crypt_keeper 0.15.0.pre → 0.16.0.pre

data/lib/crypt_keeper/provider/mysql_aes_new.rb

@@ -0,0 +1,43 @@
+require 'crypt_keeper/log_subscriber/mysql_aes'
+
+module CryptKeeper
+  module Provider
+    class MysqlAesNew
+      include CryptKeeper::Helper::SQL
+      include CryptKeeper::Helper::DigestPassphrase
+
+      attr_accessor :key
+
+      # Public: Initializes the encryptor
+      #
+      #  options - A hash, :key and :salt are required
+      def initialize(options = {})
+        ActiveSupport.run_load_hooks(:crypt_keeper_mysql_aes_log, self)
+        @key = digest_passphrase(options[:key], options[:salt])
+      end
+
+      # Public: Encrypts a string
+      #
+      # Returns an encrypted string
+      def encrypt(value)
+        Base64.encode64 escape_and_execute_sql(
+          ["SELECT AES_ENCRYPT(?, ?)", value, key]).first
+      end
+
+      # Public: Decrypts a string
+      #
+      # Returns a plaintext string
+      def decrypt(value)
+        escape_and_execute_sql(
+          ["SELECT AES_DECRYPT(?, ?)", Base64.decode64(value), key]).first
+      end
+
+      # Public: Searches the table
+      #
+      # Returns an Enumerable
+      def search(records, field, criteria)
+        records.where(field.to_sym => encrypt(criteria))
+      end
+    end
+  end
+end

data/lib/crypt_keeper/provider/postgres_pgp.rb

@@ -12,7 +12,7 @@ module CryptKeeper
       #
       #  options - A hash, :key is required
       def initialize(options = {})
-        ActiveSupport.run_load_hooks(:crypt_keeper_posgres_pgp_log, self)
+        ActiveSupport.run_load_hooks(:crypt_keeper_postgres_pgp_log, self)
 
         @key = options.fetch(:key) do
           raise ArgumentError, "Missing :key"

data/lib/crypt_keeper/provider/postgres_pgp_public_key.rb

@@ -0,0 +1,57 @@
+require 'crypt_keeper/log_subscriber/postgres_pgp'
+
+module CryptKeeper
+  module Provider
+    class PostgresPgpPublicKey
+      include CryptKeeper::Helper::SQL
+
+      attr_accessor :key
+
+      def initialize(options = {})
+        ActiveSupport.run_load_hooks(:crypt_keeper_postgres_pgp_log, self)
+
+        @key = options.fetch(:key) do
+          raise ArgumentError, "Missing :key"
+        end
+
+        @public_key  = options.fetch(:public_key)
+        @private_key = options[:private_key]
+      end
+
+      # Public: Encrypts a string
+      #
+      # Returns an encrypted string
+      def encrypt(value)
+        if !@private_key.present? && encrypted?(value)
+          value
+        else
+          escape_and_execute_sql(["SELECT pgp_pub_encrypt(?, dearmor(?))", value.to_s, @public_key])['pgp_pub_encrypt']
+        end
+      end
+
+      # Public: Decrypts a string
+      #
+      # Returns a plaintext string
+      def decrypt(value)
+        if @private_key.present?
+          escape_and_execute_sql(["SELECT pgp_pub_decrypt(?, dearmor(?), ?)", value, @private_key, @key])['pgp_pub_decrypt']
+        else
+          value
+        end
+      end
+
+      # Public: Attempts to extract a PGP key id. If it's successful, it returns true
+      #
+      # Returns boolean
+      def encrypted?(value)
+        begin
+          ActiveRecord::Base.transaction(requires_new: true) do
+            escape_and_execute_sql(["SELECT pgp_key_id(?)", value.to_s])['pgp_key_id'].present?
+          end
+        rescue ActiveRecord::StatementInvalid
+          false
+        end
+      end
+    end
+  end
+end

data/lib/crypt_keeper/version.rb

@@ -1,3 +1,3 @@
 module CryptKeeper
-  VERSION = "0.15.0.pre"
+  VERSION = "0.16.0.pre"
 end

data/lib/crypt_keeper.rb

@@ -4,8 +4,11 @@ require 'crypt_keeper/version'
 require 'crypt_keeper/model'
 require 'crypt_keeper/helper'
 require 'crypt_keeper/provider/aes'
+require 'crypt_keeper/provider/aes_new'
 require 'crypt_keeper/provider/mysql_aes'
+require 'crypt_keeper/provider/mysql_aes_new'
 require 'crypt_keeper/provider/postgres_pgp'
+require 'crypt_keeper/provider/postgres_pgp_public_key'
 
