enveloperb 0.0.0.1.ENOTAG-aarch64-linux

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: b0e3a56a7f683b6d677551fe1f05ec3cc78caeee6eb6c41c68efd160af5d050f
4
+ data.tar.gz: 44c2bdd2f6a074fc4b19af6057fa668cfc2d5f4c04078664f4b9823e00486834
5
+ SHA512:
6
+ metadata.gz: 2a3229aafe0a57c3e11a8f357e1aab5b3797a8065fb38f1edf00fb2216e7bd55d4624c7e6650d50c93e769921d2757878b0e78b10ae21916251399da971e9d92
7
+ data.tar.gz: 29ec3a7db15cf5f835b9d2f056de63b79da30c8a724141a0d678c5722908a97d224722d0dd9fe421efff6cacb21e7dba760923c7dcd4fcf65315c13d85e3e188
@@ -0,0 +1,49 @@
1
+ # Contributor Code of Conduct
2
+
3
+ As contributors and maintainers of this project, and in the interest of
4
+ fostering an open and welcoming community, we pledge to respect all people who
5
+ contribute through reporting issues, posting feature requests, updating
6
+ documentation, submitting pull requests or patches, and other activities.
7
+
8
+ We are committed to making participation in this project a harassment-free
9
+ experience for everyone, regardless of level of experience, gender, gender
10
+ identity and expression, sexual orientation, disability, personal appearance,
11
+ body size, race, ethnicity, age, religion, or nationality.
12
+
13
+ Examples of unacceptable behavior by participants include:
14
+
15
+ * The use of sexualized language or imagery
16
+ * Personal attacks
17
+ * Trolling or insulting/derogatory comments
18
+ * Public or private harassment
19
+ * Publishing other's private information, such as physical or electronic
20
+ addresses, without explicit permission
21
+ * Other unethical or unprofessional conduct
22
+
23
+ Project maintainers have the right and responsibility to remove, edit, or
24
+ reject comments, commits, code, wiki edits, issues, and other contributions
25
+ that are not aligned to this Code of Conduct, or to ban temporarily or
26
+ permanently any contributor for other behaviors that they deem inappropriate,
27
+ threatening, offensive, or harmful.
28
+
29
+ By adopting this Code of Conduct, project maintainers commit themselves to
30
+ fairly and consistently applying these principles to every aspect of managing
31
+ this project. Project maintainers who do not follow or enforce the Code of
32
+ Conduct may be permanently removed from the project team.
33
+
34
+ This code of conduct applies both within project spaces and in public spaces
35
+ when an individual is representing the project or its community.
36
+
37
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
38
+ reported by contacting a project maintainer at team@cipherstash.com. All
39
+ complaints will be reviewed and investigated and will result in a response that
40
+ is deemed necessary and appropriate to the circumstances. Maintainers are
41
+ obligated to maintain confidentiality with regard to the reporter of an
42
+ incident.
43
+
44
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage],
45
+ version 1.3.0, available at
46
+ [http://contributor-covenant.org/version/1/3/0/][version]
47
+
48
+ [homepage]: http://contributor-covenant.org
49
+ [version]: http://contributor-covenant.org/version/1/3/0/
data/CONTRIBUTING.md ADDED
@@ -0,0 +1,10 @@
1
+ * If you have found a discrepancy in documented and observed behaviour, that
2
+ is a bug. Feel free to [report it as an
3
+ issue](https://github.com/cipherstash/enveloperb/issues), providing
4
+ sufficient detail to reproduce the problem.
5
+
6
+ * If you would like to add new behaviour, please submit a well-tested and
7
+ well-documented [pull
8
+ request](https://github.com/cipherstash/enveloperb/pulls).
9
+
10
+ * At all times, abide by the Code of Conduct (CODE_OF_CONDUCT.md).
data/LICENSE ADDED
@@ -0,0 +1,124 @@
1
+ CipherStash Client Library Licence Agreement
2
+
3
+ 0. Background
4
+
5
+ This licence sets out the terms on which you are permitted to use client side
6
+ components of software provided by CipherStash to query encrypted databases
7
+ (CipherStash Client Software).The operation of the CipherStash Client Software
8
+ is dependent on encryption keys generated by server software operated or
9
+ licensed by CipherStash.
