attr_encrypted 1.4.0 → 2.0.0

data/Rakefile

@@ -1,6 +1,5 @@
-require 'rake'
 require 'rake/testtask'
-require 'rake/rdoctask'
+require 'rdoc/task'
 require "bundler/gem_tasks"
 
 desc 'Test the attr_encrypted gem.'
@@ -19,16 +18,5 @@ Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-if RUBY_VERSION < '1.9.3'
-  require 'rcov/rcovtask'
-
-  task :rcov do
-    sh "rcov -o coverage/rcov --exclude '^(?!lib)' " + FileList[ 'test/**/*_test.rb' ].join(' ')
-  end
-
-  desc 'Default: run unit tests under rcov.'
-  task :default => :rcov
-else
-  desc 'Default: run unit tests.'
-  task :default => :test
-end
+desc 'Default: run unit tests.'
+task :default => :test

data/attr_encrypted.gemspec

@@ -0,0 +1,60 @@
+# -*- encoding: utf-8 -*-
+
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'attr_encrypted/version'
+require 'date'
+
+Gem::Specification.new do |s|
+  s.name    = 'attr_encrypted'
+  s.version = AttrEncrypted::Version.string
+  s.date    = Date.today
+
+  s.summary     = 'Encrypt and decrypt attributes'
+  s.description = 'Generates attr_accessors that encrypt and decrypt attributes transparently'
+
+  s.authors   = ['Sean Huber', 'S. Brent Faulkner', 'William Monk', 'Stephen Aghaulor']
+  s.email    = ['seah@shuber.io', 'sbfaulkner@gmail.com', 'billy.monk@gmail.com', 'saghaulor@gmail.com']
+  s.homepage = 'http://github.com/attr-encrypted/attr_encrypted'
+
+  s.has_rdoc = false
+  s.rdoc_options = ['--line-numbers', '--inline-source', '--main', 'README.rdoc']
+
+  s.require_paths = ['lib']
+
+  s.files      = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
+
+  s.required_ruby_version = '>= 2.0.0'
+
+  s.add_dependency('encryptor', ['~> 2.0.0'])
+  # support for testing with specific active record version
+  activerecord_version = if ENV.key?('ACTIVERECORD')
+    "~> #{ENV['ACTIVERECORD']}"
+  else
+    '>= 2.0.0'
+  end
+  s.add_development_dependency('activerecord', activerecord_version)
+  s.add_development_dependency('actionpack', activerecord_version)
+  s.add_development_dependency('datamapper')
+  s.add_development_dependency('rake')
+  s.add_development_dependency('minitest')
+  s.add_development_dependency('sequel')
+  if defined?(RUBY_ENGINE) && RUBY_ENGINE.to_sym == :jruby
+    s.add_development_dependency('activerecord-jdbcsqlite3-adapter')
+    s.add_development_dependency('jdbc-sqlite3', '< 3.8.7') # 3.8.7 is nice and broke
+  else
+    s.add_development_dependency('sqlite3')
+  end
+  s.add_development_dependency('dm-sqlite-adapter')
+  s.add_development_dependency('simplecov')
+  s.add_development_dependency('simplecov-rcov')
+  s.add_development_dependency("codeclimate-test-reporter")
+
+  s.cert_chain  = ['certs/saghaulor.pem']
+  s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/
+
+  s.post_install_message = "\n\n\nWARNING: Several insecure default options and features have been deprecated in attr_encrypted v2.0.0. Please see the README for more details.\n\n\n"
+
+end

