crypt_keeper 0.15.0.pre → 0.16.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: aa70dc82c3b6dac6568cf2c5b7a5c291d9af6238
-  data.tar.gz: f834bf7497a5dc1f6e26361092bbd8b9adedf57f
+  metadata.gz: 742dc47f65ba6f9c21e39dad6b34a25196e74978
+  data.tar.gz: 4e5eaafa1b9876217c739a4c3649fc52308dc0ff
 SHA512:
-  metadata.gz: 16a5a01696fd83cac4d8a7db9efc1bf3a4e56b81a77e6ebcac01ae7d58bfcefbda041866fb18c3485813c69c1fadd3f2bdb5c69f2a66b4c4a382b989a82cfcd7
-  data.tar.gz: 990e7f447a55d5c91bbbaa2865aef249bc7b3d3723bb5367044731e9e5bafacbb0a401ca1df027ad1686d1ed07013b5bf4c3091c557d0003474e3f223be4d297
+  metadata.gz: f43ec8ae9564d08e804d5539ee04fff90b072502e65128a983c4727953ad930a00cfc2f72bb50d5e6b6585c7bd43bb83199f75bd3cabffb27e317a3f56539dd6
+  data.tar.gz: 097e420adcb718391b14476dff3a8a1c00279bcd211df9cef3f163a424bd1267d5be85b1cfa15fe1773a77cd930cc9fea1c4c7ff0d4a406ca4c7146a570f5d61

data/.travis.yml

@@ -4,6 +4,7 @@ gemfile:
   - gemfiles/activerecord_3_1.gemfile
   - gemfiles/activerecord_3_2.gemfile
   - gemfiles/activerecord_4_0.gemfile
+  - gemfiles/activerecord_4_1.gemfile
 before_install:
   - bundle install
 before_script:
@@ -20,3 +21,6 @@ notifications:
 rvm:
   - 1.9.3
   - 2.0.0
+  - 2.1.1
+addons:
+  postgresql: 9.3

data/Appraisals

@@ -12,3 +12,8 @@ appraise "activerecord_4_0" do
   gem 'activerecord',  '~> 4.0.0'
   gem 'activesupport', '~> 4.0.0'
 end
+
+appraise "activerecord_4_1" do
+  gem 'activerecord',  '~> 4.1.0'
+  gem 'activesupport', '~> 4.1.0'
+end

data/README.md

@@ -27,7 +27,7 @@ simple that *just works*.
 
 ```ruby
 class MyModel < ActiveRecord::Base
-  crypt_keeper :field, :other_field, :encryptor => :aes, :key => 'super_good_password'
+  crypt_keeper :field, :other_field, :encryptor => :aes, :key => 'super_good_password', salt: 'salt'
 end
 
 model = MyModel.new(field: 'sometext')
@@ -51,15 +51,23 @@ update the content without going through the current encryptor.
 
 There are three included encryptors.
 
-* [AES](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/aes.rb)
+* [AES](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/aes_new.rb)
   * Encryption is peformed using AES-256 via OpenSSL.
+  * Passphrases are derived using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)
 
+* [AES Legacy](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/aes.rb) *DEPRECATED*
+  * Encryption is peformed using AES-256 via OpenSSL.
 
-* [MySQL AES](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/mysql_aes.rb)
+* [MySQL AES](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/mysql_aes_new.rb)
   * Encryption is peformed MySQL's native AES functions.
   * ActiveRecord logs are [automatically](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/log_subscriber/mysql_aes.rb)
     filtered for you to protect sensitive data from being logged.
+  * Passphrases are derived using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)
 
+* [MySQL AES](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/mysql_aes.rb) *DEPRECATED*
+  * Encryption is peformed MySQL's native AES functions.
+  * ActiveRecord logs are [automatically](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/log_subscriber/mysql_aes.rb)
+    filtered for you to protect senitive data from being logged.
 
 * [PostgreSQL PGP](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/postgres_pgp.rb).
   * Encryption is performed using PostgresSQL's native [PGP functions](http://www.postgresql.org/docs/9.1/static/pgcrypto.html).
@@ -68,15 +76,25 @@ There are three included encryptors.
   * ActiveRecord logs are [automatically](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/log_subscriber/postgres_pgp.rb)
     filtered for you to protect senitive data from being logged.
