attr_encryptor 1.0.0

data/.gitignore

@@ -0,0 +1,16 @@
+.DS_Store
+pkg
+*.gem
+*.rbc
+.bundle
+.config
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/.rvmrc

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# This is an RVM Project .rvmrc file, used to automatically load the ruby
+# development environment upon cd'ing into the directory
+
+# First we specify our desired <ruby>[@<gemset>], the @gemset name is optional.
+environment_id="ruby-1.9.2-p290@attr_encrypted"
+
+#
+# Uncomment following line if you want options to be set only for given project.
+#
+# PROJECT_JRUBY_OPTS=( --1.9 )
+
+#
+# First we attempt to load the desired environment directly from the environment
+# file. This is very fast and efficient compared to running through the entire
+# CLI and selector. If you want feedback on which environment was used then
+# insert the word 'use' after --create as this triggers verbose mode.
+#
+if [[ -d "${rvm_path:-$HOME/.rvm}/environments" \
+  && -s "${rvm_path:-$HOME/.rvm}/environments/$environment_id" ]]
+then
+  \. "${rvm_path:-$HOME/.rvm}/environments/$environment_id"
+
+  if [[ -s "${rvm_path:-$HOME/.rvm}/hooks/after_use" ]]
+  then
+    . "${rvm_path:-$HOME/.rvm}/hooks/after_use"
+  fi
+else
+  # If the environment file has not yet been created, use the RVM CLI to select.
+  if ! rvm --create  "$environment_id"
+  then
+    echo "Failed to create RVM environment '${environment_id}'."
+    exit 1
+  fi
+fi
+
+#
+# If you use an RVM gemset file to install a list of gems (*.gems), you can have
+# it be automatically loaded. Uncomment the following and adjust the filename if
+# necessary.
+#
+# filename=".gems"
+# if [[ -s "$filename" ]] ; then
+#   rvm gemset import "$filename" | grep -v already | grep -v listed | grep -v complete | sed '/^$/d'
+# fi
+

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Sean Huber - shuber@huberry.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,291 @@
+# attr_encryptor
+
+Generates attr_accessors that encrypt and decrypt attributes transparently
+
+It works with ANY class, however, you get a few extra features when you're using it with `ActiveRecord`, `DataMapper`, or `Sequel`
+
+
+## Installation
+
+  gem install attr_encryptor
+
+## Usage
+
+### Basic
+
+Encrypting attributes has never been easier:
+
+### You database
+
+add a `encrypted_ssn`, `encrypted_ssn_salt`, `encrypted_ssn_iv`. All of
+them will be populated automatically
+
+    create_table :google_apps_admins do |t|
+      t.string :username
+      t.string :encrypted_password
+      t.string :encrypted_password_iv
+      t.string :domain
+      t.timestamps
+    end
+
+### Your model
+
+    class User
+      attr_accessor :name
+      attr_encrypted :ssn, :key => 'a secret key'
+      
+    end
+
+### Controllers/views
+
+
+    @user = User.new
+    @user.ssn = '123-45-6789'
+    @user.ssn # returns the unencrypted version of :ssn
+    @user.save
+
+    @user = User.load
+    @user.ssn # decrypts :encrypted_ssn and returns '123-45-6789'
+
+The `attr_encrypted` method is also aliased as `attr_encryptor` to conform to Ruby's `attr_` naming conventions. 
+
+
+### Specifying the encrypted attribute name
+
+By default, the encrypted attribute name is `encrypted_#{attribute}` (e.g. `attr_encrypted :email` would create an attribute named `encrypted_email`). So, if you're storing the encrypted attribute in the database, you need to make sure the `encrypted_#{attribute}` field exists in your table(as well as  `encrypted_#{attribute}_iv` and `encrypted_#{attribute}_salt`). You have a couple of options if you want to name your attribute something else.