data/certs/saghaulor.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMRIwEAYDVQQDDAlzYWdo
+YXVsb3IxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkWA2Nv
+bTAeFw0xNjAxMTEyMjQyMDFaFw0xNzAxMTAyMjQyMDFaMEAxEjAQBgNVBAMMCXNh
+Z2hhdWxvcjEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPyLGQBGRYD
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0xdQYk2GwCpQ1n/
+n2mPVYHLYqU5TAn/82t5kbqBUWjbcj8tHAi41tJ19+fT/hH0dog8JHvho1zmOr71
+ZIqreJQo60TqP6oE9a5HncUpjqbRp7tOmHo9E+mOW1yT4NiXqFf1YINExQKy2XND
+WPQ+T50ZNUsGMfHFWB4NAymejRWXlOEY3bvKW0UHFeNmouP5he51TjoP8uCc9536
+4AIWVP/zzzjwrFtC7av7nRw4Y+gX2bQjrkK2k2JS0ejiGzKBIEMJejcI2B+t79zT
+kUQq9SFwp2BrKSIy+4kh4CiF20RT/Hfc1MbvTxSIl/bbIxCYEOhmtHExHi0CoCWs
+YCGCXQIDAQABo3kwdzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQU
+SCpVzSBvYbO6B3oT3n3RCZmurG8wHgYDVR0RBBcwFYETc2FnaGF1bG9yQGdtYWls
+LmNvbTAeBgNVHRIEFzAVgRNzYWdoYXVsb3JAZ21haWwuY29tMA0GCSqGSIb3DQEB
+BQUAA4IBAQAeiGdC3e0WiZpm0cF/b7JC6hJYXC9Yv9VsRAWD9ROsLjFKwOhmonnc
++l/QrmoTjMakYXBCai/Ca3L+k5eRrKilgyITILsmmFxK8sqPJXUw2Jmwk/dAky6x
+hHKVZAofT1OrOOPJ2USoZyhR/VI8epLaD5wUmkVDNqtZWviW+dtRa55aPYjRw5Pj
+wuj9nybhZr+BbEbmZE//2nbfkM4hCuMtxxxilPrJ22aYNmeWU0wsPpDyhPYxOUgU
+ZjeLmnSDiwL6doiP5IiwALH/dcHU67ck3NGf6XyqNwQrrmtPY0mv1WVVL4Uh+vYE
+kHoFzE2no0BfBg78Re8fY69P5yES5ncC
+-----END CERTIFICATE-----

