attr_keyring 0.2.0 → 0.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 040617a8065c7ec13a8c56b5bbe03e0caae106f49b6bd4942069e0cce74de3f7
4
- data.tar.gz: 220bc96f6beec989d76dc6e2371eef0321924c6c829cb70898f19adf36fd42a6
3
+ metadata.gz: 6057a2d9269b3ae803d4a0b83687ef89d5ca9dff7b9570711b433b0c7a9b7f58
4
+ data.tar.gz: e43bda559349979df6e77fef9a17c3f81e5ad96d9dde229ca82c4d781555ee24
5
5
  SHA512:
6
- metadata.gz: 2288a6fa22598c54ef3d6529ed3a85a8d3b0f755e06ab914cf5cf1e40fb4cf8bc543001f950626183e834e01d9dbed540c9213174567a4bebda3195e617cabad
7
- data.tar.gz: a5d942f7b7ea4ed2310267340262cc6fed0057b809602e4a0a4f92f07914a4a0cbc88a8c6b3dc09860eae19cb6b5e0aa36fe655a9be9f8e049a36e2e120e1242
6
+ metadata.gz: 914e18b4fefad514bc4b1d4a802ac213308348e0512e6c8daadffc40327e7aec20ec80064dd98b85140d75bea81ab099ae2da6d8856d377dbb5573e7458ffdd2
7
+ data.tar.gz: '08410c37300a6cb5156a6b8f1e00bf8f3c01b9729fb0840c98c83c0cb275e015a9cbde54ad91859e8a8f4f7ede86d2fa4f46526c38a769655c381c8bcfafd7c3'
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- attr_keyring (0.2.0)
4
+ attr_keyring (0.2.1)
5
5
  activerecord
6
6
 
7
7
  GEM
data/README.md CHANGED
@@ -121,6 +121,12 @@ To generate keys, use `bs=32` instead.
121
121
  $ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
122
122
  ```
123
123
 
124
+ #### About the encrypted message
125
+
126
+ Initialization vectors (IV) should be unpredictable and unique; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages unencrypted. It may sound contradictory that something has to be unpredictable and unique, but does not have to be secret; it is important to remember that an attacker must not be able to predict ahead of time what a given IV will be.
127
+
128
+ With that in mind, attr_keyring uses `unencrypted iv + encrypted message` as the value of `encrypted_<column>`. If you're planning to migrate from other encryption mechanisms or read encrypted values from the database without using attr_keyring, make sure you account for this. The IV length can be retrieved by `OpenSSL::Cipher#iv_len`, e.g. `OpenSSL::Cipher.new("AES-128-CBC").iv_len`.
129
+
124
130
  ### Keyring
125
131
 
126
132
  Keys are managed through a keyring--a short JSON document describing your encryption keys. The keyring must be a JSON object mapping numeric ids of the keys to the key values. A keyring must have at least one key. For example:
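Review bot: The new "About the encrypted message" paragraph says the stored value is `unencrypted iv + encrypted message` but not which cipher attr_keyring actually uses, nor whether the concatenated value is encoded (for example base64) before it is written to `encrypted_<column>`. `AES-128-CBC` appears only as an "e.g." for `iv_len`, so a reader decrypting outside the gem cannot tell how many leading bytes to split off or whether to decode first. Suggest naming the cipher and the storage encoding explicitly, and stating whether the IV is split off before or after decoding.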
@@ -161,10 +167,10 @@ User.where(twitter_oauth_token: "241F596D-79FF-4C08-921A-A19E533B4F52")
161
167
 
162
168
  is trivial with plain text fields, but impossible with the model defined as above.
163
169
 
164
- If add a column `<attribute>_digest` exists, then a SHA256 digest from the value will be saved. This will allow you to lookup by that value instead and add unique indexes.
170
+ If add a column `<attribute>_digest` exists, then a SHA1 digest from the value will be saved. This will allow you to lookup by that value instead and add unique indexes.
165
171
 
166
172
  ```ruby
167
- User.where(twitter_oauth_token_digest: Digest::SHA256.hexdigest("241F596D-79FF-4C08-921A-A19E533B4F52"))
173
+ User.where(twitter_oauth_token_digest: Digest::SHA1.hexdigest("241F596D-79FF-4C08-921A-A19E533B4F52"))
168
174
  ```
169
175
 
170
176
  ### Key Rotation
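Review bot: The rewritten sentence documents the switch from SHA256 to SHA1 for `<attribute>_digest` without telling existing users that digests already stored by 0.2.0 will no longer match lookups built with `Digest::SHA1.hexdigest(...)`. Suggest adding a sentence that existing digest columns must be recomputed after upgrading, and noting that the hex digest length changes from 64 to 40 characters for anyone with a fixed-width column. The sentence also still opens with "If add a column `<attribute>_digest` exists", which should read "If a column `<attribute>_digest` exists".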
data/lib/attr_keyring.rb CHANGED
@@ -1,6 +1,7 @@
1
1
  module AttrKeyring
2
2
  require "active_record"
3
3
  require "openssl"
4
+ require "digest/sha1"
4
5
 
5
6
  require "attr_keyring/version"
6
7
  require "attr_keyring/active_record"
@@ -49,7 +49,7 @@ module AttrKeyring
49
49
 
50
50
  private def attr_encrypt_digest(attribute, value)
51
51
  digest_column = "#{attribute}_digest"
52
- public_send("#{digest_column}=", Digest::SHA256.hexdigest(value)) if respond_to?(digest_column)
52
+ public_send("#{digest_column}=", Digest::SHA1.hexdigest(value)) if respond_to?(digest_column)
53
53
  end
54
54
 
55
55
  private def migrate_to_latest_encryption_key
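Review bot: In `attr_encrypt_digest`, the lookup digest is now `Digest::SHA1.hexdigest(value)`, an unkeyed, unsalted hash of the plaintext stored in the same row as the ciphertext, and this change replaces SHA256 with a weaker function without giving a reason. Anyone with read access to the table can confirm guesses of low-entropy values offline by hashing candidates, regardless of the encryption key. Suggest keeping SHA256 at minimum, or better, deriving the digest with an HMAC keyed from the keyring so the digest column is not testable without the key. The line also has no guard for a nil `value`, which `hexdigest` does not accept, unless the caller already filters that case.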
@@ -1,3 +1,3 @@
1
1
  module AttrKeyring
2
- VERSION = "0.2.0".freeze
2
+ VERSION = "0.2.1".freeze
3
3
  end
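Review bot: `VERSION` moves from "0.2.0" to "0.2.1", a patch-level bump, while the same release changes the digest algorithm written to `<attribute>_digest` columns, which is incompatible with data stored by 0.2.0. Suggest a minor version bump or at least a changelog entry flagging the change, so an upgrade that silently breaks digest lookups is not picked up as a routine patch update.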
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: attr_keyring
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nando Vieira
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-12-03 00:00:00.000000000 Z
11
+ date: 2018-12-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activerecord