10
+
11
+ 1. Definitions
12
+
13
+ 1.1 In these terms the following terms have the following meanings:
14
+ (a) Authorised Purpose in relation to the CipherStash Source Code has the
15
+ meaning given to it in clause 2.4;
16
+ (b) CipherStash Source Code means human readable code of the CipherStash
17
+ Client Software;
18
+ (c) CipherStash Executable means the machine executable code of the
19
+ CipherStash Client Software as made available by CipherStash from
20
+ time to time;
21
+ (d) CipherStash Client Software has the meaning given to it in the
22
+ Background;
23
+ (e) Licensed Query means a query on a database that:
24
+ (i) uses an encryption key generated by a key server operated or
25
+ licensed by CipherStash for all encryption of the content of that
26
+ query or of results returned in response to that query (excluding
27
+ encryption in the transport layer for communications between
28
+ servers); and
29
+ (ii) uses a valid token provided by CipherStash in the course of
30
+ acquiring the key referred to in the previous paragraph;
31
+ (f) Your Applications means applications that you create that rely on any
32
+ part of the CipherStash Client Software in the course of their
33
+ operation.
34
+ 1.2 In these terms, unless the context requires otherwise, references to:
35
+ (a) encryption includes decryption;
36
+ (b) keys are references to data used for encryption, not data indicating a
37
+ row in a database table.
38
+
39
+ 2. Grant of Licence
40
+
41
+ 2.1 This licence permits you to do the following in relation to the CipherStash
42
+ Client Software:
43
+ (a) use the CipherStash Executables in the course of developing and testing
44
+ Your Applications;
45
+ (b) deploy and use copies of the CipherStash Executables for the purpose of
46
+ executing Licensed Queries, including as part of one or more of Your
47
+ Applications; and
48
+ (c) use the CipherStash Source Code solely for an Authorised Purpose.
49
+ 2.2 Subject to clause 2.4(c), you must not make any modifications to the
50
+ CipherStash Client Software.
51
+ 2.3 This licence specifically excludes any use of any part of the CipherStash
52
+ Client Software to execute any queries other than Licensed Queries on any
53
+ database.
54
+ 2.4 CipherStash makes the CipherStash Source Code available for the sole purpose
55
+ of allowing third parties to verify the operation, integrity and security
56
+ of the CipherStash Client Software (Authorised Purpose). This licence
57
+ permits you to do the following solely for an Authorised Purpose:
58
+ (a) download and review the CipherStash Source Code;
59
+ (b) build executable versions of the CipherStash Source Code to verify
60
+ correspondence between it and its associated CipherStash Executable;
61
+ (c) make configuration changes to the CipherStash Source Code solely to the
62
+ extent necessary to build a working executable version under paragraph
63
+ (b).
64
+
65
+ 3. Warranties and Liability
66
+
67
+ 3.1 To the extent permitted by law, CipherStash excludes all warranties,
68
+ guarantees and conditions that would otherwise be implied into this
69
+ agreement by law. Where CipherStash is not able to exclude such a warranty,
70
+ guarantee or condition, CipherStash limits, to the extent permitted by law,
71
+ its liability for a breach of that warranty, guarantee or condition to one
72
+ or more of the following at its option:
73
+ (a) in the case of goods, any one or more of the following:
74
+ (i) the replacement of the goods or the supply of equivalent goods;
75
+ (ii) the repair of the goods;
76
+ (iii) the payment of the cost of replacing the goods or of acquiring
77
+ equivalent goods;
78
+ (iv) the payment of the cost of having the goods repaired; and
79
+ (b) in the case of services:
80
+ (i) the supplying of the services again; or
81
+ (ii) the payment of the cost of having the services supplied again.
82
+ 3.2 CipherStash has no liability to any person arising under or in relation to
83
+ this agreement (whether in tort, contract, equity or otherwise) for any
84
+ loss in the nature of consequential or economic loss. In particular,
85
+ CipherStash has no liability to any person for any: lost profits; loss of
86
+ savings, income or revenue; revenue not meeting targets or certain levels;
87
+ uptime or availability of internet connectivity or of the ability of third
88
+ parties to access a website, loss of opportunity; or loss of or corruption
89
+ of data. The exclusions in this clause 3.2 apply even in respect of loss or
90
+ damage that was foreseeable or about which either or both of the parties
91
+ were aware was likely to arise.
92
+
93
+ 4. Dispute Resolution
94
+
95
+ 4.1 Prior to commencing any action in any court or any action in any other form
96
+ of judicial or quasi-judicial forum you must comply with the requirements
97
+ of this clause 4.
98
+ 4.2 Where you believe there is a dispute between you and CipherStash in respect
99
+ of a matter the subject of this agreement you must notify CipherStash in
100
+ writing of the nature of that dispute and for a period of 120 days
101
+ following CipherStash’s receipt of that notification, make reasonable
102
+ attempts to resolve that dispute with CipherStash.