+
+#### The `:attribute` option
+
+You can simply pass the name of the encrypted attribute as the `:attribute` option:
+
+    class User
+      attr_encrypted :email, :key => 'a secret key', :attribute => 'email_encrypted'
+    end
+
+This would generate an attribute named `email_encrypted`
+
+#### The `:prefix` and `:suffix` options
+
+If you're planning on encrypting a few different attributes and you don't like the `encrypted_#{attribute}` naming convention then you can specify your own:
+
+    class User
+      attr_encrypted :email, :credit_card, :ssn, :key => 'a secret key', :prefix => 'secret_', :suffix => '_crypted'
+    end
+
+This would generate the following attributes: `secret_email_crypted`, `secret_credit_card_crypted`, and `secret_ssn_crypted`.
+
+
+### Encryption keys
+
+Although a `:key` option may not be required (see custom encryptor below), it has a few special features
+
+#### Unique keys for each attribute
+
+You can specify unique keys for each attribute if you'd like:
+
+    class User
+      attr_encrypted :email, :key => 'a secret key'
+      attr_encrypted :ssn, :key => 'a different secret key'
+    end
+
+
+#### Symbols representing instance methods as keys
+
+If your class has an instance method that determines the encryption key to use, simply pass a symbol representing it like so:
+
+    class User
+      attr_encrypted :email, :key => :encryption_key
+    
+      def encryption_key
+        # does some fancy logic and returns an encryption key
+      end
+    end
+
+
+#### Procs as keys
+
+You can pass a proc/lambda object as the `:key` option as well:
+
+    class User
+      attr_accessor :key
+      attr_encrypted :email, :key => proc { |user| user.key }
+    end
+
+However when calling `User.new`, `User.create`, `User.update_attributes` the `:key` attribute has to precede the `:email` or key will be nil and you'll get an Exception,
+
+### Conditional encrypting
+
+There may be times that you want to only encrypt when certain conditions are met. For example maybe you're using rails and you don't want to encrypt 
+attributes when you're in development mode. You can specify conditions like this:
+
+    class User < ActiveRecord::Base
+      attr_encrypted :email, :key => 'a secret key', :unless => Rails.env.development?
+    end
+
+You can specify both `:if` and `:unless` options. If you pass a symbol representing an instance method then the result of the method will be evaluated. Any objects that respond to `:call` are evaluated as well.
+
+
+### Custom encryptor
+
+The `Encryptor` (see http://github.com/shuber/encryptor) class is used by default. You may use your own custom encryptor by specifying
+the `:encryptor`, `:encrypt_method`, and `:decrypt_method` options
+
+Lets suppose you'd like to use this custom encryptor class:
+
+    class SillyEncryptor
+      def self.silly_encrypt(options)
+          (options[:value] + options[:secret_key]).reverse
+      end
+
+      def self.silly_decrypt(options)
+         options[:value].reverse.gsub(/#{options[:secret_key]}$/, '')
+      end
+    end
+
+Simply set up your class like so:
+
+    class User
+      attr_encrypted :email, :secret_key => 'a secret key', :encryptor => SillyEncryptor, :encrypt_method => :silly_encrypt, :decrypt_method => :silly_decrypt
+    end
+
+Any options that you pass to `attr_encrypted` will be passed to the encryptor along with the `:value` option which contains the string to encrypt/decrypt. Notice it uses `:secret_key` instead of `:key`.
+
+
+### Custom algorithms
+
+The default `Encryptor` uses the standard ruby OpenSSL library. It's default algorithm is `aes-256-cbc`. You can modify this by passing the `:algorithm` option to the `attr_encrypted` call like so:
+
+    class User
+      attr_encrypted :email, :key => 'a secret key', :algorithm => 'bf'
+    end
+
+Run `openssl list-cipher-commands` to view a list of algorithms supported on your platform. See http://github.com/danpal/encryptor for more information.