data/lib/attr_encrypted.rb

@@ -14,81 +14,107 @@ module AttrEncrypted
 
   # Generates attr_accessors that encrypt and decrypt attributes transparently
   #
-  # Options (any other options you specify are passed to the encryptor's encrypt and decrypt methods)
-  #
-  #   :attribute        => The name of the referenced encrypted attribute. For example
-  #                        <tt>attr_accessor :email, :attribute => :ee</tt> would generate an
-  #                        attribute named 'ee' to store the encrypted email. This is useful when defining
-  #                        one attribute to encrypt at a time or when the :prefix and :suffix options
-  #                        aren't enough. Defaults to nil.
-  #
-  #   :prefix           => A prefix used to generate the name of the referenced encrypted attributes.
-  #                        For example <tt>attr_accessor :email, :password, :prefix => 'crypted_'</tt> would
-  #                        generate attributes named 'crypted_email' and 'crypted_password' to store the
-  #                        encrypted email and password. Defaults to 'encrypted_'.
-  #
-  #   :suffix           => A suffix used to generate the name of the referenced encrypted attributes.
-  #                        For example <tt>attr_accessor :email, :password, :prefix => '', :suffix => '_encrypted'</tt>
-  #                        would generate attributes named 'email_encrypted' and 'password_encrypted' to store the
-  #                        encrypted email. Defaults to ''.
-  #
-  #   :key              => The encryption key. This option may not be required if you're using a custom encryptor. If you pass
-  #                        a symbol representing an instance method then the :key option will be replaced with the result of the
-  #                        method before being passed to the encryptor. Objects that respond to :call are evaluated as well (including procs).
-  #                        Any other key types will be passed directly to the encryptor.
-  #
-  #   :encode           => If set to true, attributes will be encoded as well as encrypted. This is useful if you're
-  #                        planning on storing the encrypted attributes in a database. The default encoding is 'm' (base64),
-  #                        however this can be overwritten by setting the :encode option to some other encoding string instead of
-  #                        just 'true'. See http://www.ruby-doc.org/core/classes/Array.html#M002245 for more encoding directives.
-  #                        Defaults to false unless you're using it with ActiveRecord, DataMapper, or Sequel.
-  #
-  #   :default_encoding => Defaults to 'm' (base64).
-  #
-  #   :marshal          => If set to true, attributes will be marshaled as well as encrypted. This is useful if you're planning
-  #                        on encrypting something other than a string. Defaults to false unless you're using it with ActiveRecord
-  #                        or DataMapper.
-  #
-  #   :marshaler        => The object to use for marshaling. Defaults to Marshal.
-  #
-  #   :dump_method      => The dump method name to call on the <tt>:marshaler</tt> object to. Defaults to 'dump'.
-  #
-  #   :load_method      => The load method name to call on the <tt>:marshaler</tt> object. Defaults to 'load'.
-  #
-  #   :encryptor        => The object to use for encrypting. Defaults to Encryptor.
-  #
-  #   :encrypt_method   => The encrypt method name to call on the <tt>:encryptor</tt> object. Defaults to 'encrypt'.
-  #
-  #   :decrypt_method   => The decrypt method name to call on the <tt>:encryptor</tt> object. Defaults to 'decrypt'.
-  #
-  #   :if               => Attributes are only encrypted if this option evaluates to true. If you pass a symbol representing an instance
-  #                        method then the result of the method will be evaluated. Any objects that respond to <tt>:call</tt> are evaluated as well.
-  #                        Defaults to true.
-  #
-  #   :unless           => Attributes are only encrypted if this option evaluates to false. If you pass a symbol representing an instance
-  #                        method then the result of the method will be evaluated. Any objects that respond to <tt>:call</tt> are evaluated as well.
-  #                        Defaults to false.
-  #
-  #   :mode             => Selects encryption mode for attribute: choose <tt>:single_iv_and_salt</tt> for compatibility
-  #                        with the old attr_encrypted API: the default IV and salt of the underlying encryptor object
-  #                        is used; <tt>:per_attribute_iv_and_salt</tt> uses a per-attribute IV and salt attribute and
-  #                        is the recommended mode for new deployments.
-  #                        Defaults to <tt>:single_iv_and_salt</tt>.
+  # Options (any other options you specify are passed to the Encryptor's encrypt and decrypt methods)
+  #
+  #   attribute:        The name of the referenced encrypted attribute. For example
+  #                     <tt>attr_accessor :email, attribute: :ee</tt> would generate an
+  #                     attribute named 'ee' to store the encrypted email. This is useful when defining
+  #                     one attribute to encrypt at a time or when the :prefix and :suffix options
+  #                     aren't enough.
+  #                     Defaults to nil.
+  #
+  #   prefix:           A prefix used to generate the name of the referenced encrypted attributes.
+  #                     For example <tt>attr_accessor :email, prefix: 'crypted_'</tt> would
+  #                     generate attributes named 'crypted_email' to store the encrypted
+  #                     email and password.
+  #                     Defaults to 'encrypted_'.
+  #
+  #   suffix:           A suffix used to generate the name of the referenced encrypted attributes.
+  #                     For example <tt>attr_accessor :email, prefix: '', suffix: '_encrypted'</tt>
+  #                     would generate attributes named 'email_encrypted' to store the