 module CryptKeeper
 end

data/spec/fixtures/private.asc

@@ -0,0 +1,60 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+lQO+BFKgjPQBCADxhlfBJIauF69IyfHaSYAKDELoLRLoKCqu9GGbm/d5HV4h0Qeb
+TQLb3uQ+AEL9hPf5MLc2dj3T30jbUD9wnU+mak2cVilzbYw6Okuh8MP6KyTgkQos
+/8pTDZsogirB0E6vx+UGen9Eo6DLljU6oCao8wvVe1AnXBUqLxX4gEOXgtXpf72g
+dPY26NV66htB0l+wkIzbovg0+GF32lu0/M5+iU7QoVa0C/2FdKigASutzBtKTyKL
+NYGnI+xYgXFWO+GiuQT0St2VmROPvU6di9k1NoaMh+5wK//fqXgf27+qMU5nmgnO
+f/vK3gp72NThdobiK1QqDbNJdADzUFb+7molABEBAAH+AwMC9hlrvwnXUxpgJgtF
+l5vo2r3qRf3+bdPkyvRPVSorMj0a1FzY30YGlGnifFI0u6b0XFtWNPydtYxXBoII
+/POECr9H2/Imi7UArZg0pfFqBJL2/+vmTrX2EAYvE+H0KRxZBX1mXhx6kkLJayG9
+exXYVlOLMmJiSjuiI/SzbYr2u7mlD0xEy4vZ0CzDVH37QvUKTYpkHkp2B2G2xqSo
+a6AFNKI8rALF5wtwIRe5a8+0zguUlfIOJbQjIKn4cD9h3cbc9rYJmKluzLfeTopq
+gwE//gGmwmPtR+i/qwzP8U/LAa2HXBhTTLoi2MYVYzy3CeNr9vS7BVPoZ1WrjHVV
+B960XIv3gdUKoQdGJmSKre1zY+lzDuPzqJmEJFIXmQkUEl4V1bd+jLJwRrVpX6aW
+frwkUENOo9Fk43lhNXlZZnqoVFBsylL4FmHJCyW8bDZ5hqnkp+0sELzvSuePePhb
+CGXyIf3OX4CFDbbSAvK4xdiYjaYNwvAAQFxLskw6Onjpn6TAV+ZSgRD4wyhsNG08
+yDbwvhkcblEqeBX8ftLqbILAn7oHSs47xdGrTlobKDVEh/kKP1EmpY+4TGPbUM+g
+A9JfWGfQg49DALMRKR2cMZpvf6ugan3ZKUvNP7OJ8zMbsYQqsK0fxlDU6fEpbNCJ
+SQOxhflHpuoCoyq1lMcCFI75lVkF+AjEEcQMwfIl8ZtpfvFIJCg1gGE5FWGAIwyq
+CaKl6dYk5qVNOw0d/6j+6ZRj9Fv9OF4h3VkGWtddWeWeQBOEwmksIjRglHcmcsgu
+Ig9cp76XkNk0+lAgX5uxvznhTv8xaGk2TVNz5zL6lLwaQ2ug+yVgNTKQatZbOIN6
+Kax0gADoRnR8aLYVhqMReG+tHSntOBHA98Um3vluk/5XnzKG/PtOXxmJrXMNN3gY
+HLRJQ3J5cHQgS2VlcGVyIChwYXNzd29yZCBpcyBzdXBlcm1hZHNlY3JldHN0cmlu
+ZykgPGNyeXB0a2VlcGVyQGV4YW1wbGUub3JnPokBOAQTAQIAIgUCUqCM9AIbAwYL
+CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQKbNvUJ79yP6SQQf+JBuFmA5SAMqf
+97N7RizL16LgDfKCbA1kJ2mDwoCmyLlCCaMjG+dK+YuEV8gD4GfFRri6T3B03NQL
+BNkMipr/palY0cG9Ni0Sy7jt8CXSa1eOuya1gX3FQcI+iwdNv27Pf8dV22WnDIsE
+XY3VFtlsusOnMUivFicKE2RXlrtYy9voRLda9O7ihMLYUnRXyjEqtuMO+1YQKSRt