   * Custom options can be set through the `:pgcrypto_options`. E.g. `crypt_keeper :field, encryptor: :postgres_pgp, pgcrypto_options: 'compress-level=9'
+  * Passphrases are hashed by PostgresSQL itself using a [String2Key (S2K)](http://www.postgresql.org/docs/9.2/static/pgcrypto.html) algorithm. This is rather similar to crypt() algorithms — purposefully slow and with random salt — but it produces a full-length binary key.
+
+* [PostgreSQL PGP Public Key](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/provider/postgres_pgp_public_key.rb).
+  * Encryption is performed using PostgresSQL's native [PGP functions](http://www.postgresql.org/docs/9.1/static/pgcrypto.html).
+  * It requires the `pgcrypto` PostgresSQL extension:
+    `CREATE EXTENSION IF NOT EXISTS pgcrypto`
+  * ActiveRecord logs are [automatically](https://github.com/jmazzi/crypt_keeper/blob/master/lib/crypt_keeper/log_subscriber/postgres_pgp.rb)
+    filtered for you to protect senitive data from being logged.
+  * Accepts a public and private_key. The private key is optional. If the private key is not present the ciphertext value is returned instead of the plaintext. This allows you to keep the private key off certain servers. Encryption is possible with only a public key. Any server that needs access to the plaintext will need the private key.
+  * Passphrases are hashed by PostgresSQL itself using a [String2Key (S2K)](http://www.postgresql.org/docs/9.2/static/pgcrypto.html) algorithm. This is rather similar to crypt() algorithms — purposefully slow and with random salt — but it produces a full-length binary key.
 
 ## Searching
-Searching ciphertext is a complex problem that varies depending on the encryption algorithm you choose. All of the bundled providers include search support, but they have some caveats. 
+Searching ciphertext is a complex problem that varies depending on the encryption algorithm you choose. All of the bundled providers include search support, but they have some caveats.
 
 * AES
   * The Ruby implementation of AES uses a random initialization vector. The same plaintext encrypted multiple times will have different output each time for the ciphertext. Since this is the case, it is not possible to search leveraging the database. Database rows will need to be filtered in memory. It is suggested that you use a scope or ActiveRecord batches to narrow the results before seaching them.
 
 * Mysql AES
- * Surprisingly, MySQL's implementation of AES does not use a random initialization vector. The column containing the ciphertext can be indexed and searched quickly. 
+ * Surprisingly, MySQL's implementation of AES does not use a random initialization vector. The column containing the ciphertext can be indexed and searched quickly.
 
 * PostgresSQL PGP
  * PGP also uses a random initialization vector which means it generates unique output each time you encrypt plaintext. Although the database can be searched by performing row level decryption and comparing the plaintext, it will not be able to use an index. A scope or batch is suggested when searching.
@@ -123,10 +141,11 @@ end
 
 ## Requirements
 
-CryptKeeper has been tested against ActiveRecord 3.1, 3.2, 4.0 using ruby
-1.9.3 and 2.0.0
+CryptKeeper has been tested against ActiveRecord 3.1, 3.2, 4.0, 4.1 using ruby
+1.9.3, 2.0.0 and 2.1.1
 
 ActiveRecord 4.0 is supported starting with v0.11.0.
+ActiveRecord 4.1 is supported starting with v0.16.0. (unreleased, use master branch)
 
 ## Installation
 

data/bin/crypt_keeper

@@ -0,0 +1,99 @@
+#!/usr/bin/env ruby
+$:.unshift(File.join(File.dirname(__FILE__), "/../lib"))
+require 'crypt_keeper'
+require 'yaml'
+require 'active_support/core_ext'
+require 'active_record/log_subscriber'
+require 'optparse'
+
+if !File.exists?('config/database.yml')
+  puts "Please run this from the root of the rails project"
+  exit 1
+else
+  config = YAML::load_file('./config/database.yml')
+end
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = "Usage: crypt_keeper [options]"
+
+  opts.on("--old-key [key]", "The old encryption key") do |v|
+    options[:old_key] = v
+  end
+
+  opts.on("--new-key [key]", "The new encryption key") do |v|
+    options[:new_key] = v
+  end
+
+  opts.on("--salt [salt]", "The salt for the new encryption") do |v|
+    options[:salt] = v
+  end
+
+  opts.on("--table-name [table_name]", "The name of the table") do |v|
+    options[:table_name] = v
+  end
+
+  opts.on("--columns [field1,field2]", "A comma separated list of column names which are encrypted") do |v|
+    options[:columns] = v
+  end
+
+  opts.on("--old-encryptor [old encryptor]", "The old encryptor") do |v|
+    options[:old_encryptor] = v
+  end
+
+  opts.on("--query-log [file]", "ActiveRecord query log") do |v|
+    options[:query_log] = v
+  end
+end.parse!
