encryptor 1.3.0 → 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: dc166257be860dc17bd32f793762a69aa8d0bb17
+  data.tar.gz: 0229093567b3307695cb5cf2bdd12de1005cc32d
+SHA512:
+  metadata.gz: 48dea5301f97036ce8198865090fb7ae13e8385ec1376332043a06ec25d9ae17dfb49d629fc962a193faa763f3cf9624252609b59149a3fba4fe6ead7230b7f1
+  data.tar.gz: 554b9fd4f471a8ef2131b0bce5c2fa843f0abe277f54bbe1a9d6c28e156aa56d0d23077be08c8f003a2d396f9c14347419bc41fc7026d6c2d9a46d8408977058

data.tar.gz.sig

@@ -0,0 +1 @@
+��A�\D|��<�2bU��P

K���Ot#g'n7����˜�
��$Qu��zʎ%���W&�9ƶ�Ե�ϝv�0�m�0�HL(��PW�~sC�6e@

data/.gitignore

@@ -0,0 +1,5 @@
+pkg
+rdoc
+.bundle
+coverage
+Gemfile.lock

data/.travis.yml

@@ -0,0 +1,19 @@
+sudo: false
+language: ruby
+cache: bundler
+matrix:
+  fast_finish: true
+  include:
+  - rvm: 2.0.0
+  - rvm: 2.1
+  - rvm: 2.2
+  - rvm: 2.3.0
+  - rvm: jruby
+  - rvm: rbx
+  allow_failures:
+    - rvm: jruby
+  exclude:
+    - rvm: 1.9.3
+addons:
+  code_climate:
+    repo_token: 5dcb75d5b6c58e2a5f6dc850eb2c1d4e0dbf262e69981db00b765a66bfc9ef10

data/CHANGELOG.md

@@ -0,0 +1,24 @@
+# Encryptor #
+
+## Unreleased ##
+
+* Added support for MRI 2.1, 2.2, 2.3, and Rubinius. (@saghaulor)
+* Added support for Authenticated Encryption Authentiation Data (AEAD) via aes-###-gcm. (@saghaulor)
+* Changed the defaults to improve security, aes-256-gcm, IV is required. (@saghaulor)
+* Added key and IV minimum length validations. (@saghaulor)
+* Added insecure_mode option to allow for backwards compatibility for users who didn't use unique IV. (@saghaulor)
+* Deprecated using Encryptor without an IV.
+* Added hmac_iterations option to allow for adjusting the number of PKCS5 iterations when deriving a unique key. (@saghaulor)
+* Removed support for MRI 1.9.3 and JRuby (until JRuby supports `auth_data=`, https://github.com/jruby/jruby/issues/3376). (@saghaulor)
+* Changed tests to use Minitest. (@saghaulor)
+* Changed syntax to use Ruby 1.9+ hash syntax. (@saghaulor)
+* Salt may be deprecated in a future release, it remains for backwards compatibility. It's better security to have a unique key per record, however, the cost of PKCS5 is too high to force on to users by default. If users want a unique key per record they can implement it in their own way.
+
+## 1.3.0 ##
+
+* Added support for unique key (via salt) and IV. (@danpal & @rcook)
+
+## 1.2.3 ##
+
+* Added support for passing blocks to `encrypt` and `decrypt`. (@shuber)
+* Changed raising an exception if key is missing or empty. (@shuber)

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/README.md

@@ -1,8 +1,8 @@
-## Encryptor  [![Build Status](https://travis-ci.org/attr-encrypted/encryptor.png?branch=master)](https://travis-ci.org/attr-encrypted/encryptor)
+# Encryptor
 