+9AkL5PrajZb/nW/DMtK5oCIMrk2q8fQ/wQ1J14Civ3pXzL5W7ZaD0MLJtbH7Uygj
+KIzN3T7DpiyPGM+bN7tqhbnLO4+TAvGOKBFM2/QRFykBGfgyDZOP4SkVz7tnGRkC
+XTHcW940Y50DvgRSoIz0AQgA1E4Yb171r0aTgWzEGq7gW0gkno8B13rR4Noy6gI0
+diiTwV/qBslwUfQNpc6oyV1ytb0J7M6wjlz0hBaAaYiqJLqnyMRqV7N6fWkhyVRm
+ZcCIN70wPBrOuMlPdKw/+pLo9BnmimH+wuHnAl/WQArr1G6zF4/KGxKiF4SFnobj
+UwNdpIo2/MqJJQE98/n6Ozrwqdaos1BA5OPwuxnHgHJe3Xy7U21SQBXR+hn8ankM
+plPcnXNmicHhqd+bXq2CPQdp4rPyLM2/nxHyKi/WEgGFP1m/x2GM4ZSnTn4Q2ODI
+tQ3FYt0309v1+I8iAtAqvRxuNgvmh6KggX30WfZ9mcgKqQARAQAB/gMDAvYZa78J
+11MaYC+sc4/3fD8opvxxjC2vjD9+Nu49evHI53SaxwcusNSkW7Wafxx4MTUKfwxb
+Q760zksn2DGyyKeih4SARNRGuOzfHSSQilyPf0nRQLTcWh9OLrXerV9i5kQjH4Y+
+FMYdaM+F2p9X27UDPKRTrs7e+ofTSdn2c4B+KcKoXwK7dB33A+54B6Tg3i/Scc4z
+F4jn6HorL2GOSRzo2keBfVFDL+foUi00g6N8/esa0w8JHrea7e6gMJzEQfAQCGOT
+g8O8/1X4OuucITtDNJ4MpiZx+h48bFC3k59u88Esg74CI2sdETiQax5+N4xyVbgK
+bvFYBmMTik/ofvG2CM+8pmov3g03Oh2AjkyAjKj3Lw3dgVTx/0DeO8pYGqgTEjCC
+fHRlIcavJsavlDHQEBn2+83qmVrAynBvBr7HB8+u3KaFwTfavQzrKnRpPEDi6j06
+CgIGUvas3kL8dksJvY229zXutLUMpXVZrcuLnur/psSmUBrFbEesVqiM/WjmyeBL
+pWt05joHKbPx6sm7xvOwn0Wlh9YoMIRCIGZrtKbCBWVxFLVZWHKOaLQAwN3U3ExZ
+XpLMo2Exg8tSC6QsYZf17VQzf9wJi1d5WJgrYgaJY4sFfts5SMCXzjPMCetfmD0s
+omC4txVzMtyOkzJ/O7IkxRHF6iMY63rb68wyRcy2U2TlOrciT4yqtEcuACvEWnJ3
+fm6QVLvxL9J0s9FxzXlP38ZKsv5GKl0gzcHM4zGF6HUs/b82n3/x8ae8Cm91DTWP
+j/s28Sg94M1tICoy971hXt+rMOWYg0e2Ldz48LCSEyGmSheHHQYaJ3tLFCL2+DM0
+qJU5eTa82ylc2CYO6e+GoyxJzqWq9sDcAqRPjMsHyQFHOF6DJ29vDJV0976nQZ+i
+W2qVfTyjvWmJAR8EGAECAAkFAlKgjPQCGwwACgkQKbNvUJ79yP6PHwf/Tpu1d6NY
+MPYHtj8tbSlIMW1noZzxeuV9GIEK7z3d2xBnHK9rPvCBbGbpCqpK2CB/vrTdJVpP
+oAaYck5+nnDKqILMZCmJDBeOkpC+a5+pjcPPOKwTzL/6BeZlm58ABI2Z2bd517Kj
+5D3VaW9TRE/guA58CBDkWcfGQSmVhufi1Scu1zY7lwDVNeznTEB5EVYMaBCGwyyu
+wLgejRZCAt6fvra60gh3OahwpmQflEPwJ0IqqKAWwKhkUefo540IWtE3EShMKur+
+okcexIpwXNAqa7XFrZrSsjg67SjBwrK/0BxUaVDpFimALOwieBpxxpsFfl7GN+wT
+ziVkBajJpIr1ZA==
+=2NOT
+-----END PGP PRIVATE KEY BLOCK-----