+
+    aes-128-cbc
+    aes-128-ecb
+    aes-192-cbc
+    aes-192-ecb
+    aes-256-cbc
+    aes-256-ecb
+    base64
+    bf
+    bf-cbc
+    bf-cfb
+    bf-ecb
+    bf-ofb
+    cast
+    cast-cbc
+    cast5-cbc
+    cast5-cfb
+    cast5-ecb
+    cast5-ofb
+    des
+    des-cbc
+    des-cfb
+    des-ecb
+    des-ede
+    des-ede-cbc
+    des-ede-cfb
+    des-ede-ofb
+    des-ede3
+    des-ede3-cbc
+    des-ede3-cfb
+    des-ede3-ofb
+    des-ofb
+    des3
+    desx
+    idea
+    idea-cbc
+    idea-cfb
+    idea-ecb
+    idea-ofb
+    rc2
+    rc2-40-cbc
+    rc2-64-cbc
+    rc2-cbc
+    rc2-cfb
+    rc2-ecb
+    rc2-ofb
+    rc4
+    rc4-40
+
+
+### Default options
+
+Let's imagine that you have a few attributes that you want to encrypt with different keys, but you don't like the `encrypted_#{attribute}` naming convention. Instead of having to define your class like this:
+
+    class User
+      attr_encrypted :email, :key => 'a secret key', :prefix => '', :suffix => '_crypted'
+      attr_encrypted :ssn, :key => 'a different secret key', :prefix => '', :suffix => '_crypted'
+      attr_encrypted :credit_card, :key => 'another secret key', :prefix => '', :suffix => '_crypted'
+    end
+
+You can simply define some default options like so:
+
+    class User
+      attr_encrypted_options.merge!(:prefix => '', :suffix => '_crypted')
+      attr_encrypted :email, :key => 'a secret key'
+      attr_encrypted :ssn, :key => 'a different secret key'
+      attr_encrypted :credit_card, :key => 'another secret key'
+    end
+
+This should help keep your classes clean and DRY.
+
+
+### Encoding
+
+You're probably going to be storing your encrypted attributes somehow (e.g. filesystem, database, etc) and may run into some issues trying to store a weird
+encrypted string. I've had this problem myself using MySQL. You can simply pass the `:encode` option to automatically encode/decode when encrypting/decrypting.
+
+    class User
+      attr_encrypted :email, :key => 'some secret key', :encode => true
+    end
+
+The default encoding is `m*` (base64). You can change this by setting `:encode => 'some encoding'`. See the `Array#pack` method at http://www.ruby-doc.org/core/classes/Array.html#M002245 for more encoding options.
+
+
+### Marshaling
+
+You may want to encrypt objects other than strings (e.g. hashes, arrays, etc). If this is the case, simply pass the `:marshal` option to automatically marshal when encrypting/decrypting.
+
+    class User
+      attr_encrypted :credentials, :key => 'some secret key', :marshal => true
+    end
+
+You may also optionally specify `:marshaler`, `:dump_method`, and `:load_method` if you want to use something other than the default `Marshal` object.
+
+
+### Encrypt/decrypt attribute methods
+
+If you use the same key to encrypt every record (per attribute) like this:
+
+    class User
+      attr_encrypted :email, :key => 'a secret key'
+    end
+
+Then you'll have these two class methods available for each attribute: `User.encrypt_email(email_to_encrypt)` and `User.decrypt_email(email_to_decrypt)`. This can be useful when you're using `ActiveRecord` (see below).
+
+
+### ActiveRecord
+
+If you're using this gem with `ActiveRecord`, you get a few extra features:
+
+
+#### Default options
+
+For your convenience, the `:encode` option is set to true by default since you'll be storing everything in a database.
+
+
+### DataMapper and Sequel
+
+Just like the default options for `ActiveRecord`, the `:encode` option is set to true by default since you'll be storing everything in a database.
+
+
+## Note on Patches/Pull Requests
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.