-A simple wrapper for the standard Ruby OpenSSL library
+[![Build Status](https://secure.travis-ci.org/attr-encrypted/encryptor.svg)](https://travis-ci.org/attr-encrypted/encryptor) [![Code Climate](https://codeclimate.com/github/attr-encrypted/encryptor/badges/gpa.svg)](https://codeclimate.com/github/attr-encrypted/encryptor) [![Coverage](https://codeclimate.com/github/attr-encrypted/encryptor/badges/coverage.svg)](https://codeclimate.com/github/attr-encrypted/encryptor) [![Gem Version](https://badge.fury.io/rb/encryptor.svg)](http://badge.fury.io/rb/encryptor) [![security](https://hakiri.io/github/attr-encrypted/encryptor/master.svg)](https://hakiri.io/github/attr-encrypted/encryptor/master)
 
-Intended to be used by a future version of `http://github.com/shuber/attr_encrypted` to easily encrypt/decrypt attributes in any Ruby class or model.
+A simple wrapper for the standard Ruby OpenSSL library
 
 ### Installation
 
@@ -14,104 +14,199 @@ gem install encryptor
 
 #### Basic
 
-Encryptor uses the AES-256-CBC algorithm by default to encrypt strings securely. You are strongly advised to use both an initialization vector (via the `:iv` option) and a salt (via the `:salt` option) to perform this encryption as securely as possible. Specifying only an `:iv` option without `:salt` is not recommended but is supported as part of a "compatibility mode" to support clients built using older versions of this gem.
+Encryptor uses the AES-256-GCM algorithm by default to encrypt strings securely.
 
 The best example is:
 
 ```ruby
-salt = Time.now.to_i.to_s
-secret_key = 'secret'
-iv = OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
-encrypted_value = Encryptor.encrypt('some string to encrypt', :key => secret_key, :iv => iv, :salt => salt)
-decrypted_value = Encryptor.decrypt(encrypted_value, :key => secret_key, :iv => iv, :salt => salt)
+cipher = OpenSSL::Cipher.new('aes-256-gcm')
+cipher.encrypt # Required before '#random_key' or '#random_iv' can be called. http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-encrypt
+secret_key = cipher.random_key # Insures that the key is the correct length respective to the algorithm used.
+iv = cipher.random_iv # Insures that the IV is the correct length respective to the algorithm used.
+salt = SecureRandom.random_bytes(16)
+encrypted_value = Encryptor.encrypt(value: 'some string to encrypt', key: secret_key, iv: iv, salt: salt)
+decrypted_value = Encryptor.decrypt(value: encrypted_value, key: secret_key, iv: iv, salt: salt)
 ```
 
-The value to encrypt or decrypt may also be passed as the :value option if you'd prefer.
+A slightly easier example is:
+
+```ruby
+require 'securerandom'
+secret_key = SecureRandom.random_bytes(32) # The length in bytes must be equal to or greater than the algorithm bit length.
+iv = SecureRandom.random_bytes(12) # Recomended length for AES-###-GCM algorithm. https://tools.ietf.org/html/rfc5084#section-3.2
+encrypted_value = Encryptor.encrypt(value: 'some string to encrypt', key: secret_key, iv: iv)
+decrypted_value = Encryptor.decrypt(value: encrypted_value, key: secret_key, iv: iv)
+```
+
+**NOTE: It is imperative that you use a unique IV per each string and encryption key combo; a nonce as the IV.**
+See [RFC 5084](https://tools.ietf.org/html/rfc5084#section-1.5) for more details.
+
+The value to encrypt or decrypt may also be passed as the first option if you'd prefer.
 
 ```ruby
-encrypted_value = Encryptor.encrypt(:value => 'some string to encrypt', :key => secret_key, :iv => iv, :salt => salt)
-decrypted_value = Encryptor.decrypt(:value => encrypted_value, :key => secret_key, :iv => iv, :salt => salt)
+encrypted_value = Encryptor.encrypt('some string to encrypt', key: secret_key, iv: iv)
+decrypted_value = Encryptor.decrypt(encrypted_value, key: secret_key, iv: iv)
 ```
 