data/spec/fixtures/public.asc

@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+mQENBFKgjPQBCADxhlfBJIauF69IyfHaSYAKDELoLRLoKCqu9GGbm/d5HV4h0Qeb
+TQLb3uQ+AEL9hPf5MLc2dj3T30jbUD9wnU+mak2cVilzbYw6Okuh8MP6KyTgkQos
+/8pTDZsogirB0E6vx+UGen9Eo6DLljU6oCao8wvVe1AnXBUqLxX4gEOXgtXpf72g
+dPY26NV66htB0l+wkIzbovg0+GF32lu0/M5+iU7QoVa0C/2FdKigASutzBtKTyKL
+NYGnI+xYgXFWO+GiuQT0St2VmROPvU6di9k1NoaMh+5wK//fqXgf27+qMU5nmgnO
+f/vK3gp72NThdobiK1QqDbNJdADzUFb+7molABEBAAG0SUNyeXB0IEtlZXBlciAo
+cGFzc3dvcmQgaXMgc3VwZXJtYWRzZWNyZXRzdHJpbmcpIDxjcnlwdGtlZXBlckBl
+eGFtcGxlLm9yZz6JATgEEwECACIFAlKgjPQCGwMGCwkIBwMCBhUIAgkKCwQWAgMB
+Ah4BAheAAAoJECmzb1Ce/cj+kkEH/iQbhZgOUgDKn/eze0Ysy9ei4A3ygmwNZCdp
+g8KApsi5QgmjIxvnSvmLhFfIA+BnxUa4uk9wdNzUCwTZDIqa/6WpWNHBvTYtEsu4
+7fAl0mtXjrsmtYF9xUHCPosHTb9uz3/HVdtlpwyLBF2N1RbZbLrDpzFIrxYnChNk
+V5a7WMvb6ES3WvTu4oTC2FJ0V8oxKrbjDvtWECkkbfQJC+T62o2W/51vwzLSuaAi
+DK5NqvH0P8ENSdeAor96V8y+Vu2Wg9DCybWx+1MoIyiMzd0+w6YsjxjPmze7aoW5
+yzuPkwLxjigRTNv0ERcpARn4Mg2Tj+EpFc+7ZxkZAl0x3FveNGO5AQ0EUqCM9AEI
+ANROGG9e9a9Gk4FsxBqu4FtIJJ6PAdd60eDaMuoCNHYok8Ff6gbJcFH0DaXOqMld
+crW9CezOsI5c9IQWgGmIqiS6p8jEalezen1pIclUZmXAiDe9MDwazrjJT3SsP/qS
+6PQZ5oph/sLh5wJf1kAK69RusxePyhsSoheEhZ6G41MDXaSKNvzKiSUBPfP5+js6
+8KnWqLNQQOTj8LsZx4ByXt18u1NtUkAV0foZ/Gp5DKZT3J1zZonB4anfm16tgj0H
+aeKz8izNv58R8iov1hIBhT9Zv8dhjOGUp05+ENjgyLUNxWLdN9Pb9fiPIgLQKr0c
+bjYL5oeioIF99Fn2fZnICqkAEQEAAYkBHwQYAQIACQUCUqCM9AIbDAAKCRAps29Q
+nv3I/o8fB/9Om7V3o1gw9ge2Py1tKUgxbWehnPF65X0YgQrvPd3bEGccr2s+8IFs
+ZukKqkrYIH++tN0lWk+gBphyTn6ecMqogsxkKYkMF46SkL5rn6mNw884rBPMv/oF
+5mWbnwAEjZnZt3nXsqPkPdVpb1NET+C4DnwIEORZx8ZBKZWG5+LVJy7XNjuXANU1
+7OdMQHkRVgxoEIbDLK7AuB6NFkIC3p++trrSCHc5qHCmZB+UQ/AnQiqooBbAqGRR
+5+jnjQha0TcRKEwq6v6iRx7EinBc0CprtcWtmtKyODrtKMHCsr/QHFRpUOkWKYAs
+7CJ4GnHGmwV+XsY37BPOJWQFqMmkivVk
+=U2r8
+-----END PGP PUBLIC KEY BLOCK-----

data/spec/log_subscriber/postgres_pgp_spec.rb

@@ -4,27 +4,95 @@ module CryptKeeper::LogSubscriber
   describe PostgresPgp do
     use_postgres
 
-    # Fire the ActiveSupport.on_load
-    before do
-      CryptKeeper::Provider::PostgresPgp.new key: 'secret'
-    end
+    context "Symmetric encryption" do
+      # Fire the ActiveSupport.on_load
+      before do
+        CryptKeeper::Provider::PostgresPgp.new key: 'secret'
+      end
 
-    subject { ::ActiveRecord::LogSubscriber.new }
+      subject { ::ActiveRecord::LogSubscriber.new }
 
