From 4259da831611ae91b10250e2a23a5a8c2dca23b1 Mon Sep 17 00:00:00 2001 From: Andrew Kane Date: Sat, 15 Dec 2018 14:08:55 -0800 Subject: [PATCH] Made note about unique key/IV pair more prominent in docs [skip ci] --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 41629a07..d5b6a132 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,12 @@ Create or modify the table that your model uses to add a column with the `encryp You can use a string or binary column type. (See the encode option section below for more info) +If you use the same key for each record, add a unique index on the IV. Repeated IVs with AES-GCM (the default algorithm) allow an attacker to recover the key. + +```ruby + add_index :users, :encrypted_ssn_iv, unique: true +``` + ### Specifying the encrypted attribute name By default, the encrypted attribute name is `encrypted_#{attribute}` (e.g. `attr_encrypted :email` would create an attribute named `encrypted_email`). So, if you're storing the encrypted attribute in the database, you need to make sure the `encrypted_#{attribute}` field exists in your table. You have a couple of options if you want to name your attribute or db column something else, see below for more details.
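Review bot: In the added README paragraph, "allow an attacker to recover the key" overstates the failure mode. A repeated IV under the same AES-GCM key exposes the XOR of the two plaintexts and the GCM authentication subkey, which permits forgeries; it does not expose the AES encryption key itself. Suggest wording along the lines of "Repeated IVs with AES-GCM (the default algorithm) compromise the confidentiality and authenticity of data encrypted under that key." The example `add_index :users, :encrypted_ssn_iv, unique: true` should also state that `users` and `encrypted_ssn_iv` are sample names and that the IV column of every encrypted attribute needs its own unique index. It would help to add that the index only makes a colliding insert fail, so the application still has to generate a fresh IV and retry.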