-**You may also skip the salt and the IV if you like. Do so at your own risk!**
+#### Options
+
+**Defaults:**
 
 ```ruby
-encrypted_value = Encryptor.encrypt(:value => 'some string to encrypt', :key => 'secret')
-decrypted_value = Encryptor.decrypt(:value => encrypted_value, :key => 'secret')
+    { algorithm: 'aes-256-gcm',
+      auth_data: '',
+      insecure_mode: false,
+      hmac_iterations: 2000 }
 ```
 
-You may also pass an `:algorithm` option, though this is not required.
+Older versions of Encryptor allowed you to use it in a less secure way. Namely, you were allowed to run Encryptor without an IV, or with a key of insufficient length. Encryptor now requires a key and IV of the correct length respective to the algorithm that you use. However, to maintain backwards compatibility you can run Encryptor with the `:insecure_mode` option.
+
+You may also pass an `:algorithm`,`:salt`, and `hmac_iterations` option, however none of these options are required. If you pass the `:salt` option, a new unique key will be derived from the key that you passed in using PKCS5 with a default of 2000 iterations. You can change the number of PKCS5 iterations with the `hmac_iterations` option. As PKCS5 is slow, it is optional behavior, but it does provide more security to use a unique IV and key for every encryption operation.
 
 ```ruby
-Encryptor.default_options.merge!(:algorithm => 'aes-128-cbc', :key => 'some default secret key', :iv => iv, :salt => salt)
+Encryptor.default_options.merge!(algorithm: 'aes-256-cbc', key: 'some default secret key', iv: iv, salt: salt)
 ```
 
 #### Strings
 
-Encryptor adds `encrypt` and `decrypt` methods to `String` objects for your convenience. These two methods accept the same arguments as the associated ones in the `Encryptor` module. They're nice when you set the default options in the `Encryptor.default_options attribute.` For example:
+Older versions of Encryptor added `encrypt` and `decrypt` methods to `String` objects for your convenience. However, this behavior has been removed to avoid polluting Ruby's core `String` class. The `Encryptor::String` module remains within this gem to allow users of this feature to implement it themselves. These `encrypt` and `decrypt` methods accept the same arguments as the associated ones in the `Encryptor` module. They're nice when you set the default options in the `Encryptor.default_options attribute.` For example:
 
 ```ruby
-Encryptor.default_options.merge!(:key => 'some default secret key', :iv => iv, :salt => salt)
+require 'encryptor/string'
+String.include Encryptor::String
+Encryptor.default_options.merge!(key: 'some default secret key', iv: iv)
 credit_card = 'xxxx xxxx xxxx 1234'
 encrypted_credit_card = credit_card.encrypt
 ```
 
 There's also `encrypt!` and `decrypt!` methods that replace the contents of a string with the encrypted or decrypted version of itself.
 