+  #                     encrypted email.
+  #                     Defaults to ''.
+  #
+  #   key:              The encryption key. This option may not be required if
+  #                     you're using a custom encryptor. If you pass a symbol
+  #                     representing an instance method then the :key option
+  #                     will be replaced with the result of the method before
+  #                     being passed to the encryptor. Objects that respond
+  #                     to :call are evaluated as well (including procs).
+  #                     Any other key types will be passed directly to the encryptor.
+  #                     Defaults to nil.
+  #
+  #   encode:           If set to true, attributes will be encoded as well as
+  #                     encrypted. This is useful if you're planning on storing
+  #                     the encrypted attributes in a database. The default
+  #                     encoding is 'm' (base64), however this can be overwritten
+  #                     by setting the :encode option to some other encoding
+  #                     string instead of just 'true'. See
+  #                     http://www.ruby-doc.org/core/classes/Array.html#M002245
+  #                     for more encoding directives.
+  #                     Defaults to false unless you're using it with ActiveRecord, DataMapper, or Sequel.
+  #
+  #   encode_iv:        Defaults to true.
+
+  #   encode_salt:      Defaults to true.
+  #
+  #   default_encoding: Defaults to 'm' (base64).
+  #
+  #   marshal:          If set to true, attributes will be marshaled as well
+  #                     as encrypted. This is useful if you're planning on
+  #                     encrypting something other than a string.
+  #                     Defaults to false.
+  #
+  #   marshaler:        The object to use for marshaling.
+  #                     Defaults to Marshal.
+  #
+  #   dump_method:      The dump method name to call on the <tt>:marshaler</tt> object to.
+  #                     Defaults to 'dump'.
+  #
+  #   load_method:      The load method name to call on the <tt>:marshaler</tt> object.
+  #                     Defaults to 'load'.
+  #
+  #   encryptor:        The object to use for encrypting.
+  #                     Defaults to Encryptor.
+  #
+  #   encrypt_method:   The encrypt method name to call on the <tt>:encryptor</tt> object.
+  #                     Defaults to 'encrypt'.
+  #
+  #   decrypt_method:   The decrypt method name to call on the <tt>:encryptor</tt> object.
+  #                     Defaults to 'decrypt'.
+  #
+  #   if:               Attributes are only encrypted if this option evaluates
+  #                     to true. If you pass a symbol representing an instance
+  #                     method then the result of the method will be evaluated.
+  #                     Any objects that respond to <tt>:call</tt> are evaluated as well.
+  #                     Defaults to true.
+  #
+  #   unless:           Attributes are only encrypted if this option evaluates
+  #                     to false. If you pass a symbol representing an instance
+  #                     method then the result of the method will be evaluated.
+  #                     Any objects that respond to <tt>:call</tt> are evaluated as well.
+  #                     Defaults to false.
+  #
+  #   mode:             Selects encryption mode for attribute: choose <tt>:single_iv_and_salt</tt> for compatibility
+  #                     with the old attr_encrypted API: the IV is derived from the encryption key by the underlying Encryptor class; salt is not used.
+  #                     The <tt>:per_attribute_iv_and_salt</tt> mode uses a per-attribute IV and salt. The salt is used to derive a unique key per attribute.
+  #                     A <tt>:per_attribute_iv</default> mode derives a unique IV per attribute; salt is not used.
+  #                     Defaults to <tt>:per_attribute_iv</tt>.
   #
   # You can specify your own default options
   #
   #   class User
-  #     # now all attributes will be encoded and marshaled by default
-  #     attr_encrypted_options.merge!(:encode => true, :marshal => true, :some_other_option => true)
-  #     attr_encrypted :configuration, :key => 'my secret key'
+  #     # Now all attributes will be encoded and marshaled by default
+  #     attr_encrypted_options.merge!(encode: true, marshal: true, some_other_option: true)
+  #     attr_encrypted :configuration, key: 'my secret key'
   #   end
   #
   #
   # Example
   #
   #   class User
-  #     attr_encrypted :email, :credit_card, :key => 'some secret key'
-  #     attr_encrypted :configuration, :key => 'some other secret key', :marshal => true
+  #     attr_encrypted :email, key: 'some secret key'
+  #     attr_encrypted :configuration, key: 'some other secret key', marshal: true
   #   end
   #
   #   @user = User.new
@@ -98,46 +124,32 @@ module AttrEncrypted
   #   @user.email? # true
   #   @user.encrypted_email # returns the encrypted version of 'test@example.com'
   #
-  #   @user.configuration = { :time_zone => 'UTC' }
+  #   @user.configuration = { time_zone: 'UTC' }
   #   @user.encrypted_configuration # returns the encrypted version of configuration
   #
   #   See README for more examples
   def attr_encrypted(*attributes)
-    options = {
-      :prefix           => 'encrypted_',
-      :suffix           => '',
-      :if               => true,
-      :unless           => false,
-      :encode           => false,
-      :default_encoding => 'm',
-      :marshal          => false,
-      :marshaler        => Marshal,
-      :dump_method      => 'dump',
-      :load_method      => 'load',
-      :encryptor        => Encryptor,
-      :encrypt_method   => 'encrypt',
-      :decrypt_method   => 'decrypt',
-      :mode             => :single_iv_and_salt
-    }.merge!(attr_encrypted_options).merge!(attributes.last.is_a?(Hash) ? attributes.pop : {})
+    options = attributes.last.is_a?(Hash) ? attributes.pop : {}
+    options = attr_encrypted_default_options.dup.merge!(attr_encrypted_options).merge!(options)
 