+
+def get_required_arg(arg, options)
+  options.fetch(arg) { raise ArgumentError, "--#{arg.to_s.sub('_', '-')} is a required option"}
+end
+
+old_key         = get_required_arg(:old_key, options)
+new_key         = get_required_arg(:new_key, options)
+salt            = get_required_arg(:salt, options)
+table_name      = get_required_arg(:table_name, options)
+columns         = get_required_arg(:columns, options).split(',')
+encryptor       = get_required_arg(:old_encryptor, options)
+env             = ENV.fetch('RAILS_ENV', 'development')
+
+if options[:query_log].present?
+  ActiveRecord::Base.logger = Logger.new(options[:query_log])
+end
+
+if encryptor == "aes"
+  old_encryptor = CryptKeeper::Provider::Aes.new(key: old_key)
+  new_encryptor = CryptKeeper::Provider::AesNew.new(key: new_key, salt: salt)
+elsif encryptor == "mysql_aes"
+  old_encryptor = CryptKeeper::Provider::MysqlAes.new(key: old_key)
+  new_encryptor = CryptKeeper::Provider::MysqlAesNew.new(key: new_key, salt: salt)
+else
+  puts "#{encryptor} is not a known encryptor that can be migrated"
+  exit 1
+end
+
+class MigrateData < ActiveRecord::Base
+  def self.reencrypt_all(encrypted_fields, old_encryptor, new_encryptor)
+    ActiveRecord::Base.transaction do
+      find_each do |record|
+        new_hash = {}
+        encrypted_fields.each do |f|
+          plaintext   = old_encryptor.decrypt(record[f])
+          ciphertext  = new_encryptor.encrypt(plaintext)
+          new_hash[f] = ciphertext
+        end
+
+        record.update_attributes! new_hash
+        yield record if block_given?
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.establish_connection(config.fetch(env))
+MigrateData.table_name = table_name
+
+MigrateData.reencrypt_all(columns, old_encryptor, new_encryptor) do |r|
+  puts "#{r.id} is now re-encrypted"
+end

data/crypt_keeper.gemspec

@@ -16,8 +16,10 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = CryptKeeper::VERSION
 
-  gem.add_runtime_dependency 'activerecord',  '>= 3.1', '< 4.1'
-  gem.add_runtime_dependency 'activesupport', '>= 3.1', '< 4.1'
+  gem.add_runtime_dependency 'activerecord',  '>= 3.1', '< 4.2'
+  gem.add_runtime_dependency 'activesupport', '>= 3.1', '< 4.2'
+  gem.add_runtime_dependency 'aes',           '~> 0.5.0'
+  gem.add_runtime_dependency 'armor',         '~> 0.0.2'
 
   gem.add_development_dependency 'rspec',       '~> 2.13.0'
   gem.add_development_dependency 'guard',       '~> 1.8.0'

data/gemfiles/activerecord_3_1.gemfile.lock

@@ -1,9 +1,11 @@
 PATH
   remote: /Users/justin/work/jmazzi/crypt_keeper
   specs:
-    crypt_keeper (0.14.0.pre)
-      activerecord (>= 3.1, < 4.1)
-      activesupport (>= 3.1, < 4.1)
+    crypt_keeper (0.16.0.pre)
+      activerecord (>= 3.1, < 4.2)
+      activesupport (>= 3.1, < 4.2)
+      aes (~> 0.5.0)
+      armor (~> 0.0.2)
 
 GEM
   remote: https://rubygems.org/
@@ -19,10 +21,12 @@ GEM
       tzinfo (~> 0.3.29)
     activesupport (3.1.12)
       multi_json (~> 1.0)
+    aes (0.5.0)
     appraisal (0.5.2)
       bundler
       rake
     arel (2.2.3)
+    armor (0.0.2)
     builder (3.0.4)
     coderay (1.0.9)
     coveralls (0.7.0)
@@ -51,7 +55,7 @@ GEM
     lumberjack (1.0.4)
     method_source (0.8.2)
     mime-types (1.25)
-    multi_json (1.8.0)
+    multi_json (1.8.2)
     mysql2 (0.3.13)
     pg (0.15.1)
     pry (0.9.12.2)
@@ -83,8 +87,8 @@ GEM
     term-ansicolor (1.2.2)
       tins (~> 0.8)
     thor (0.18.1)
-    tins (0.11.0)
-    tzinfo (0.3.37)
+    tins (0.12.0)
+    tzinfo (0.3.38)
 