-### Algorithms
-
-Run `openssl list-cipher-commands` in your terminal to view a list of all cipher algorithms that are supported on your platform. Typically, this will include the following:
-
-    aes-128-cbc
-    aes-128-ecb
-    aes-192-cbc
-    aes-192-ecb
-    aes-256-cbc
-    aes-256-ecb
-    bf
-    bf-cbc
-    bf-cfb
-    bf-ecb
-    bf-ofb
-    cast
-    cast-cbc
-    cast5-cbc
-    cast5-cfb
-    cast5-ecb
-    cast5-ofb
-    des
-    des-cbc
-    des-cfb
-    des-ecb
-    des-ede
-    des-ede-cbc
-    des-ede-cfb
-    des-ede-ofb
-    des-ede3
-    des-ede3-cbc
-    des-ede3-cfb
-    des-ede3-ofb
-    des-ofb
-    des3
-    desx
-    idea
-    idea-cbc
-    idea-cfb
-    idea-ecb
-    idea-ofb
-    rc2
-    rc2-40-cbc
-    rc2-64-cbc
-    rc2-cbc
-    rc2-cfb
-    rc2-ecb
-    rc2-ofb
-    rc4
-    rc4-40
-
-Note that some ciphers may not be supported by Ruby.
-
-### Notes on patches/pull requests
+#### Algorithms
+
+To view a list of all cipher algorithms that are supported on your platform, run the following code in your favorite Ruby REPL:
+
+```ruby
+require 'openssl'
+puts OpenSSL::Cipher.ciphers
+```
+
+The supported ciphers will vary depending on the version of OpenSSL that was used to compile your version of Ruby. However, the following ciphers are typically supported:
+
+Cipher Name|Key size in bytes|IV size in bytes
+---|---|---
+aes-128-cbc|16|16
+aes-128-cbc-hmac-sha1|16|16
+aes-128-cbc-hmac-sha256|16|16
+aes-128-ccm|16|12
+aes-128-cfb|16|16
+aes-128-cfb1|16|16
+aes-128-cfb8|16|16
+aes-128-ctr|16|16
+aes-128-ecb|16|0
+aes-128-gcm|16|12
+aes-128-ofb|16|16
+aes-128-xts|32|16
+aes-192-cbc|24|16
+aes-192-ccm|24|12
+aes-192-cfb|24|16
+aes-192-cfb1|24|16
+aes-192-cfb8|24|16
+aes-192-ctr|24|16
+aes-192-ecb|24|0
+aes-192-gcm|24|12
+aes-192-ofb|24|16
+aes-256-cbc|32|16
+aes-256-cbc-hmac-sha1|32|16
+aes-256-cbc-hmac-sha256|32|16
+aes-256-ccm|32|12
+aes-256-cfb|32|16
+aes-256-cfb1|32|16
+aes-256-cfb8|32|16
+aes-256-ctr|32|16
+aes-256-ecb|32|0
+aes-256-gcm|32|12
+aes-256-ofb|32|16
+aes-256-xts|64|16
+aes128|16|16
+aes192|24|16
+aes256|32|16
+bf|16|8
+bf-cbc|16|8
+bf-cfb|16|8
+bf-ecb|16|0
+bf-ofb|16|8
+blowfish|16|8
+camellia-128-cbc|16|16
+camellia-128-cfb|16|16
+camellia-128-cfb1|16|16
+camellia-128-cfb8|16|16
+camellia-128-ecb|16|0
+camellia-128-ofb|16|16
+camellia-192-cbc|24|16
+camellia-192-cfb|24|16
+camellia-192-cfb1|24|16
+camellia-192-cfb8|24|16
+camellia-192-ecb|24|0
+camellia-192-ofb|24|16
+camellia-256-cbc|32|16
+camellia-256-cfb|32|16
+camellia-256-cfb1|32|16
+camellia-256-cfb8|32|16
+camellia-256-ecb|32|0
+camellia-256-ofb|32|16
+camellia128|16|16
+camellia192|24|16
+camellia256|32|16
+cast|16|8
+cast-cbc|16|8
+cast5-cbc|16|8
+cast5-cfb|16|8
+cast5-ecb|16|0
+cast5-ofb|16|8
+des|8|8
+des-cbc|8|8
+des-cfb|8|8
+des-cfb1|8|8
+des-cfb8|8|8
+des-ecb|8|0
+des-ede|16|0
+des-ede-cbc|16|8
+des-ede-cfb|16|8
+des-ede-ofb|16|8
+des-ede3|24|0
+des-ede3-cbc|24|8
+des-ede3-cfb|24|8
+des-ede3-cfb1|24|8
+des-ede3-cfb8|24|8
+des-ede3-ofb|24|8
+des-ofb|8|8
+des3|24|8
+desx|24|8
+desx-cbc|24|8
+idea|16|8
+idea-cbc|16|8
+idea-cfb|16|8
+idea-ecb|16|0
+idea-ofb|16|8
+rc2|16|8
+rc2-40-cbc|5|8
+rc2-64-cbc|8|8
+rc2-cbc|16|8
+rc2-cfb|16|8
+rc2-ecb|16|0
+rc2-ofb|16|8
+rc4|16|0
+rc4-40|5|0
+rc4-hmac-md5|16|0
+seed|16|16
+seed-cbc|16|16
+seed-cfb|16|16
+seed-ecb|16|0
+seed-ofb|16|16
+
+**NOTE: Some ciphers may not be supported by Ruby. Additionally, Ruby compiled with OpenSSL >= v1.0.1 will include AEAD ciphers, ie., aes-256-gcm.**
+
+#### Notes on patches/pull requests
 