103
+
104
+ 5. General and Interpretation
105
+
106
+ 5.1 Except where expressly set out to the contrary, nothing in this agreement
107
+ grants the Customer any rights over any intellectual property rights
108
+ (including copyright, patents, and rights to the registration of such
109
+ rights) held by CipherStash at any time.
110
+ 5.2 No provision of this agreement may be construed against a party because
111
+ that party drafted that term.
112
+ 5.3 A waiver of rights under this agreement can only occur in writing signed by
113
+ the party granting the waiver. Except to the extent set out in the waiver,
114
+ a waiver is only effective in relation to the specific facts and rights set
115
+ out in it and does not operate to waive any other rights or to waive the
116
+ same rights in respect of different facts or circumstances.
117
+ 5.4 Where a part of this agreement is held by a court to be illegal or
118
+ otherwise unenforceable, and the unenforceability of that part does not
119
+ substantially alter the character of the bargain that would have been in
120
+ existence between the parties had that part been enforceable, that part is
121
+ severed and the balance of this agreement will continue unaffected.
122
+ 5.5 This contract is governed by the laws in force in the State of New South
123
+ Wales, Australia. Each party submits to the non-exclusive jurisdiction of
124
+ the courts of that State.
data/README.md ADDED
@@ -0,0 +1,124 @@
1
+ Ruby bindings for the [envelopers](https://github.com/cipherstash/enveloper) envelope encryption library.
2
+
3
+ Envelope encryption is a mechanism by which a plaintext is encrypted into a ciphertext using a single-use key (known as the "data key"), and then that data key is encrypted with a second key (known as the "wrapping key", or "key-encryption key", or sometimes "KEK").
4
+ The encrypted data key is then stored alongside the ciphertext, so that all that is needed for decryption is the key-encryption key and the ciphertext/encrypted data key bundle.
5
+
6
+ The benefits of this mechanism are:
7
+
8
+ 1. Compromise of the key used to encrypt a plaintext (say, by short-term penetration of a process performing decryption) does not compromise all data;
9
+
10
+ 2. The key-encryption key can be stored securely and entirely separate from any plaintext data, in an HSM (Hardware Security Module) or other hardened environment;
11
+
12
+ 3. The entity operating the key-encryption key environment never has (direct) access to plaintexts (as would be the case if you sent the plaintext to the HSM for encryption);
13
+
14
+ 4. Large volumes of data can be encrypted efficiently on a local machine, and only the small data key needs to be sent over a slow network link to be encrypted.
15
+
16
+ As you can see, the benefits of envelope encryption mostly center around environments where KEK material is HSM-managed.
17
+ Except for testing purposes, it is not common to use envelope encryption in situations where the KEK is provided directly to the envelope encryption system.
18
+
19
+
20
+ # Installation
21
+
22
+ For the most common platforms, we provide "native" gems (which have the shared object that provides the cryptographic primitives pre-compiled).
23
+ At present, we provide native gems for:
24
+
25
+ * Linux `x86_64` and `aarch64`
26
+ * macOS `x86_64` and `arm64`
27
+
28
+ On these platforms, you can just install the `enveloperb` gem via your preferred method, and it should "just work".
29
+ If it doesn't, please [report that as a bug](https://github.com/cipherstash/enveloperb/issues).
30
+
31
+ For other platforms, you will need to install the source gem, which requires that you have Rust 1.57.0 or later installed.
32
+ On ARM-based platforms, you must use Rust nightly, for SIMD intrinsics support.
33
+
34
+ ## Installing from Git
35
+
36
+ If you have a burning need to install directly from a checkout of the git repository, you can do so by running `bundle install && rake install`.
37
+ As this is a source-based installation, you will need to have Rust installed, as described above.
38
+
39
+
40
+ # Usage
41
+
42
+ First off, load the library:
43
+
44
+ ```ruby
45
+ require "enveloperb"
46
+ ```
47
+
48
+ Then create a new cryptography engine, using your choice of wrapping key provider.
49
+ For this example, we'll use the "simple" key provider, which takes a 16 byte *binary* string as the key-encryption-key.