-    let(:input_query) do
-      "SELECT pgp_sym_encrypt('encrypt_value', 'encrypt_key'), pgp_sym_decrypt('decrypt_value', 'decrypt_key') FROM DUAL;"
-    end
+      let(:input_query) do
+        "SELECT pgp_sym_encrypt('encrypt_value', 'encrypt_key'), pgp_sym_decrypt('decrypt_value', 'decrypt_key') FROM DUAL;"
+      end
+
+      let(:output_query) do
+        "SELECT encrypt([FILTERED]) FROM DUAL;"
+      end
+
+      let(:input_search_query) do
+        "SELECT \"sensitive_data\".* FROM \"sensitive_data\" WHERE ((pgp_sym_decrypt('f'), 'tool') = 'blah')) AND secret = 'testing'"
+      end
+
+      let(:output_search_query) do
+        "SELECT \"sensitive_data\".* FROM \"sensitive_data\" WHERE decrypt([FILTERED]) AND secret = 'testing'"
+      end
+
+      it "filters pgp functions" do
+        subject.should_receive(:sql_without_postgres_pgp) do |event|
+          event.payload[:sql].should == output_query
+        end
+
+        subject.sql(ActiveSupport::Notifications::Event.new(:sql, 1, 1, 1, { sql: input_query }))
+      end
+
+      it "filters pgp functions in lowercase" do
+        subject.should_receive(:sql_without_postgres_pgp) do |event|
+          event.payload[:sql].should == output_query.downcase.gsub(/filtered/, 'FILTERED')
+        end
+
+        subject.sql(ActiveSupport::Notifications::Event.new(:sql, 1, 1, 1, { sql: input_query.downcase }))
+      end
 
-    let(:output_query) do
-      "SELECT pgp_sym_encrypt([FILTERED]), pgp_sym_decrypt([FILTERED]) FROM DUAL;"
+      it "filters pgp functions when searching" do
+        subject.should_receive(:sql_without_postgres_pgp) do |event|
+          event.payload[:sql].should == output_search_query
+        end
+
+        subject.sql(ActiveSupport::Notifications::Event.new(:sql, 1, 1, 1, { sql: input_search_query }))
+      end
     end
 
-    it "filters pgp functions" do
-      subject.should_receive(:sql_without_postgres_pgp) do |event|
-        event.payload[:sql].should == output_query
+    context "Public key encryption" do
+      let(:public_key) do
+        IO.read(File.join(SPEC_ROOT, 'fixtures', 'public.asc'))
+      end
+
+      let(:private_key) do
+        IO.read(File.join(SPEC_ROOT, 'fixtures', 'private.asc'))
+      end
+
+      # Fire the ActiveSupport.on_load
+      before do
+        CryptKeeper::Provider::PostgresPgpPublicKey.new key: 'secret', public_key: public_key, private_key: private_key
+      end
+
+      subject { ::ActiveRecord::LogSubscriber.new }
+
+      let(:input_query) do
+        "SELECT pgp_pub_encrypt('test', dearmor('#{public_key}
+        '))"
+      end
+
+      let(:output_query) do
+        "SELECT encrypt([FILTERED])"
+      end
+
+      it "filters pgp functions" do
+        subject.should_receive(:sql_without_postgres_pgp) do |event|
+          event.payload[:sql].should == output_query
+        end
+
+        subject.sql(ActiveSupport::Notifications::Event.new(:sql, 1, 1, 1, { sql: input_query }))
       end
 
-      subject.sql(ActiveSupport::Notifications::Event.new(:sql, 1, 1, 1, { sql: input_query }))
+      it "filters pgp functions in lowercase" do
+        subject.should_receive(:sql_without_postgres_pgp) do |event|
+          event.payload[:sql].should == output_query.downcase.gsub(/filtered/, 'FILTERED')
+        end
+
+        subject.sql(ActiveSupport::Notifications::Event.new(:sql, 1, 1, 1, { sql: input_query.downcase }))
+      end
     end
   end
 end