 * Fork the project.
 * Make your feature addition or bug fix.

data/Rakefile

@@ -1,6 +1,8 @@
 require 'rake'
 require 'rake/testtask'
-require 'rake/rdoctask'
+require 'rdoc/task'
+require "bundler/gem_tasks"
+
 
 desc 'Test the encryptor gem'
 Rake::TestTask.new(:test) do |t|
@@ -18,16 +20,5 @@ Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-if RUBY_VERSION < '1.9.3'
-  require 'rcov/rcovtask'
-
-  task :rcov do
-    system "rcov -o coverage/rcov --exclude '^(?!lib)' " + FileList[ 'test/**/*_test.rb' ].join(' ')
-  end
-
-  desc 'Default: run unit tests under rcov.'
-  task :default => :rcov
-else
-  desc 'Default: run unit tests.'
-  task :default => :test
-end
+desc 'Default: run unit tests.'
+task default: :test

data/certs/saghaulor.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdDCCAlygAwIBAgIBATANBgkqhkiG9w0BAQUFADBAMRIwEAYDVQQDDAlzYWdo
+YXVsb3IxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkWA2Nv
+bTAeFw0xNjAxMTEyMjQyMDFaFw0xNzAxMTAyMjQyMDFaMEAxEjAQBgNVBAMMCXNh
+Z2hhdWxvcjEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPyLGQBGRYD
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx0xdQYk2GwCpQ1n/
+n2mPVYHLYqU5TAn/82t5kbqBUWjbcj8tHAi41tJ19+fT/hH0dog8JHvho1zmOr71
+ZIqreJQo60TqP6oE9a5HncUpjqbRp7tOmHo9E+mOW1yT4NiXqFf1YINExQKy2XND
+WPQ+T50ZNUsGMfHFWB4NAymejRWXlOEY3bvKW0UHFeNmouP5he51TjoP8uCc9536
+4AIWVP/zzzjwrFtC7av7nRw4Y+gX2bQjrkK2k2JS0ejiGzKBIEMJejcI2B+t79zT
+kUQq9SFwp2BrKSIy+4kh4CiF20RT/Hfc1MbvTxSIl/bbIxCYEOhmtHExHi0CoCWs
+YCGCXQIDAQABo3kwdzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQU
+SCpVzSBvYbO6B3oT3n3RCZmurG8wHgYDVR0RBBcwFYETc2FnaGF1bG9yQGdtYWls
+LmNvbTAeBgNVHRIEFzAVgRNzYWdoYXVsb3JAZ21haWwuY29tMA0GCSqGSIb3DQEB
+BQUAA4IBAQAeiGdC3e0WiZpm0cF/b7JC6hJYXC9Yv9VsRAWD9ROsLjFKwOhmonnc
++l/QrmoTjMakYXBCai/Ca3L+k5eRrKilgyITILsmmFxK8sqPJXUw2Jmwk/dAky6x
+hHKVZAofT1OrOOPJ2USoZyhR/VI8epLaD5wUmkVDNqtZWviW+dtRa55aPYjRw5Pj
+wuj9nybhZr+BbEbmZE//2nbfkM4hCuMtxxxilPrJ22aYNmeWU0wsPpDyhPYxOUgU
+ZjeLmnSDiwL6doiP5IiwALH/dcHU67ck3NGf6XyqNwQrrmtPY0mv1WVVL4Uh+vYE
+kHoFzE2no0BfBg78Re8fY69P5yES5ncC
+-----END CERTIFICATE-----