data/Rakefile

@@ -0,0 +1,22 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the attr_encryptor gem.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the attr_encryptor gem.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'attr_encryptor'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/attr_encryptor.gemspec

@@ -0,0 +1,36 @@
+# -*- encoding: utf-8 -*-
+
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'attr_encryptor/version'
+require 'date'
+
+Gem::Specification.new do |s|
+  s.name    = 'attr_encryptor'
+  s.version = AttrEncryptor::Version.string
+  s.date    = Date.today
+
+  s.summary     = 'Encrypt and decrypt attributes'
+  s.description = 'Generates attr_accessors that encrypt and decrypt attributes transparently'
+
+  s.author   = 'Daniel Palacio'
+  s.email    = 'danpal@gmail.com'
+  s.homepage = 'http://github.com/danpal/attr_encrypted'
+
+  s.has_rdoc = false
+  s.rdoc_options = ['--line-numbers', '--inline-source', '--main', 'README.rdoc']
+
+  s.require_paths = ['lib']
+  
+  s.files       = `git ls-files`.split("\n")
+  s.test_files  = `git ls-files -- {test,spec,features}/*`.split("\n")
+
+  s.add_dependency('encryptor2', ['>= 1.1.1'])
+  s.add_development_dependency('activerecord', ['>= 2.0.0'])
+  s.add_development_dependency('datamapper')
+  s.add_development_dependency('mocha')
+  s.add_development_dependency('sequel')
+  s.add_development_dependency('dm-sqlite-adapter')
+  s.add_development_dependency('sqlite3')
+end

data/lib/attr_encryptor.rb

@@ -0,0 +1,326 @@
+require 'encryptor'
+require 'openssl'
+
+# Adds attr_accessors that encrypt and decrypt an object's attributes
+module AttrEncryptor
+  autoload :Version, 'attr_encryptor/version'
+
+  def self.extended(base) # :nodoc:
+    base.class_eval do
+      include InstanceMethods
+      attr_writer :attr_encrypted_options
+      @attr_encrypted_options, @encrypted_attributes = {}, {}
+    end
+  end
+
+  # Generates attr_accessors that encrypt and decrypt attributes transparently
+  #
+  # Options (any other options you specify are passed to the encryptor's encrypt and decrypt methods)
+  #
+  #   :attribute        => The name of the referenced encrypted attribute. For example
+  #                        <tt>attr_accessor :email, :attribute => :ee</tt> would generate an
+  #                        attribute named 'ee' to store the encrypted email. This is useful when defining
+  #                        one attribute to encrypt at a time or when the :prefix and :suffix options
+  #                        aren't enough. Defaults to nil.
+  #
+  #   :prefix           => A prefix used to generate the name of the referenced encrypted attributes.
+  #                        For example <tt>attr_accessor :email, :password, :prefix => 'crypted_'</tt> would
+  #                        generate attributes named 'crypted_email' and 'crypted_password' to store the
+  #                        encrypted email and password. Defaults to 'encrypted_'.
+  #
+  #   :suffix           => A suffix used to generate the name of the referenced encrypted attributes.
+  #                        For example <tt>attr_accessor :email, :password, :prefix => '', :suffix => '_encrypted'</tt>
+  #                        would generate attributes named 'email_encrypted' and 'password_encrypted' to store the
+  #                        encrypted email. Defaults to ''.
+  #
+  #   :key              => The encryption key. This option may not be required if you're using a custom encryptor. If you pass
+  #                        a symbol representing an instance method then the :key option will be replaced with the result of the
+  #                        method before being passed to the encryptor. Objects that respond to :call are evaluated as well (including procs).
+  #                        Any other key types will be passed directly to the encryptor.
+  #
+  #   :encode           => If set to true, attributes will be encoded as well as encrypted. This is useful if you're
+  #                        planning on storing the encrypted attributes in a database. The default encoding is 'm' (base64),
+  #                        however this can be overwritten by setting the :encode option to some other encoding string instead of
+  #                        just 'true'. See http://www.ruby-doc.org/core/classes/Array.html#M002245 for more encoding directives.
+  #                        Defaults to false unless you're using it with ActiveRecord, DataMapper, or Sequel.
+  #
+  #   :default_encoding => Defaults to 'm' (base64).