     options[:encode] = options[:default_encoding] if options[:encode] == true
+    options[:encode_iv] = options[:default_encoding] if options[:encode_iv] == true
+    options[:encode_salt] = options[:default_encoding] if options[:encode_salt] == true
 
     attributes.each do |attribute|
       encrypted_attribute_name = (options[:attribute] ? options[:attribute] : [options[:prefix], attribute, options[:suffix]].join).to_sym
-      iv_name = "#{encrypted_attribute_name}_iv".to_sym
-      salt_name = "#{encrypted_attribute_name}_salt".to_sym
 
       instance_methods_as_symbols = attribute_instance_methods_as_symbols
       attr_reader encrypted_attribute_name unless instance_methods_as_symbols.include?(encrypted_attribute_name)
       attr_writer encrypted_attribute_name unless instance_methods_as_symbols.include?(:"#{encrypted_attribute_name}=")
 
-      if options[:mode] == :per_attribute_iv_and_salt
-        attr_reader iv_name unless instance_methods_as_symbols.include?(iv_name)
-        attr_writer iv_name unless instance_methods_as_symbols.include?(:"#{iv_name}=")
+      iv_name = "#{encrypted_attribute_name}_iv".to_sym
+      attr_reader iv_name unless instance_methods_as_symbols.include?(iv_name)
+      attr_writer iv_name unless instance_methods_as_symbols.include?(:"#{iv_name}=")
 
-        attr_reader salt_name unless instance_methods_as_symbols.include?(salt_name)
-        attr_writer salt_name unless instance_methods_as_symbols.include?(:"#{salt_name}=")
-      end
+      salt_name = "#{encrypted_attribute_name}_salt".to_sym
+      attr_reader salt_name unless instance_methods_as_symbols.include?(salt_name)
+      attr_writer salt_name unless instance_methods_as_symbols.include?(:"#{salt_name}=")
 
       define_method(attribute) do
         instance_variable_get("@#{attribute}") || instance_variable_set("@#{attribute}", decrypt(attribute, send(encrypted_attribute_name)))
@@ -153,7 +165,7 @@ module AttrEncrypted
         value.respond_to?(:empty?) ? !value.empty? : !!value
       end
 
-      encrypted_attributes[attribute.to_sym] = options.merge(:attribute => encrypted_attribute_name)
+      encrypted_attributes[attribute.to_sym] = options.merge(attribute: encrypted_attribute_name)
     end
   end
 
@@ -166,6 +178,30 @@ module AttrEncrypted
     @attr_encrypted_options ||= superclass.attr_encrypted_options.dup
   end
 
