attr_keyring 0.2.0 → 0.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 040617a8065c7ec13a8c56b5bbe03e0caae106f49b6bd4942069e0cce74de3f7
4
- data.tar.gz: 220bc96f6beec989d76dc6e2371eef0321924c6c829cb70898f19adf36fd42a6
3
+ metadata.gz: 6057a2d9269b3ae803d4a0b83687ef89d5ca9dff7b9570711b433b0c7a9b7f58
4
+ data.tar.gz: e43bda559349979df6e77fef9a17c3f81e5ad96d9dde229ca82c4d781555ee24
5
5
  SHA512:
6
- metadata.gz: 2288a6fa22598c54ef3d6529ed3a85a8d3b0f755e06ab914cf5cf1e40fb4cf8bc543001f950626183e834e01d9dbed540c9213174567a4bebda3195e617cabad
7
- data.tar.gz: a5d942f7b7ea4ed2310267340262cc6fed0057b809602e4a0a4f92f07914a4a0cbc88a8c6b3dc09860eae19cb6b5e0aa36fe655a9be9f8e049a36e2e120e1242
6
+ metadata.gz: 914e18b4fefad514bc4b1d4a802ac213308348e0512e6c8daadffc40327e7aec20ec80064dd98b85140d75bea81ab099ae2da6d8856d377dbb5573e7458ffdd2
7
+ data.tar.gz: '08410c37300a6cb5156a6b8f1e00bf8f3c01b9729fb0840c98c83c0cb275e015a9cbde54ad91859e8a8f4f7ede86d2fa4f46526c38a769655c381c8bcfafd7c3'
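Review bot: the SHA512 `data.tar.gz` entry on the `+` side is single-quoted while every other checksum is bare; both forms parse to the same string in YAML, so this is presumably just the emitter being cautious with a value that begins with `08`, and nothing needs to change. The hashes themselves cannot be checked from the diff alone; recompute them from the published 0.2.1 `.gem` to confirm they match before trusting the artifact.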
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- attr_keyring (0.2.0)
4
+ attr_keyring (0.2.1)
5
5
  activerecord
6
6
 
7
7
  GEM
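Review bot: version bump only, consistent with the `VERSION` constant change elsewhere in this release; nothing to flag.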
data/README.md CHANGED
@@ -121,6 +121,12 @@ To generate keys, use `bs=32` instead.
121
121
  $ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
122
122
  ```
123
123
 
124
+ #### About the encrypted message
125
+
126
+ Initialization vectors (IV) should be unpredictable and unique; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages unencrypted. It may sound contradictory that something has to be unpredictable and unique, but does not have to be secret; it is important to remember that an attacker must not be able to predict ahead of time what a given IV will be.
127
+
128
+ With that in mind, attr_keyring uses `unencrypted iv + encrypted message` as the value of `encrypted_<column>`. If you're planning to migrate from other encryption mechanisms or read encrypted values from the database without using attr_keyring, make sure you account for this. The IV length can be retrieved by `OpenSSL::Cipher#iv_len`, e.g. `OpenSSL::Cipher.new("AES-128-CBC").iv_len`.
129
+
124
130
  ### Keyring
125
131
 
126
132
  Keys are managed through a keyring--a short JSON document describing your encryption keys. The keyring must be a JSON object mapping numeric ids of the keys to the key values. A keyring must have at least one key. For example:
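Review bot: the new paragraph explains why an IV need not be secret but never states how attr_keyring generates one; add a sentence saying that a fresh random IV is produced for every encryption and is therefore never reused across rows or re-encryptions, since that is the property anyone migrating data into the `unencrypted iv + encrypted message` layout has to preserve. The `OpenSSL::Cipher.new("AES-128-CBC").iv_len` example should name the cipher attr_keyring actually uses, otherwise a reader splitting the column by hand may pick the wrong offset; stating the length in bytes (16 for any AES-CBC mode) would save them running Ruby to find it.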
@@ -161,10 +167,10 @@ User.where(twitter_oauth_token: "241F596D-79FF-4C08-921A-A19E533B4F52")
161
167
 
162
168
  is trivial with plain text fields, but impossible with the model defined as above.
163
169
 
164
- If add a column `<attribute>_digest` exists, then a SHA256 digest from the value will be saved. This will allow you to lookup by that value instead and add unique indexes.
170
+ If add a column `<attribute>_digest` exists, then a SHA1 digest from the value will be saved. This will allow you to lookup by that value instead and add unique indexes.
165
171
 
166
172
  ```ruby
167
- User.where(twitter_oauth_token_digest: Digest::SHA256.hexdigest("241F596D-79FF-4C08-921A-A19E533B4F52"))
173
+ User.where(twitter_oauth_token_digest: Digest::SHA1.hexdigest("241F596D-79FF-4C08-921A-A19E533B4F52"))
168
174
  ```
169
175
 
170
176
  ### Key Rotation
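Review bot: switching the lookup digest from SHA256 to SHA1 is a behavioural change the README should explain, not just restate: rows written by 0.2.0 carry SHA256 hex digests, so a `Digest::SHA1.hexdigest` lookup against them silently returns nothing until every `<attribute>_digest` column is recomputed, and any unique index on that column is now keyed by different values. Document the migration (re-save or re-digest existing records) and the reason for the change; absent a concrete compatibility requirement, SHA256 is the safer default, since SHA-1 is deprecated for new designs. Minor: "If add a column `<attribute>_digest` exists" is ungrammatical on both sides of the hunk; "If a column `<attribute>_digest` exists" reads correctly.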
data/lib/attr_keyring.rb CHANGED
@@ -1,6 +1,7 @@
1
1
  module AttrKeyring
2
2
  require "active_record"
3
3
  require "openssl"
4
+ require "digest/sha1"
4
5
 
5
6
  require "attr_keyring/version"
6
7
  require "attr_keyring/active_record"
@@ -49,7 +49,7 @@ module AttrKeyring
49
49
 
50
50
  private def attr_encrypt_digest(attribute, value)
51
51
  digest_column = "#{attribute}_digest"
52
- public_send("#{digest_column}=", Digest::SHA256.hexdigest(value)) if respond_to?(digest_column)
52
+ public_send("#{digest_column}=", Digest::SHA1.hexdigest(value)) if respond_to?(digest_column)
53
53
  end
54
54
 
55
55
  private def migrate_to_latest_encryption_key
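Review bot: `attr_encrypt_digest` now writes SHA1 digests, but nothing migrates digests stored by 0.2.0, so a record saved under the old version will not be found by a SHA1 lookup until it is re-saved; either ship a migration helper that recomputes the digest for every row with a non-nil attribute, or make the digest algorithm configurable with SHA256 as the default and SHA1 opt-in for callers that need it. Also, the guard `respond_to?(digest_column)` checks for the reader while the code calls the writer; `respond_to?("#{digest_column}=")` tests the method actually invoked.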
@@ -1,3 +1,3 @@
1
1
  module AttrKeyring
2
- VERSION = "0.2.0".freeze
2
+ VERSION = "0.2.1".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: attr_keyring
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nando Vieira
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-12-03 00:00:00.000000000 Z
11
+ date: 2018-12-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activerecord