+  #
+  #   :marshal          => If set to true, attributes will be marshaled as well as encrypted. This is useful if you're planning
+  #                        on encrypting something other than a string. Defaults to false unless you're using it with ActiveRecord
+  #                        or DataMapper.
+  #
+  #   :marshaler        => The object to use for marshaling. Defaults to Marshal.
+  #
+  #   :dump_method      => The dump method name to call on the <tt>:marshaler</tt> object to. Defaults to 'dump'.
+  #
+  #   :load_method      => The load method name to call on the <tt>:marshaler</tt> object. Defaults to 'load'.
+  #
+  #   :encryptor        => The object to use for encrypting. Defaults to Encryptor.
+  #
+  #   :encrypt_method   => The encrypt method name to call on the <tt>:encryptor</tt> object. Defaults to 'encrypt'.
+  #
+  #   :decrypt_method   => The decrypt method name to call on the <tt>:encryptor</tt> object. Defaults to 'decrypt'.
+  #
+  #   :if               => Attributes are only encrypted if this option evaluates to true. If you pass a symbol representing an instance
+  #                        method then the result of the method will be evaluated. Any objects that respond to <tt>:call</tt> are evaluated as well.
+  #                        Defaults to true.
+  #
+  #   :unless           => Attributes are only encrypted if this option evaluates to false. If you pass a symbol representing an instance
+  #                        method then the result of the method will be evaluated. Any objects that respond to <tt>:call</tt> are evaluated as well.
+  #                        Defaults to false.
+  #
+  # You can specify your own default options
+  #
+  #   class User
+  #     # now all attributes will be encoded and marshaled by default
+  #     attr_encrypted_options.merge!(:encode => true, :marshal => true, :some_other_option => true)
+  #     attr_encrypted :configuration, :key => 'my secret key'
+  #   end
+  #
+  #
+  # Example
+  #
+  #   class User
+  #     attr_encrypted :email, :credit_card, :key => 'some secret key'
+  #     attr_encrypted :configuration, :key => 'some other secret key', :marshal => true
+  #   end
+  #
+  #   @user = User.new
+  #   @user.encrypted_email # nil
+  #   @user.email? # false
+  #   @user.email = 'test@example.com'
+  #   @user.email? # true
+  #   @user.encrypted_email # returns the encrypted version of 'test@example.com'
+  #
+  #   @user.configuration = { :time_zone => 'UTC' }
+  #   @user.encrypted_configuration # returns the encrypted version of configuration
+  #
+  #   See README for more examples
+  def attr_encrypted(*attributes)
+    options = {
+      :prefix           => 'encrypted_',
+      :suffix           => '',
+      :if               => true,
+      :unless           => false,
+      :encode           => false,
+      :default_encoding => 'm',
+      :marshal          => false,
+      :marshaler        => Marshal,
+      :dump_method      => 'dump',
+      :load_method      => 'load',
+      :encryptor        => Encryptor,
+      :encrypt_method   => 'encrypt',
+      :decrypt_method   => 'decrypt'
+    }.merge!(attr_encrypted_options).merge!(attributes.last.is_a?(Hash) ? attributes.pop : {})
+
+    options[:encode] = options[:default_encoding] if options[:encode] == true
+
+    attributes.each do |attribute|
+      encrypted_attribute_name = (options[:attribute] ? options[:attribute] : [options[:prefix], attribute, options[:suffix]].join).to_sym
+
+      instance_methods_as_symbols = instance_methods.collect { |method| method.to_sym }
+      attr_reader encrypted_attribute_name unless instance_methods_as_symbols.include?(encrypted_attribute_name)
+      attr_writer encrypted_attribute_name unless instance_methods_as_symbols.include?(:"#{encrypted_attribute_name}=")
+      
+      attr_reader (encrypted_attribute_name.to_s + "_iv").to_sym unless instance_methods_as_symbols.include?((encrypted_attribute_name.to_s + "_iv").to_sym )