data/spec/provider/aes_new_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+module CryptKeeper
+  module Provider
+    describe AesNew do
+      subject { AesNew.new(key: 'cake', salt: 'salt') }
+
+      describe "#initialize" do
+        let(:digested_key) do
+          ::Armor.digest('cake', 'salt')
+        end
+
+        its(:key) { should == digested_key }
+        specify { expect { AesNew.new }.to raise_error(ArgumentError, "Missing :key") }
+      end
+
+      describe "#encrypt" do
+        let(:encrypted) do
+          subject.encrypt 'string'
+        end
+
+        specify { encrypted.should_not == 'string' }
+        specify { encrypted.should_not be_blank }
+      end
+
+      describe "#decrypt" do
+        let(:decrypted) do
+          subject.decrypt "V02ebRU2wLk25AizasROVg==$kE+IpRaUNdBfYqR+WjMqvA=="
+        end
+
+        specify { decrypted.should == 'string' }
+      end
+
+      describe "#search" do
+        let(:records) do
+          [{ name: 'Bob' }, { name: 'Tim' }]
+        end
+
+        it "finds the matching record" do
+          expect(subject.search(records, :name, 'Bob')).to eql([records.first])
+        end
+      end
+    end
+  end
+end

data/spec/provider/aes_spec.rb

@@ -21,6 +21,22 @@ module CryptKeeper
 
         specify { encrypted.should_not == 'string' }
         specify { encrypted.should_not be_blank }
+
+        context "an empty string" do
+          let(:encrypted) do
+            subject.encrypt ''
+          end
+
+          specify { encrypted.should == '' }
+        end
+
+        context "a nil" do
+          let(:encrypted) do
+            subject.encrypt nil
+          end
+
+          specify { encrypted.should be_nil }
+        end
       end
 
       describe "#decrypt" do
@@ -29,17 +45,23 @@ module CryptKeeper
         end
 
         specify { decrypted.should == 'string' }
-      end
 
-      describe "#search" do
-        let(:records) do
-          [{ name: 'Bob' }, { name: 'Tim' }]
+        context "an empty string" do
+          let(:decrypted) do
+            subject.decrypt ''
+          end
+
+          specify { decrypted.should == '' }
         end
 
-        it "finds the matching record" do
-          expect(subject.search(records, :name, 'Bob')).to eql([records.first])
+        context "a nil" do
+          let(:decrypted) do
+            subject.decrypt nil
+          end
+
+          specify { decrypted.should be_nil }
         end
       end
     end
   end
-end
+end

data/spec/provider/mysql_aes_new_spec.rb

@@ -0,0 +1,52 @@
+require 'spec_helper'
+
+module CryptKeeper
+  module Provider
+    describe MysqlAesNew do
+      use_mysql
+
+      let(:plain_text) { 'test' }
+
+      # MySQL stores AES encrypted strings in binary which you can't paste
+      # into a spec :). This is a Base64 encoded string of 'test' AES encrypted
+      # by AES_ENCRYPT()
+      let(:cipher_text) do
+        "fBN8i7bx/DGAA4NJ4EWi0A=="
+      end
+
+      subject { MysqlAesNew.new key: ENCRYPTION_PASSWORD, salt: 'salt' }
+
+      its(:key) { should == "825e8c5e8ca394818b307b22b8cb7d3df2735e9c1e5838b476e7719135a4f499f2133022c1a0e8597c9ac1507b0f0c44328a40049f9704fab3598c5dec120724" }
+
+      describe "#initialize" do
+        specify { expect { MysqlAesNew.new }.to raise_error(ArgumentError, "Missing :key") }
+        specify { expect { MysqlAesNew.new(key: 'blah') }.to raise_error(ArgumentError, "Missing :salt") }
+      end
+
+      describe "#encrypt" do
+        specify { subject.encrypt(plain_text).should_not == plain_text }
+        specify { subject.encrypt(plain_text).should_not be_blank }
+      end
+
+      describe "#decrypt" do
+        specify { subject.decrypt(cipher_text).should == plain_text }
+      end
+
+      describe "#search" do
+        it "finds the matching record" do
+          SensitiveDataMysql.create!(storage: 'blah2')
+          match = SensitiveDataMysql.create!(storage: 'blah')
+          SensitiveDataMysql.search_by_plaintext(:storage, 'blah').first.should == match
+        end
+
+        it "keeps the scope" do
+          SensitiveDataMysql.create!(storage: 'blah')
+          SensitiveDataMysql.create!(storage: 'blah')
+
+          scope = SensitiveDataMysql.limit(1)
+          expect(scope.search_by_plaintext(:storage, 'blah').count).to eql(1)
+        end
+      end
+    end
+  end
+end