+  def attr_encrypted_default_options
+    {
+      prefix:            'encrypted_',
+      suffix:            '',
+      if:                true,
+      unless:            false,
+      encode:            false,
+      encode_iv:         true,
+      encode_salt:       true,
+      default_encoding:  'm',
+      marshal:           false,
+      marshaler:         Marshal,
+      dump_method:       'dump',
+      load_method:       'load',
+      encryptor:         Encryptor,
+      encrypt_method:    'encrypt',
+      decrypt_method:    'decrypt',
+      mode:              :per_attribute_iv,
+      algorithm:         'aes-256-gcm',
+    }
+  end
+
+  private :attr_encrypted_default_options
+
   # Checks if an attribute is configured with <tt>attr_encrypted</tt>
   #
   # Example
@@ -194,7 +230,7 @@ module AttrEncrypted
     options = encrypted_attributes[attribute.to_sym].merge(options)
     if options[:if] && !options[:unless] && !encrypted_value.nil? && !(encrypted_value.is_a?(String) && encrypted_value.empty?)
       encrypted_value = encrypted_value.unpack(options[:encode]).first if options[:encode]
-      value = options[:encryptor].send(options[:decrypt_method], options.merge!(:value => encrypted_value))
+      value = options[:encryptor].send(options[:decrypt_method], options.merge!(value: encrypted_value))
       if options[:marshal]
         value = options[:marshaler].send(options[:load_method], value)
       elsif defined?(Encoding)
@@ -220,7 +256,7 @@ module AttrEncrypted
     options = encrypted_attributes[attribute.to_sym].merge(options)
     if options[:if] && !options[:unless] && !value.nil? && !(value.is_a?(String) && value.empty?)
       value = options[:marshal] ? options[:marshaler].send(options[:dump_method], value) : value.to_s
-      encrypted_value = options[:encryptor].send(options[:encrypt_method], options.merge!(:value => value))
+      encrypted_value = options[:encryptor].send(options[:encrypt_method], options.merge!(value: value))
       encrypted_value = [encrypted_value].pack(options[:encode]) if options[:encode]
       encrypted_value
     else
@@ -234,10 +270,10 @@ module AttrEncrypted
   # Example
   #
   #   class User
-  #     attr_encrypted :email, :key => 'my secret key'
+  #     attr_encrypted :email, key: 'my secret key'
   #   end
   #
-  #   User.encrypted_attributes # { :email => { :attribute => 'encrypted_email', :key => 'my secret key' } }
+  #   User.encrypted_attributes # { email: { attribute: 'encrypted_email', key: 'my secret key' } }
   def encrypted_attributes
     @encrypted_attributes ||= superclass.encrypted_attributes.dup
   end
@@ -248,7 +284,7 @@ module AttrEncrypted
   # Example
   #
   #   class User
-  #     attr_encrypted :email, :key => 'my secret key'
+  #     attr_encrypted :email, key: 'my secret key'
   #   end
   #
   #   User.encrypt_email('SOME_ENCRYPTED_EMAIL_STRING')
@@ -267,7 +303,7 @@ module AttrEncrypted
     #
     #  class User
     #    attr_accessor :secret_key
-    #    attr_encrypted :email, :key => :secret_key
+    #    attr_encrypted :email, key: :secret_key
     #
     #    def initialize(secret_key)
     #      self.secret_key = secret_key
@@ -277,6 +313,7 @@ module AttrEncrypted
     #  @user = User.new('some-secret-key')
     #  @user.decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
     def decrypt(attribute, encrypted_value)
+      encrypted_attributes[attribute.to_sym][:operation] = :decrypting
       self.class.decrypt(attribute, encrypted_value, evaluated_attr_encrypted_options_for(attribute))
     end
 
@@ -286,7 +323,7 @@ module AttrEncrypted
     #
     #  class User
     #    attr_accessor :secret_key
-    #    attr_encrypted :email, :key => :secret_key
+    #    attr_encrypted :email, key: :secret_key
     #
     #    def initialize(secret_key)
     #      self.secret_key = secret_key
@@ -296,19 +333,38 @@ module AttrEncrypted
     #  @user = User.new('some-secret-key')
     #  @user.encrypt(:email, 'test@example.com')
     def encrypt(attribute, value)
+      encrypted_attributes[attribute.to_sym][:operation] = :encrypting
       self.class.encrypt(attribute, value, evaluated_attr_encrypted_options_for(attribute))
     end
 
+    # Copies the class level hash of encrypted attributes with virtual attribute names as keys
+    # and their corresponding options as values to the instance
+    #
+    def encrypted_attributes
+      @encrypted_attributes ||= self.class.encrypted_attributes.dup
+    end
+
     protected
 
       # Returns attr_encrypted options evaluated in the current object's scope for the attribute specified
       def evaluated_attr_encrypted_options_for(attribute)
-        if evaluate_attr_encrypted_option(self.class.encrypted_attributes[attribute.to_sym][:mode]) == :per_attribute_iv_and_salt
-          load_iv_for_attribute(attribute, self.class.encrypted_attributes[attribute.to_sym][:algorithm])
-          load_salt_for_attribute(attribute)
+        evaluated_options = Hash.new
+        attribute_option_value = encrypted_attributes[attribute.to_sym][:attribute]
+        self.class.encrypted_attributes[attribute.to_sym].map do |option, value|
+          evaluated_options[option] = evaluate_attr_encrypted_option(value)
         end
 