data/encryptor.gemspec

@@ -0,0 +1,41 @@
+# -*- encoding: utf-8 -*-
+
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'encryptor/version'
+require 'date'
+
+Gem::Specification.new do |s|
+  s.name     = 'encryptor'
+  s.version  = Encryptor::Version
+  s.date     = Date.today
+  s.platform = Gem::Platform::RUBY
+
+  s.summary     = 'A simple wrapper for the standard ruby OpenSSL library'
+  s.description = 'A simple wrapper for the standard ruby OpenSSL library to encrypt and decrypt strings'
+
+  s.authors   = ['Sean Huber', 'S. Brent Faulkner', 'William Monk', 'Stephen Aghaulor']
+  s.email    = ['sean@shuber.io', 'sbfaulkner@gmail.com', 'billy.monk@gmail.com', 'saghaulor@gmail.com']
+  s.homepage = 'http://github.com/attr-encrypted/encryptor'
+  s.license = 'MIT'
+  s.rdoc_options = %w(--charset=UTF-8 --inline-source --line-numbers --main README.md)
+
+  s.require_paths = ['lib']
+
+  s.files      = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- test/*`.split("\n")
+
+  s.required_ruby_version = '>= 2.0.0'
+
+  s.add_development_dependency('minitest', '>= 0')
+  s.add_development_dependency('rake', '>= 0')
+  s.add_development_dependency('simplecov', '>= 0')
+  s.add_development_dependency('simplecov-rcov', '>= 0')
+  s.add_development_dependency('codeclimate-test-reporter', '>= 0')
+
+  s.requirements << 'openssl, >= v1.0.1'
+
+  s.cert_chain  = ['certs/saghaulor.pem']
+  s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/
+end

data/lib/encryptor.rb

@@ -1,45 +1,48 @@
 require 'openssl'
-require 'encryptor/string'
-
-String.send(:include, Encryptor::String)
+require 'encryptor/version'
 
 # A simple wrapper for the standard OpenSSL library
 module Encryptor
-  autoload :Version, 'encryptor/version'
 
   extend self
 
   # The default options to use when calling the <tt>encrypt</tt> and <tt>decrypt</tt> methods
   #
-  # Defaults to { :algorithm => 'aes-256-cbc' }
+  # Defaults to { algorithm: 'aes-256-gcm',
+  #               auth_data: '',
+  #               insecure_mode: false,
+  #               hmac_iterations: 2000 }
   #
   # Run 'openssl list-cipher-commands' in your terminal to view a list all cipher algorithms that are supported on your platform
   def default_options
-    @default_options ||= { :algorithm => 'aes-256-cbc' }
+    @default_options ||= { algorithm: 'aes-256-gcm',
+                           auth_data: '',
+                           insecure_mode: false,
+                           hmac_iterations: 2000 }
   end
 
-  # Encrypts a <tt>:value</tt> with a specified <tt>:key</tt>
+  # Encrypts a <tt>:value</tt> with a specified <tt>:key</tt> and <tt>:iv</tt>.
   #
-  # Optionally accepts <tt>:iv</tt> and <tt>:algorithm</tt> options
+  # Optionally accepts <tt>:salt</tt>, <tt>:auth_data</tt>, <tt>:algorithm</tt>, <tt>:hmac_iterations</tt>, and <tt>:insecure_mode</tt> options.
   #
   # Example
   #
-  #   encrypted_value = Encryptor.encrypt(:value => 'some string to encrypt', :key => 'some secret key')
+  #   encrypted_value = Encryptor.encrypt(value: 'some string to encrypt', key: 'some secret key', iv: 'some unique value', salt: 'another unique value')
   #   # or
-  #   encrypted_value = Encryptor.encrypt('some string to encrypt', :key => 'some secret key')
+  #   encrypted_value = Encryptor.encrypt('some string to encrypt', key: 'some secret key', iv: 'some unique value', salt: 'another unique value')
   def encrypt(*args, &block)
     crypt :encrypt, *args, &block
   end
 