data/spec/provider/mysql_aes_spec.rb

@@ -30,22 +30,6 @@ module CryptKeeper
       describe "#decrypt" do
         specify { subject.decrypt(cipher_text).should == plain_text }
       end
-
-      describe "#search" do
-        it "finds the matching record" do
-          SensitiveDataMysql.create!(storage: 'blah2')
-          match = SensitiveDataMysql.create!(storage: 'blah')
-          SensitiveDataMysql.search_by_plaintext(:storage, 'blah').first.should == match
-        end
-
-        it "keeps the scope" do
-          SensitiveDataMysql.create!(storage: 'blah')
-          SensitiveDataMysql.create!(storage: 'blah')
-
-          scope = SensitiveDataMysql.limit(1)
-          expect(scope.search_by_plaintext(:storage, 'blah').count).to eql(1)
-        end
-      end
     end
   end
 end

data/spec/provider/postgres_pgp_public_key_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+
+module CryptKeeper
+  module Provider
+    describe PostgresPgpPublicKey do
+      use_postgres
+
+      let(:cipher_text) { '\xc1c04c036c401ad086beb9e3010800987d6c4ccd974322190caa75a3a01aba37bc1970182c4c1d3faec98edf186780520f0586101f286e0626096a1eca91a229ed4d4058a6913a8d13cdf49f29ea44e2b96d10347f9b1b860bb3c959f000a3b1b415a95d2cd07af8c74aa6df8cd10ab06b6a6f7db69cdf3185466d68c5b66b95b813acdfb3ddfb021cac92e0967d67e90df73332f27970c1d2b9a56ac74f602d4107b163ed73ef89fca560d9a0a0d2bc7a74005f29fa27babfbaf950ac07b1c809049db4ab126be4824cf76416c278571f7064f638edf830a1ae5ee1ab544d35fce0f974f21b9dcbbea3986077d27b0de34144dc23f369f471090b57e067a056901e680493ddf2a6b29e4af3462387d235010259556079d07daa249b6703e2bc79345da556cfb46f228cad40a8a5b569ac46f08865f9176acf89129a3e0ceb2a7b1991012f65' }
+
+      let(:integer_cipher_text) { '\xc1c04c036c401ad086beb9e30107ff59e674ba05958eb053c2427b44355e0f333f1726e18a0b851130130510c648f580b13b3f6a223eb26e397008596867c5a511a4f5bfbf2ecc852d8929814480d63166e525fa2b259b6a8d4474b5b1373b4e1a4fe70a491d25442e1c0046fd3d69466ad30153c8d8d920e9b4260d4e4e421ef3ead162b3aba5d85408c4ef9f9d342b5655c7568d1bdc61c27ddb419133bf091f22f42e7bc91ec6d279b7b25b87ea65119568b85ae81079dd0a6a7258b58fb219c6cc4580f33cb46de97770a1eb0880bdf87426fd0529576a1e791e521d9b3c426e393e63d83321f319b00f9dc4027ea5a81dd57c0f5ba868fb86d73179c34f2287c437266e8becc072b45a929562d2320194be54464e03854635d0f7d7fb10813adbc6efe51efa9095a9bacc2a03fb5c41d1c1896384e4f36b100c0f00e81d4cff7d' }
+
+      let(:integer_plain_text) { 1 }
+      let(:plain_text)  { 'test' }
+
+      let(:public_key) do
+        IO.read(File.join(SPEC_ROOT, 'fixtures', 'public.asc'))
+      end
+
+      let(:private_key) do
+        IO.read(File.join(SPEC_ROOT, 'fixtures', 'private.asc'))
+      end
+
+      subject { PostgresPgpPublicKey.new key: ENCRYPTION_PASSWORD, public_key: public_key, private_key: private_key }
+
+
+      its(:key) { should == ENCRYPTION_PASSWORD }
+
+      describe "#initialize" do
+        specify { expect { PostgresPgpPublicKey.new }.to raise_error(ArgumentError, "Missing :key") }
+      end
+
+      describe "#encrypt" do
+        context "Strings" do
+          specify { subject.encrypt(plain_text).should_not == plain_text }
+          specify { subject.encrypt(plain_text).should_not be_empty }
+
+          it "does not double encrypt" do
+            pgp = PostgresPgpPublicKey.new key: ENCRYPTION_PASSWORD, public_key: public_key
+            pgp.encrypt(cipher_text).should == cipher_text
+          end
+        end
+
+        context "Integers" do
+          specify { subject.encrypt(integer_plain_text).should_not == integer_plain_text }
+          specify { subject.encrypt(integer_plain_text).should_not be_empty }
+        end
+      end
+
+      describe "#decrypt" do
+        specify { subject.decrypt(cipher_text).should == plain_text }
+        specify { subject.decrypt(integer_cipher_text).should == integer_plain_text.to_s }
+
+        it "does not decrypt w/o private key" do
+          pgp = PostgresPgpPublicKey.new key: ENCRYPTION_PASSWORD, public_key: public_key
+          pgp.decrypt(cipher_text).should eql(cipher_text)
+        end
+      end
+
+      describe "#encrypted?" do
+        it "returns true for encrypted strings" do
+          subject.encrypted?(cipher_text).should be_true
+        end
+
+        it "returns false for non-encrypted strings" do
+          subject.encrypted?(plain_text).should be_false
+        end
+      end
+    end
+  end
+end

data/spec/provider/postgres_pgp_spec.rb

@@ -5,15 +5,16 @@ module CryptKeeper
     describe PostgresPgp do
       use_postgres
 