+      attr_writer (encrypted_attribute_name.to_s + "_iv").to_sym unless instance_methods_as_symbols.include?((encrypted_attribute_name.to_s + "_iv").to_sym )
+      
+      attr_reader (encrypted_attribute_name.to_s + "_salt").to_sym unless instance_methods_as_symbols.include?((encrypted_attribute_name.to_s + "_salt").to_sym )
+      attr_writer (encrypted_attribute_name.to_s + "_salt").to_sym unless instance_methods_as_symbols.include?((encrypted_attribute_name.to_s + "_salt").to_sym )
+
+
+
+      define_method(attribute) do
+        instance_variable_get("@#{attribute}") || instance_variable_set("@#{attribute}", decrypt(attribute, send(encrypted_attribute_name)))
+      end
+
+      define_method("#{attribute}=") do |value|
+        iv = send("#{encrypted_attribute_name.to_s + "_iv"}")
+        if(iv == nil)
+          begin 
+            algorithm = options[:algorithm] || "aes-256-cbc"
+            algo = OpenSSL::Cipher::Cipher.new(algorithm)
+            iv = [algo.random_iv].pack("m")
+            send("#{encrypted_attribute_name.to_s + "_iv"}=", iv)
+          rescue RuntimeError
+          end
+        end
+
+        salt = send("#{encrypted_attribute_name.to_s + "_salt"}") || send("#{encrypted_attribute_name.to_s + "_salt"}=", Time.now.to_i.to_s) 
+        #this add's the iv and salt on the options for this instance
+        self.class.encrypted_attributes[attribute.to_sym] = self.class.encrypted_attributes[attribute.to_sym].merge(:iv => iv.unpack("m").first) if (iv && !iv.empty?)
+        self.class.encrypted_attributes[attribute.to_sym] = self.class.encrypted_attributes[attribute.to_sym].merge(:salt => salt)
+        send("#{encrypted_attribute_name}=", encrypt(attribute, value))
+        instance_variable_set("@#{attribute}", value)
+      end
+
+      define_method("#{attribute}?") do
+        value = send(attribute)
+        value.respond_to?(:empty?) ? !value.empty? : !!value
+      end
+      encrypted_attributes[attribute.to_sym] = options.merge(:attribute => encrypted_attribute_name)
+    end
+  end
+  alias_method :attr_encryptor, :attr_encrypted
+
+  # Default options to use with calls to <tt>attr_encrypted</tt>
+  #
+  # It will inherit existing options from its superclass
+  def attr_encrypted_options
+    @attr_encrypted_options ||= superclass.attr_encrypted_options.dup
+  end
+
+  # Checks if an attribute is configured with <tt>attr_encrypted</tt>
+  #
+  # Example
+  #
+  #   class User
+  #     attr_accessor :name
+  #     attr_encrypted :email
+  #   end
+  #
+  #   User.attr_encrypted?(:name)  # false
+  #   User.attr_encrypted?(:email) # true
+  def attr_encrypted?(attribute)
+    encrypted_attributes.has_key?(attribute.to_sym)
+  end
+
+  # Decrypts a value for the attribute specified
+  #
+  # Example
+  #
+  #   class User
+  #     attr_encrypted :email
+  #   end
+  #
+  #   email = User.decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
+  def decrypt(attribute, encrypted_value, options = {})
+    options = encrypted_attributes[attribute.to_sym].merge(options)
+    if options[:if] && !options[:unless] && !encrypted_value.nil? && !(encrypted_value.is_a?(String) && encrypted_value.empty?)
+      encrypted_value = encrypted_value.unpack(options[:encode]).first if options[:encode]
+      value = options[:encryptor].send(options[:decrypt_method], options.merge!(:value => encrypted_value))
+      value = options[:marshaler].send(options[:load_method], value) if options[:marshal]
+      value
+    else
+      encrypted_value
+    end
+  end
+
+  # Encrypts a value for the attribute specified
+  #
+  # Example
+  #
+  #   class User
+  #     attr_encrypted :email
+  #   end
+  #
+  #   encrypted_email = User.encrypt(:email, 'test@example.com')
+  def encrypt(attribute, value, options = {})
+    options = encrypted_attributes[attribute.to_sym].merge(options)
+    if options[:if] && !options[:unless] && !value.nil? && !(value.is_a?(String) && value.empty?)