 PLATFORMS
   ruby

data/gemfiles/activerecord_3_2.gemfile.lock

@@ -1,9 +1,11 @@
 PATH
   remote: /Users/justin/work/jmazzi/crypt_keeper
   specs:
-    crypt_keeper (0.14.0.pre)
-      activerecord (>= 3.1, < 4.1)
-      activesupport (>= 3.1, < 4.1)
+    crypt_keeper (0.16.0.pre)
+      activerecord (>= 3.1, < 4.2)
+      activesupport (>= 3.1, < 4.2)
+      aes (~> 0.5.0)
+      armor (~> 0.0.2)
 
 GEM
   remote: https://rubygems.org/
@@ -19,10 +21,12 @@ GEM
     activesupport (3.2.14)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
+    aes (0.5.0)
     appraisal (0.5.2)
       bundler
       rake
     arel (3.0.2)
+    armor (0.0.2)
     builder (3.0.4)
     coderay (1.0.9)
     coveralls (0.7.0)
@@ -51,7 +55,7 @@ GEM
     lumberjack (1.0.4)
     method_source (0.8.2)
     mime-types (1.25)
-    multi_json (1.8.0)
+    multi_json (1.8.2)
     mysql2 (0.3.13)
     pg (0.15.1)
     pry (0.9.12.2)
@@ -83,8 +87,8 @@ GEM
     term-ansicolor (1.2.2)
       tins (~> 0.8)
     thor (0.18.1)
-    tins (0.11.0)
-    tzinfo (0.3.37)
+    tins (0.12.0)
+    tzinfo (0.3.38)
 
 PLATFORMS
   ruby

data/gemfiles/activerecord_4_0.gemfile.lock

@@ -1,9 +1,11 @@
 PATH
   remote: /Users/justin/work/jmazzi/crypt_keeper
   specs:
-    crypt_keeper (0.14.0.pre)
-      activerecord (>= 3.1, < 4.1)
-      activesupport (>= 3.1, < 4.1)
+    crypt_keeper (0.16.0.pre)
+      activerecord (>= 3.1, < 4.2)
+      activesupport (>= 3.1, < 4.2)
+      aes (~> 0.5.0)
+      armor (~> 0.0.2)
 
 GEM
   remote: https://rubygems.org/
@@ -23,10 +25,12 @@ GEM
       multi_json (~> 1.3)
       thread_safe (~> 0.1)
       tzinfo (~> 0.3.37)
+    aes (0.5.0)
     appraisal (0.5.2)
       bundler
       rake
     arel (4.0.0)
+    armor (0.0.2)
     atomic (1.1.14)
     builder (3.1.4)
     coderay (1.0.9)
@@ -57,7 +61,7 @@ GEM
     method_source (0.8.2)
     mime-types (1.25)
     minitest (4.7.5)
-    multi_json (1.8.0)
+    multi_json (1.8.2)
     mysql2 (0.3.13)
     pg (0.15.1)
     pry (0.9.12.2)
@@ -91,8 +95,8 @@ GEM
     thor (0.18.1)
     thread_safe (0.1.3)
       atomic
-    tins (0.11.0)
-    tzinfo (0.3.37)
+    tins (0.12.0)
+    tzinfo (0.3.38)
 
 PLATFORMS
   ruby

data/gemfiles/activerecord_4_1.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 4.1.0"
+gem "activesupport", "~> 4.1.0"
+
+gemspec :path=>"../"

data/gemfiles/activerecord_4_1.gemfile.lock

@@ -0,0 +1,117 @@
+PATH
+  remote: /Users/justin/work/jmazzi/crypt_keeper
+  specs:
+    crypt_keeper (0.16.0.pre)
+      activerecord (>= 3.1, < 4.2)
+      activesupport (>= 3.1, < 4.2)
+      aes (~> 0.5.0)
+      armor (~> 0.0.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (4.1.0)
+      activesupport (= 4.1.0)
+      builder (~> 3.1)
+    activerecord (4.1.0)
+      activemodel (= 4.1.0)
+      activesupport (= 4.1.0)
+      arel (~> 5.0.0)
+    activesupport (4.1.0)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    aes (0.5.0)
+    appraisal (0.5.2)
+      bundler
+      rake
+    arel (5.0.1.20140414130214)
+    armor (0.0.3)
+    builder (3.2.2)
+    coderay (1.1.0)
+    coveralls (0.7.0)
+      multi_json (~> 1.3)
+      rest-client
+      simplecov (>= 0.7)
+      term-ansicolor
+      thor
+    diff-lcs (1.2.5)
+    docile (1.1.3)
+    ffi (1.9.3)
+    formatador (0.2.4)
+    guard (1.8.3)
+      formatador (>= 0.2.4)
+      listen (~> 1.3)
+      lumberjack (>= 1.0.2)
+      pry (>= 0.9.10)
+      thor (>= 0.14.6)
+    guard-rspec (2.5.4)
+      guard (>= 1.1)
+      rspec (~> 2.11)
+    i18n (0.6.9)