-  # Decrypts a <tt>:value</tt> with a specified <tt>:key</tt>
+  # Decrypts a <tt>:value</tt> with a specified <tt>:key</tt> and  <tt>:iv</tt>.
   #
-  # Optionally accepts <tt>:iv</tt> and <tt>:algorithm</tt> options
+  # Optionally accepts <tt>:salt</tt>, <tt>:auth_data</tt>, <tt>:algorithm</tt>, <tt>:hmac_iterations</tt>, and <tt>:insecure_mode</tt> options.
   #
   # Example
   #
-  #   decrypted_value = Encryptor.decrypt(:value => 'some encrypted string', :key => 'some secret key')
+  #   decrypted_value = Encryptor.decrypt(value: 'some encrypted string', key: 'some secret key', iv: 'some unique value', salt: 'another unique value')
   #   # or
-  #   decrypted_value = Encryptor.decrypt('some encrypted string', :key => 'some secret key')
+  #   decrypted_value = Encryptor.decrypt('some encrypted string', key: 'some secret key', iv: 'some unique value', salt: 'another unique value')
   def decrypt(*args, &block)
     crypt :decrypt, *args, &block
   end
@@ -47,10 +50,15 @@ module Encryptor
   protected
 
     def crypt(cipher_method, *args) #:nodoc:
-      options = default_options.merge(:value => args.first).merge(args.last.is_a?(Hash) ? args.last : {})
-      raise ArgumentError.new('must specify a :key') if options[:key].to_s.empty?
-      cipher = OpenSSL::Cipher::Cipher.new(options[:algorithm])
+      options = default_options.merge(value: args.first).merge(args.last.is_a?(Hash) ? args.last : {})
+      raise ArgumentError.new('must specify a key') if options[:key].to_s.empty?
+      cipher = OpenSSL::Cipher.new(options[:algorithm])
       cipher.send(cipher_method)
+      unless options[:insecure_mode]
+        raise ArgumentError.new("key must be #{cipher.key_len} bytes or longer") if options[:key].bytesize < cipher.key_len
+        raise ArgumentError.new('must specify an iv') if options[:iv].to_s.empty?
+        raise ArgumentError.new("iv must be #{cipher.iv_len} bytes or longer") if options[:iv].bytesize < cipher.iv_len
+      end
       if options[:iv]
         cipher.iv = options[:iv]
         if options[:salt].nil?
@@ -63,13 +71,40 @@ module Encryptor
           # Use an explicit salt (which can be persisted into a database on a
           # per-column basis, for example). This is the preferred (and more
           # secure) mode of operation.
-          cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(options[:key], options[:salt], 2000, cipher.key_len)
+          cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(options[:key], options[:salt], options[:hmac_iterations], cipher.key_len)
         end
       else
+        # This is deprecated and needs to be changed.
         cipher.pkcs5_keyivgen(options[:key])
       end
       yield cipher, options if block_given?
-      result = cipher.update(options[:value])
+      value = options[:value]
+      if cipher.authenticated?
+        if encryption?(cipher_method)
+          cipher.auth_data = options[:auth_data]
+        else
+          value = extract_cipher_text(options[:value])
+          cipher.auth_tag = extract_auth_tag(options[:value])
+          # auth_data must be set after auth_tag has been set when decrypting
+          # See http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-auth_data-3D
+          cipher.auth_data = options[:auth_data]
+        end
+      end
+      result = cipher.update(value)
       result << cipher.final
+      result << cipher.auth_tag if cipher.authenticated? && encryption?(cipher_method)
+      result
+    end
+
+    def encryption?(cipher_method)
+      cipher_method == :encrypt
+    end
+
+    def extract_cipher_text(value)
+      value[0..-17]
+    end
+
+    def extract_auth_tag(value)
+      value[-16..-1]
     end
 end