+      value = options[:marshal] ? options[:marshaler].send(options[:dump_method], value) : value.to_s
+      encrypted_value = options[:encryptor].send(options[:encrypt_method], options.merge!(:value => value))
+      encrypted_value = [encrypted_value].pack(options[:encode]) if options[:encode]
+      encrypted_value
+    else
+      value
+    end
+  end
+
+  # Contains a hash of encrypted attributes with virtual attribute names as keys
+  # and their corresponding options as values
+  #
+  # Example
+  #
+  #   class User
+  #     attr_encrypted :email, :key => 'my secret key'
+  #   end
+  #
+  #   User.encrypted_attributes # { :email => { :attribute => 'encrypted_email', :key => 'my secret key' } }
+  def encrypted_attributes
+    @encrypted_attributes ||= superclass.encrypted_attributes.dup
+  end
+
+  # Forwards calls to :encrypt_#{attribute} or :decrypt_#{attribute} to the corresponding encrypt or decrypt method
+  # if attribute was configured with attr_encrypted
+  #
+  # Example
+  #
+  #   class User
+  #     attr_encrypted :email, :key => 'my secret key'
+  #   end
+  #
+  #   User.encrypt_email('SOME_ENCRYPTED_EMAIL_STRING')
+  def method_missing(method, *arguments, &block)
+    if method.to_s =~ /^((en|de)crypt)_(.+)$/ && attr_encrypted?($3)
+      send($1, $3, *arguments)
+    else
+      super
+    end
+  end
+
+  module InstanceMethods
+    # Decrypts a value for the attribute specified using options evaluated in the current object's scope
+    #
+    # Example
+    #
+    #  class User
+    #    attr_accessor :secret_key
+    #    attr_encrypted :email, :key => :secret_key
+    #
+    #    def initialize(secret_key)
+    #      self.secret_key = secret_key
+    #    end
+    #  end
+    #
+    #  @user = User.new('some-secret-key')
+    #  @user.decrypt(:email, 'SOME_ENCRYPTED_EMAIL_STRING')
+    def decrypt(attribute, encrypted_value)
+      self.class.decrypt(attribute, encrypted_value, evaluated_attr_encrypted_options_for(attribute))
+    end
+
+    # Encrypts a value for the attribute specified using options evaluated in the current object's scope
+    #
+    # Example
+    #
+    #  class User
+    #    attr_accessor :secret_key
+    #    attr_encrypted :email, :key => :secret_key
+    #
+    #    def initialize(secret_key)
+    #      self.secret_key = secret_key
+    #    end
+    #  end
+    #
+    #  @user = User.new('some-secret-key')
+    #  @user.encrypt(:email, 'test@example.com')
+    def encrypt(attribute, value)
+      self.class.encrypt(attribute, value, evaluated_attr_encrypted_options_for(attribute))
+    end
+
+    protected
+
+      # Returns attr_encrypted options evaluated in the current object's scope for the attribute specified
+      def evaluated_attr_encrypted_options_for(attribute)
+        self.class.encrypted_attributes[attribute.to_sym].inject({}) { |hash, (option, value)| hash.merge!(option => evaluate_attr_encrypted_option(value)) }
+      end
+
+      # Evaluates symbol (method reference) or proc (responds to call) options
+      #
+      # If the option is not a symbol or proc then the original option is returned
+      def evaluate_attr_encrypted_option(option)
+        if option.is_a?(Symbol) && respond_to?(option)
+          send(option)
+        elsif option.respond_to?(:call)
+          option.call(self)
+        else
+          option
+        end
+      end
+  end
+end
+
+Object.extend AttrEncryptor
+
+Dir[File.join(File.dirname(__FILE__), 'attr_encryptor', 'adapters', '*.rb')].each { |adapter| require adapter }