-      let(:cipher_text) { '\\xc30d0407030283b15f71b6a7d0296cd23501bd2c8fe3c7a56005ff4619527c4291509a78c77a6758cddd2a14acbde589fa10b3e0686865182d3beadaf237b9f928e7ba1810b8' }
+      let(:cipher_text) { '\xc30d04070302f1a092093988b26873d235017203ce086a53fce1925dc39b4e972e534f192d10b94af3dcf8589abc1f828456f5d3e20b225d56006ffd1e312e3b8a492a6010e9' }
       let(:plain_text)  { 'test' }
 
-      let(:integer_cipher_text) { '\xc30d040703028c65c58c0e9d015360d2320125112fc38f094e57cce1c0313f3eea4a7fc3e95c048bc319e25003ab6f29ceabe3609089d12094508c1eb79a2d70f95233' }
+      let(:integer_cipher_text) { '\xc30d04070302c8d266353bcf2fc07dd23201153f9d9c32fbb3c36b9b0db137bf8b6c609172210d89ded63f11dff23d1ddbf5111c0266549dde26175c4425e06bb4bd6f' }
+
       let(:integer_plain_text) { 1 }
 
-      subject { PostgresPgp.new key: 'candy' }
+      subject { PostgresPgp.new key: ENCRYPTION_PASSWORD }
 
-      its(:key) { should == 'candy' }
+      its(:key) { should == ENCRYPTION_PASSWORD }
 
       describe "#initialize" do
         specify { expect { PostgresPgp.new }.to raise_error(ArgumentError, "Missing :key") }
@@ -33,6 +34,7 @@ module CryptKeeper
 
       describe "#decrypt" do
         specify { subject.decrypt(cipher_text).should == plain_text }
+        specify { subject.decrypt(integer_cipher_text).should == integer_plain_text.to_s }
       end
 
       describe "#search" do

data/spec/spec_helper.rb

@@ -1,8 +1,13 @@
+ENV['ARMOR_ITER'] ||= "10"
+ENV['CRYPT_KEEPER_IGNORE_LEGACY_DEPRECATION'] = "true"
 require 'coveralls'
 Coveralls.wear!
 require 'crypt_keeper'
 
-SPEC_ROOT = Pathname.new File.expand_path File.dirname __FILE__
+SPEC_ROOT           = Pathname.new File.expand_path File.dirname __FILE__
+AR_LOG              = SPEC_ROOT.join('debug.log').to_s
+ENCRYPTION_PASSWORD = "supermadsecretstring"
+
 Dir[SPEC_ROOT.join('support/*.rb')].each{|f| require f }
 
 RSpec.configure do |config|
@@ -15,4 +20,14 @@ RSpec.configure do |config|
       model.method(:delete_all).call
     end
   end
+
+  config.after :suite do
+    if File.exist?(AR_LOG) && ENV['TRAVIS'].present?
+      `grep \"#{ENCRYPTION_PASSWORD}\" #{AR_LOG}`
+
+      if $?.exitstatus == 0
+        raise StandardError, "\n\nERROR: The encryption password was found in the logs\n\n"
+      end
+    end
+  end
 end

data/spec/support/active_record.rb

@@ -1,13 +1,14 @@
 require 'active_record'
 require 'logger'
 
-::ActiveRecord::Base.logger = Logger.new SPEC_ROOT.join('debug.log').to_s
+::ActiveRecord::Base.logger = Logger.new(AR_LOG)
 ::ActiveRecord::Migration.verbose = false
 
 module CryptKeeper
   class SensitiveDataMysql < ActiveRecord::Base
     self.table_name = 'sensitive_data'
-    crypt_keeper :storage, key: 'tool', encryptor: :mysql_aes
+    crypt_keeper :storage, encryptor: :mysql_aes_new, key: ENCRYPTION_PASSWORD,
+      salt: 'salt'
   end
 
   class SensitiveDataPg < ActiveRecord::Base