RubyGems - enveloperb - Versions diffs - 0.1.5.4.g10f5d39-aarch64-linux - Mend

enveloperb 0.1.5.4.g10f5d39-aarch64-linux

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml +7 -0
data/CODE_OF_CONDUCT.md +49 -0
data/CONTRIBUTING.md +10 -0
data/LICENCE +674 -0
data/README.md +124 -0
data/enveloperb.gemspec +39 -0
data/ext/enveloperb/.gitignore +4 -0
data/ext/enveloperb/Cargo.lock +1732 -0
data/ext/enveloperb/Cargo.toml +17 -0
data/ext/enveloperb/extconf.rb +4 -0
data/ext/enveloperb/src/lib.rs +195 -0
data/lib/2.7/enveloperb.so +0 -0
data/lib/3.0/enveloperb.so +0 -0
data/lib/3.1/enveloperb.so +0 -0
data/lib/enveloperb/awskms.rb +58 -0
data/lib/enveloperb/encrypted_record.rb +31 -0
data/lib/enveloperb/simple.rb +35 -0
data/lib/enveloperb.rb +17 -0
metadata +230 -0

data/README.md ADDED Viewed

@@ -0,0 +1,124 @@
+Ruby bindings for the [envelopers](https://github.com/cipherstash/enveloper) envelope encryption library.
+Envelope encryption is a mechanism by which a plaintext is encrypted into a ciphertext using a single-use key (known as the "data key"), and then that data key is encrypted with a second key (known as the "wrapping key", or "key-encryption key", or sometimes "KEK").
+The encrypted data key is then stored alongside the ciphertext, so that all that is needed for decryption is the key-encryption key and the ciphertext/encrypted data key bundle.
+The benefits of this mechanism are:
+1. Compromise of the key used to encrypt a plaintext (say, by short-term penetration of a process performing decryption) does not compromise all data;
+2. The key-encryption key can be stored securely and entirely separate from any plaintext data, in an HSM (Hardware Security Module) or other hardened environment;
+3. The entity operating the key-encryption key environment never has (direct) access to plaintexts (as would be the case if you sent the plaintext to the HSM for encryption);
+4. Large volumes of data can be encrypted efficiently on a local machine, and only the small data key needs to be sent over a slow network link to be encrypted.
+As you can see, the benefits of envelope encryption mostly center around environments where KEK material is HSM-managed.
+Except for testing purposes, it is not common to use envelope encryption in situations where the KEK is provided directly to the envelope encryption system.
+# Installation
+For the most common platforms, we provide "native" gems (which have the shared object that provides the cryptographic primitives pre-compiled).
+At present, we provide native gems for:
+* Linux `x86_64` and `aarch64`
+* macOS `x86_64` and `arm64`
+On these platforms, you can just install the `enveloperb` gem via your preferred method, and it should "just work".
+If it doesn't, please [report that as a bug](https://github.com/cipherstash/enveloperb/issues).
+For other platforms, you will need to install the source gem, which requires that you have Rust 1.57.0 or later installed.
+On ARM-based platforms, you must use Rust nightly, for SIMD intrinsics support.
+## Installing from Git
+If you have a burning need to install directly from a checkout of the git repository, you can do so by running `bundle install && rake install`.
+As this is a source-based installation, you will need to have Rust installed, as described above.
+# Usage
+First off, load the library:
+```ruby
+require "enveloperb"
+```
+Then create a new cryptography engine, using your choice of wrapping key provider.
+For this example, we'll use the "simple" key provider, which takes a 16 byte *binary* string as the key-encryption-key.
+```ruby
+require "securerandom"
+kek = SecureRandom.bytes(16)
+engine = Enveloperb::Simple.new(kek)
+```
+Now you can encrypt whatever data you like:
+```ruby
+ct = engine.encrypt("This is a super-important secret")
+```
+This produces an `Enveloperb::EncryptedRecord`, which can be turned into a (binary) string very easily:
+```ruby
+File.binwrite("/tmp/ciphertext", ct1.to_s)
+```
+To turn a binary string back into a ciphertext, just create a new `EncryptedRecord` with it:
+```ruby
+ct_new = Enveloperb::EncryptedRecord.new(File.binread("/tmp/ciphertext"))
+```
+Then you can decrypt it again:
+```ruby
+engine.decrypt(ct_new)  # => "This ia super-important secret"
+```
+## AWS KMS Key Provider
+When using a locally-managed wrapping key, the benefits over direct encryption aren't significant.
+The real benefits come when using a secured key provider for the wrapping key, such as AWS KMS.
+To use an AWS KMS key as the wrapping key, you use an `Enveloperb::AWSKMS` instance as the cryptography engine, like so:
+```ruby
+engine = Enveloperb::AWSKMS.key(keyid, profile: "example", region: "xx-example-1", credentials: { ... })
+```
+While `keyid` is mandatory, `profile`, `region` and `credentials` are all optional.
+If not specified, they will be extracted from the usual places (environment, metadata service, etc) as specified in [the AWS SDK for Rust documentation](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/credentials.html).
+Yes, the Rust SDK -- `enveloperb` is just a thin wrapper around a Rust library.
+We are truly living in the future.
+Once you have your AWS KMS cryptography engine, its usage is the familiar `#encrypt` / `#decrypt` cycle.
+# Contributing
+Please see [CONTRIBUTING.md](CONTRIBUTING.md).
+# Licence
+Unless otherwise stated, everything in this repo is covered by the following
+copyright notice:
+    Copyright (C) 2022  CipherStash Inc.
+    This program is free software: you can redistribute it and/or modify it
+    under the terms of the GNU General Public License version 3, as
+    published by the Free Software Foundation.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.

data/enveloperb.gemspec ADDED Viewed

@@ -0,0 +1,39 @@
+begin
+  require 'git-version-bump'
+rescue LoadError
+  nil
+end
+Gem::Specification.new do |s|
+  s.name = "enveloperb"
+  s.version = ENV.fetch("GVB_VERSION_OVERRIDE") { GVB.version rescue "0.0.0.1.NOGVB" }
+  s.date    = GVB.date    rescue Time.now.strftime("%Y-%m-%d")
+  s.platform = Gem::Platform::RUBY
+  s.summary  = "Ruby bindings for the envelopers envelope encryption library"
+  s.authors  = ["Matt Palmer"]
+  s.email    = ["matt@cipherstash.com"]
+  s.homepage = "https://github.com/cipherstash/enveloperb"
+  s.files = `git ls-files -z`.split("\0").reject { |f| f =~ /^(\.|G|spec|Rakefile)/ }
+  s.extensions = ["ext/enveloperb/extconf.rb"]
+  s.required_ruby_version = ">= 2.7.0"
+  s.add_development_dependency 'bundler'
+  s.add_development_dependency 'github-release'
+  s.add_development_dependency 'guard-rspec'
+  s.add_development_dependency 'rake', '~> 13.0'
+  s.add_development_dependency 'rake-compiler', '~> 1.2'
+  s.add_development_dependency 'rake-compiler-dock', '~> 1.2'
+  s.add_development_dependency 'rb-inotify', '~> 0.9'
+  s.add_development_dependency 'rb_sys', '~> 0.1'
+  s.add_development_dependency 'redcarpet'
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'simplecov'
+  s.add_development_dependency 'yard'
+end

data/ext/enveloperb/.gitignore ADDED Viewed

@@ -0,0 +1,4 @@
+/target
+# Cargo.lock is deliberately *not* ignored; despite *technically* being a
+# library package, it is not a Rust library that is built into other projects,
+# but rather a standalone binary object that should be built reproducibly.