50
+
51
+ ```ruby
52
+ require "securerandom"
53
+ kek = SecureRandom.bytes(16)
54
+
55
+ engine = Enveloperb::Simple.new(kek)
56
+ ```
57
+
58
+ Now you can encrypt whatever data you like:
59
+
60
+ ```ruby
61
+ ct = engine.encrypt("This is a super-important secret")
62
+ ```
63
+
64
+ This produces an `Enveloperb::EncryptedRecord`, which can be turned into a (binary) string very easily:
65
+
66
+ ```ruby
67
+ File.binwrite("/tmp/ciphertext", ct1.to_s)
68
+ ```
69
+
70
+ To turn a binary string back into a ciphertext, just create a new `EncryptedRecord` with it:
71
+
72
+ ```ruby
73
+ ct_new = Enveloperb::EncryptedRecord.new(File.binread("/tmp/ciphertext"))
74
+ ```
75
+
76
+ Then you can decrypt it again:
77
+
78
+ ```ruby
79
+ engine.decrypt(ct_new) # => "This ia super-important secret"
80
+ ```
81
+
82
+
83
+ ## AWS KMS Key Provider
84
+
85
+ When using a locally-managed wrapping key, the benefits over direct encryption aren't significant.
86
+ The real benefits come when using a secured key provider for the wrapping key, such as AWS KMS.
87
+
88
+ To use an AWS KMS key as the wrapping key, you use an `Enveloperb::AWSKMS` instance as the cryptography engine, like so:
89
+
90
+ ```ruby
91
+ engine = Enveloperb::AWSKMS.key(keyid, profile: "example", region: "xx-example-1", credentials: { ... })
92
+ ```
93
+
94
+ While `keyid` is mandatory, `profile`, `region` and `credentials` are all optional.
95
+ If not specified, they will be extracted from the usual places (environment, metadata service, etc) as specified in [the AWS SDK for Rust documentation](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/credentials.html).
96
+ Yes, the Rust SDK -- `enveloperb` is just a thin wrapper around a Rust library.
97
+ We are truly living in the future.
98
+
99
+ Once you have your AWS KMS cryptography engine, its usage is the familiar `#encrypt` / `#decrypt` cycle.
100
+
101
+
102
+ # Contributing
103
+
104
+ Please see [CONTRIBUTING.md](CONTRIBUTING.md).
105
+
106
+
107
+ # Licence
108
+
109
+ Unless otherwise stated, everything in this repo is covered by the following
110
+ copyright notice:
111
+
112
+ Copyright (C) 2022 CipherStash Inc.
113
+
114
+ This program is free software: you can redistribute it and/or modify it
115
+ under the terms of the GNU General Public License version 3, as
116
+ published by the Free Software Foundation.
117
+
118
+ This program is distributed in the hope that it will be useful,
119
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
120
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
121
+ GNU General Public License for more details.
122
+
123
+ You should have received a copy of the GNU General Public License
124
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
@@ -0,0 +1,39 @@
1
+ begin
2
+ require 'git-version-bump'
3
+ rescue LoadError
4
+ nil
5
+ end
6
+
7
+ Gem::Specification.new do |s|
8
+ s.name = "enveloperb"
9
+
10
+ s.version = ENV.fetch("GVB_VERSION_OVERRIDE") { GVB.version rescue "0.0.0.1.NOGVB" }
11
+ s.date = GVB.date rescue Time.now.strftime("%Y-%m-%d")
12
+
13
+ s.platform = Gem::Platform::RUBY
14
+
15
+ s.summary = "Ruby bindings for the envelopers envelope encryption library"
16
+
17
+ s.authors = ["Matt Palmer"]
18
+ s.email = ["matt@cipherstash.com"]
19
+ s.homepage = "https://github.com/cipherstash/enveloperb"
20
+
21
+ s.files = `git ls-files -z`.split("\0").reject { |f| f =~ /^(\.|G|spec|Rakefile)/ }
22
+
23
+ s.extensions = ["ext/enveloperb/extconf.rb"]
24
+
25
+ s.required_ruby_version = ">= 2.7.0"
26
+
27
+ s.add_development_dependency 'bundler'
28
+ s.add_development_dependency 'github-release'
29
+ s.add_development_dependency 'guard-rspec'
30
+ s.add_development_dependency 'rake', '~> 13.0'
31
+ s.add_development_dependency 'rake-compiler', '~> 1.2'
32
+ s.add_development_dependency 'rake-compiler-dock', '~> 1.2'
33
+ s.add_development_dependency 'rb-inotify', '~> 0.9'
34
+ s.add_development_dependency 'rb_sys', '~> 0.1'
35
+ s.add_development_dependency 'redcarpet'
36
+ s.add_development_dependency 'rspec'
37
+ s.add_development_dependency 'simplecov'
38
+ s.add_development_dependency 'yard'
39
+ end
@@ -0,0 +1,4 @@
1
+ /target
2
+ # Cargo.lock is deliberately *not* ignored; despite *technically* being a
3
+ # library package, it is not a Rust library that is built into other projects,
4
+ # but rather a standalone binary object that should be built reproducibly.