-        self.class.encrypted_attributes[attribute.to_sym].inject({}) { |hash, (option, value)| hash[option] = evaluate_attr_encrypted_option(value); hash }
+        evaluated_options[:attribute] = attribute_option_value
+
+        evaluated_options.tap do |options|
+          unless options[:mode] == :single_iv_and_salt
+            load_iv_for_attribute(attribute, options)
+          end
+
+          if options[:mode] == :per_attribute_iv_and_salt
+            load_salt_for_attribute(attribute, options)
+          end
+        end
       end
 
       # Evaluates symbol (method reference) or proc (responds to call) options
@@ -324,25 +380,53 @@ module AttrEncrypted
         end
       end
 
-      def load_iv_for_attribute(attribute, algorithm)
-        encrypted_attribute_name = self.class.encrypted_attributes[attribute.to_sym][:attribute]
+      def load_iv_for_attribute(attribute, options)
+        encrypted_attribute_name = options[:attribute]
+        encode_iv = options[:encode_iv]
         iv = send("#{encrypted_attribute_name}_iv")
-        if(iv == nil)
+        if options[:operation] == :encrypting
           begin
-            algorithm = algorithm || "aes-256-cbc"
-            algo = OpenSSL::Cipher::Cipher.new(algorithm)
-            iv = [algo.random_iv].pack("m")
+            iv = generate_iv(options[:algorithm])
+            iv = [iv].pack(encode_iv) if encode_iv
             send("#{encrypted_attribute_name}_iv=", iv)
           rescue RuntimeError
           end
         end
-        self.class.encrypted_attributes[attribute.to_sym] = self.class.encrypted_attributes[attribute.to_sym].merge(:iv => iv.unpack("m").first) if (iv && !iv.empty?)
+        if iv && !iv.empty?
+          iv = iv.unpack(encode_iv).first if encode_iv
+          options[:iv] = iv
+        end
+      end
+
+      def generate_iv(algorithm)
+        algo = OpenSSL::Cipher.new(algorithm)
+        algo.encrypt
+        algo.random_iv
+      end
+
+      def load_salt_for_attribute(attribute, options)
+        encrypted_attribute_name = options[:attribute]
+        encode_salt = options[:encode_salt]
+        salt = send("#{encrypted_attribute_name}_salt")
+        if (salt == nil)
+          salt = SecureRandom.random_bytes
+          salt = prefix_and_encode_salt(salt, encode_salt) if encode_salt
+          send("#{encrypted_attribute_name}_salt=", salt)
+        end
+        if salt && !salt.empty?
+          salt = decode_salt_if_encoded(salt, encode_salt) if encode_salt
+          options[:salt] = salt
+        end
+      end
+
+      def prefix_and_encode_salt(salt, encoding)
+        prefix = '_'
+        prefix + [salt].pack(encoding)
       end
 
-      def load_salt_for_attribute(attribute)
-        encrypted_attribute_name = self.class.encrypted_attributes[attribute.to_sym][:attribute]
-        salt = send("#{encrypted_attribute_name}_salt") || send("#{encrypted_attribute_name}_salt=", Digest::SHA256.hexdigest((Time.now.to_i * rand(1000)).to_s)[0..15])
-        self.class.encrypted_attributes[attribute.to_sym] = self.class.encrypted_attributes[attribute.to_sym].merge(:salt => salt)
+      def decode_salt_if_encoded(salt, encoding)
+        prefix = '_'
+        salt.slice(0).eql?(prefix) ? salt.slice(1..-1).unpack(encoding).first : salt
       end
   end
 
@@ -354,6 +438,5 @@ module AttrEncrypted
 
 end
 
-Object.extend AttrEncrypted
 
 Dir[File.join(File.dirname(__FILE__), 'attr_encrypted', 'adapters', '*.rb')].each { |adapter| require adapter }