+    json (1.8.1)
+    listen (1.3.1)
+      rb-fsevent (>= 0.9.3)
+      rb-inotify (>= 0.9)
+      rb-kqueue (>= 0.2)
+    lumberjack (1.0.5)
+    method_source (0.8.2)
+    mime-types (2.2)
+    minitest (5.3.3)
+    multi_json (1.9.2)
+    mysql2 (0.3.15)
+    pg (0.15.1)
+    pry (0.9.12.6)
+      coderay (~> 1.0)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    rake (10.0.4)
+    rb-fsevent (0.9.4)
+    rb-inotify (0.9.3)
+      ffi (>= 0.5.0)
+    rb-kqueue (0.2.2)
+      ffi (>= 0.5.0)
+    rest-client (1.6.7)
+      mime-types (>= 1.16)
+    rspec (2.13.0)
+      rspec-core (~> 2.13.0)
+      rspec-expectations (~> 2.13.0)
+      rspec-mocks (~> 2.13.0)
+    rspec-core (2.13.1)
+    rspec-expectations (2.13.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.13.1)
+    simplecov (0.8.2)
+      docile (~> 1.1.0)
+      multi_json
+      simplecov-html (~> 0.8.0)
+    simplecov-html (0.8.0)
+    slop (3.5.0)
+    sqlite3 (1.3.9)
+    term-ansicolor (1.3.0)
+      tins (~> 1.0)
+    thor (0.19.1)
+    thread_safe (0.3.3)
+    tins (1.1.0)
+    tzinfo (1.1.0)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord (~> 4.1.0)
+  activesupport (~> 4.1.0)
+  appraisal (~> 0.5.2)
+  coveralls
+  crypt_keeper!
+  guard (~> 1.8.0)
+  guard-rspec (~> 2.5.4)
+  mysql2 (~> 0.3.11)
+  pg (~> 0.15.1)
+  rake (~> 10.0.3)
+  rb-fsevent (~> 0.9.1)
+  rspec (~> 2.13.0)
+  sqlite3

data/lib/crypt_keeper/helper.rb

@@ -10,6 +10,14 @@ module CryptKeeper
       end
     end
 
+    module DigestPassphrase
+      def digest_passphrase(key, salt)
+        raise ArgumentError.new("Missing :key") if key.blank?
+        raise ArgumentError.new("Missing :salt") if salt.blank?
+        ::Armor.digest(key, salt)
+      end
+    end
+
     module Serializer
       def dump(value)
         if value.blank?

data/lib/crypt_keeper/log_subscriber/mysql_aes.rb

@@ -12,7 +12,7 @@ module CryptKeeper
 
       # Public: Prevents sensitive data from being logged
       def sql_with_mysql_aes(event)
-        filter = /(aes_(encrypt|decrypt))\(((.|\n)*?)\)/i
+        filter = /(aes_(encrypt|decrypt))\(.*\)/i
 
         event.payload[:sql] = event.payload[:sql].gsub(filter) do |_|
           "#{$1}([FILTERED])"

data/lib/crypt_keeper/log_subscriber/postgres_pgp.rb

@@ -12,10 +12,10 @@ module CryptKeeper
 
       # Public: Prevents sensitive data from being logged
       def sql_with_postgres_pgp(event)
-        filter = /(pgp_sym_(encrypt|decrypt))\(((.|\n)*?)\)/i
+        filter = /(\(*)pgp_(sym|pub)_(?<operation>decrypt|encrypt)(\(+.*\)+)/im
 
         event.payload[:sql] = event.payload[:sql].gsub(filter) do |_|
-          "#{$1}([FILTERED])"
+          "#{$~[:operation]}([FILTERED])"
         end
 
         sql_without_postgres_pgp(event)
@@ -24,6 +24,6 @@ module CryptKeeper
   end
 end
 
-ActiveSupport.on_load :crypt_keeper_posgres_pgp_log do
+ActiveSupport.on_load :crypt_keeper_postgres_pgp_log do
   ActiveRecord::LogSubscriber.send :include, CryptKeeper::LogSubscriber::PostgresPgp
 end

data/lib/crypt_keeper/provider/aes.rb

@@ -5,7 +5,6 @@ require 'base64'
 module CryptKeeper
   module Provider
     class Aes
-      # A value to split the iv and cipher text with
       SEPARATOR = ":crypt_keeper:"
 
       # Public: The encryption key
@@ -18,6 +17,7 @@ module CryptKeeper
       #
       #   options - A hash of options. :key is required
       def initialize(options = {})
+        legacy
         @aes         = ::OpenSSL::Cipher::Cipher.new("AES-256-CBC")
         @aes.padding = 1
 
