Problem
While acts_as_paranoid provides excellent soft delete functionality, it doesn't fully address GDPR's "right to be forgotten" requirements. When users request data deletion under GDPR Article 17, simply setting deleted_at on a record isn't sufficient because:
- Sensitive personal data remains readable in the database
- Compliance officers can't verify true data deletion
- Database backups still contain recoverable personal information
- Regulatory audits may flag readable "deleted" data as non-compliant
Proposed Solution
Integrate Format-Preserving Encryption (FF1) to encrypt sensitive columns during soft delete while maintaining data format and existing functionality.
Benefits
- True GDPR compliance
- Maintains data format for legacy systems
- Builds on existing acts_as_paranoid workflow
- Optional feature - doesn't affect existing users
Proposed Solution
Basic Usage

```ruby
class User < ApplicationRecord
  acts_as_paranoid

  # New feature - specify columns to encrypt on soft delete
  paranoid_encrypt :email, :phone_number, :address
  paranoid_encrypt :ssn, :credit_card, mode: :irreversible
end

# Usage remains identical
user = User.find(1)
user.destroy # Now encrypts sensitive data + sets deleted_at

# All existing scopes work unchanged
User.with_deleted    # Returns all records (encrypted data shows as encrypted)
User.only_deleted    # Returns soft-deleted records
User.without_deleted # Returns active records (default scope)
```

Advanced Configuration
```ruby
class User < ApplicationRecord
  acts_as_paranoid

  # Fine-grained control
  paranoid_encrypt :email, :phone,
                   mode: :irreversible,
                   key: ENV['GDPR_ENCRYPTION_KEY'],
                   context: ->(record) { "user_#{record.id}" }
end
```
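To make the proposal concrete, here is an added, stand-alone example that is not part of acts_as_paranoid and not the author's code: a minimal FF1 (NIST SP 800-38G) over digit strings, wrapped in a hypothetical `SoftDeleteEncryptor` that does on a plain Hash what `paranoid_encrypt` would do on a model at destroy time. The record id is used as the FF1 tweak, mirroring the `context:` option above, so the same phone number in two rows encrypts to two different ciphertexts. Everything beyond the proposed option names (the class, the `record_<id>` tweak, the digits-only restriction) is an assumption of this example; alphabetic columns such as email would need an alphabet-to-radix mapping first.

```ruby
require 'openssl'

# Added example, not acts_as_paranoid code: minimal FF1 (NIST SP 800-38G) over
# digit strings plus a hypothetical stand-in for the proposed paranoid_encrypt hook.
module FF1
  ROUNDS = 10

  # NUM and STR from the spec: digit array <-> integer, most significant digit first.
  def self.num(digits, radix)
    digits.inject(0) { |acc, d| acc * radix + d }
  end

  def self.str(x, m, radix)
    Array.new(m) { |i| (x / radix**(m - 1 - i)) % radix }
  end

  def self.int_bytes(x, len)
    [x.to_s(16).rjust(len * 2, '0')].pack('H*')
  end

  def self.aes(key, block)
    c = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-ecb")
    c.encrypt
    c.padding = 0
    c.key = key
    c.update(block) + c.final
  end

  # PRF: AES-CBC-MAC with a zero IV over a 16-byte-aligned input; last block is kept.
  def self.prf(key, data)
    c = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-cbc")
    c.encrypt
    c.padding = 0
    c.key = key
    c.iv = "\0".b * 16
    (c.update(data) + c.final)[-16, 16]
  end

  # Per-message constants (spec steps 3 to 5): byte width b of the right half,
  # PRF output width d, fixed prefix P. Revision 1 requires radix^n >= 10^6.
  def self.setup(tweak, n, radix)
    raise ArgumentError, 'input too short for FF1' if radix**n < 1_000_000
    u = n / 2
    v = n - u
    b = ((radix**v - 1).bit_length + 7) / 8
    d = 4 * ((b + 3) / 4) + 4
    p = [1, 2, 1].pack('C*') + [radix].pack('N')[1, 3] +
        [10, u % 256].pack('C*') + [n, tweak.bytesize].pack('NN')
    [u, v, b, d, p]
  end

  # Feistel round value y (spec step 6 i-iv) from tweak, round index and one half.
  def self.round_value(key, tweak, p, b, d, i, half, radix)
    q = tweak.b + "\0".b * ((-tweak.bytesize - b - 1) % 16) +
        [i].pack('C') + int_bytes(num(half, radix), b)
    r = prf(key, p + q)
    s = r.dup
    j = 1
    while s.bytesize < d
      s << aes(key, r.bytes.zip(int_bytes(j, 16).bytes).map { |x, y| x ^ y }.pack('C*'))
      j += 1
    end
    s[0, d].unpack1('H*').to_i(16)
  end

  def self.encrypt(key, tweak, digits, radix)
    u, v, b, d, p = setup(tweak, digits.length, radix)
    a, bb = digits[0, u], digits[u, v]
    ROUNDS.times do |i|
      m = i.even? ? u : v
      c = (num(a, radix) + round_value(key, tweak, p, b, d, i, bb, radix)) % radix**m
      a, bb = bb, str(c, m, radix)
    end
    a + bb
  end

  def self.decrypt(key, tweak, digits, radix)
    u, v, b, d, p = setup(tweak, digits.length, radix)
    a, bb = digits[0, u], digits[u, v]
    (ROUNDS - 1).downto(0) do |i|
      m = i.even? ? u : v
      c = (num(bb, radix) - round_value(key, tweak, p, b, d, i, a, radix)) % radix**m
      a, bb = str(c, m, radix), a
    end
    a + bb
  end
end

# Hypothetical stand-in for paranoid_encrypt acting on a Hash record (digit columns only).
class SoftDeleteEncryptor
  def initialize(columns, mode:, key: nil)
    @columns, @mode, @key = columns, mode, key
  end

  # :irreversible draws a one-off key that is dropped when the method returns, so the
  # column keeps its shape but nobody, operator included, can recover the plaintext.
  def soft_delete!(record)
    key = @mode == :irreversible ? OpenSSL::Random.random_bytes(16) : @key
    @columns.each do |col|
      raise ArgumentError, "#{col}: digits only" unless record[col].match?(/\A\d{6,}\z/)
      record[col] = FF1.encrypt(key, "record_#{record[:id]}", record[col].chars.map(&:to_i), 10).join
    end
    record.merge!(deleted_at: Time.now.utc)
  end

  def restore!(record)
    raise 'irreversible mode: the key was discarded' unless @mode == :reversible
    @columns.each do |col|
      record[col] = FF1.decrypt(@key, "record_#{record[:id]}", record[col].chars.map(&:to_i), 10).join
    end
    record.tap { |r| r.delete(:deleted_at) }
  end
end
```

Two points the example makes visible. In `:reversible` mode the plaintext is only as gone as the key is, so anyone holding `GDPR_ENCRYPTION_KEY` can still read the "deleted" column; erasure semantics come from `:irreversible`, where the key exists only for the duration of the call (crypto-shredding). And either mode changes only the live row: backups taken before the destroy still hold the plaintext, so a retention policy for backups is still needed alongside the encryption.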