Description
I'm not sure if this is something `symmetric-encryption` can or should address, but I wanted to bring it up because of the potential security implications for Rails applications.
By default, `#as_json` includes encrypted attributes:
```ruby
class Person < ApplicationRecord
  attribute :ssn, :encrypted
end

Person.create(ssn: 'top_secret').as_json
# => { id: 1, ssn: 'top_secret' }
```
I can't think of many scenarios where you'd want sensitive data included in the JSON representation. But I can imagine scenarios where it's inadvertently leaked, for example:
```ruby
render json: @person
```
It's simple enough to mitigate this issue by overriding `as_json` to exclude the sensitive attributes:
```ruby
class Person < ApplicationRecord
  attribute :ssn, :encrypted

  def as_json(*)
    super(except: [:ssn])
  end
end
```
It would be ideal if the Rails 5+ Attributes API made it possible for attributes to exclude themselves from JSON, but unfortunately that doesn't seem possible. 😕 Maybe there's another way to do this using functionality built into Rails.
What do you think about adding a new module (concern) that, when included, automatically excluded encrypted attributes from `as_json`? For example, something like `SymmetricEncryption::RestrictedAttributes`?
I think at the very least this should all be mentioned in the Frameworks Guide. I'd be happy to put together a pull request if there's agreement.
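
One way the concern proposed above could behave, added here as an example and not code from the issue author or the symmetric-encryption gem. It goes a step beyond the single-attribute override by detecting encrypted attributes from their declared type and merging with caller-supplied `:only`/`:except` options; `RestrictedAttributes`, `EncryptedType` and `StubRecord` are hypothetical stand-ins so it runs without Rails.

```ruby
# Constructed stand-in for the gem's encrypted attribute type.
EncryptedType = Class.new

# Hypothetical concern, not part of the symmetric-encryption gem.
module RestrictedAttributes
  # Names of the attributes declared with the encrypted type.
  def restricted_attribute_names
    self.class.attribute_types.select { |_n, t| t.is_a?(EncryptedType) }.keys.map(&:to_s)
  end

  # ActiveModel's as_json delegates to serializable_hash, so filter there.
  def serializable_hash(options = nil)
    options = (options || {}).dup
    restricted = restricted_attribute_names
    # Keep the caller's own :except entries and add the encrypted names.
    options[:except] = Array(options[:except]).map(&:to_s) | restricted
    # An explicit :only must not re-admit an encrypted attribute.
    options[:only] = Array(options[:only]).map(&:to_s) - restricted if options.key?(:only)
    super(options)
  end
end

# Constructed stand-in for ActiveRecord::Base (assumption: string-keyed
# attribute_types and ActiveModel-style :only / :except handling).
class StubRecord
  def self.attribute_types
    { "id" => Object.new, "name" => Object.new, "ssn" => EncryptedType.new }
  end

  def initialize(attrs)
    @attrs = attrs.transform_keys(&:to_s)
  end

  def serializable_hash(options = nil)
    options ||= {}
    names = @attrs.keys
    if (only = options[:only])
      names &= Array(only).map(&:to_s)
    elsif (except = options[:except])
      names -= Array(except).map(&:to_s)
    end
    @attrs.slice(*names)
  end
  def as_json(options = nil); serializable_hash(options); end
end

class Person < StubRecord
  include RestrictedAttributes
end
```

In a Rails model the type check would test against the gem's encrypted attribute type instead of `EncryptedType`; code that reads `person.ssn` directly is unaffected by this filter.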