@@ -34,6 +34,7 @@ module CryptKeeper
       # When they are encountered, the orignal value is returned.
       # Otherwise, returns the encrypted string
       def encrypt(value)
+        return value if value == '' || value.nil?
         aes.encrypt
         aes.key = key
         Base64::encode64("#{aes.random_iv}#{SEPARATOR}#{aes.update(value.to_s) + aes.final}")
@@ -45,6 +46,7 @@ module CryptKeeper
       # When they are encountered, the orignal value is returned.
       # Otherwise, returns the decrypted string
       def decrypt(value)
+        return value if value == '' || value.nil?
         iv, value = Base64::decode64(value.to_s).split(SEPARATOR)
         aes.decrypt
         aes.key = key
@@ -52,13 +54,12 @@ module CryptKeeper
         aes.update(value) + aes.final
       end
 
-      # Public: Search for a record
-      #
-      # record   - An ActiveRecord collection
-      # field    - The field to search
-      # criteria - A string to search with
-      def search(records, field, criteria)
-        records.select { |record| record[field] == criteria }
+      private
+
+      def legacy
+        unless ENV['CRYPT_KEEPER_IGNORE_LEGACY_DEPRECATION']
+          warn "[DEPRECATION] AES Legacy is now deprecated. Please see http://git.io/uYcp2A"
+        end
       end
     end
   end

data/lib/crypt_keeper/provider/aes_new.rb

@@ -0,0 +1,53 @@
+require 'aes'
+require 'armor'
+
+module CryptKeeper
+  module Provider
+    class AesNew
+      include CryptKeeper::Helper::DigestPassphrase
+
+      # Public: The encryption key
+      attr_accessor :key
+
+      # Public: Initializes the class
+      #
+      #   options - A hash of options. :key and :salt are required
+      def initialize(options = {})
+        @key = digest_passphrase(options[:key], options[:salt])
+      end
+
+      # Public: Encrypt a string
+      #
+      # Note: nil and empty strings are not encryptable with AES.
+      # When they are encountered, the orignal value is returned.
+      # Otherwise, returns the encrypted string
+      #
+      # Returns a String
+      def encrypt(value)
+        AES.encrypt(value, key)
+      end
+
+      # Public: Decrypt a string
+      #
+      # Note: nil and empty strings are not encryptable with AES (and thus cannot be decrypted).
+      # When they are encountered, the orignal value is returned.
+      # Otherwise, returns the decrypted string
+      #
+      # Returns a String
+      def decrypt(value)
+        AES.decrypt(value, key)
+      end
+
+      # Public: Search for a record
+      #
+      # record   - An ActiveRecord collection
+      # field    - The field to search
+      # criteria - A string to search with
+      #
+      # Returns an Enumerable
+      def search(records, field, criteria)
+        records.select { |record| record[field] == criteria }
+      end
+    end
+  end
+end

data/lib/crypt_keeper/provider/mysql_aes.rb

@@ -11,6 +11,7 @@ module CryptKeeper
       #
       #  options - A hash, :key is required
       def initialize(options = {})
+        legacy
         ActiveSupport.run_load_hooks(:crypt_keeper_mysql_aes_log, self)
 
         @key = options.fetch(:key) do
@@ -34,8 +35,12 @@ module CryptKeeper
           ["SELECT AES_DECRYPT(?, ?)", Base64.decode64(value), key]).first
       end
 
-      def search(records, field, criteria)
-        records.where(field.to_sym => encrypt(criteria))
+      private
+
+      def legacy
+        unless ENV['CRYPT_KEEPER_IGNORE_LEGACY_DEPRECATION']
+          warn "[DEPRECATION] MySqlAes Legacy is now deprecated. Please see http://git.io/nXXOlg"
+        end
       end
     end
   end