kms_encrypted 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: dcfe0e3ccdefdbde5b05b879a8f2badf3337fd0e
+  data.tar.gz: 8866251c5210f0c67845f99a221931db0a77446f
+SHA512:
+  metadata.gz: 664d6f021217bbd3e3740943bc91b60d1ad7af84c6f2081512f03956ba48488a98666a94417a61a1e68a15ccd36a8a4b31c541a6c40422a7cb8f21f079761d0f
+  data.tar.gz: dbd76c23ee501e1e7c8cb28d4cd1e45430e6ea3904ef4afa8053973b034f8637627c01646e9b5782079f24c151702aa2e3006940df99f572b73be9a8adad7a56

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 0.1.0
+
+- First release

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/README.md

@@ -0,0 +1,84 @@
+# KMS Encrypted
+
+[KMS](https://aws.amazon.com/kms/) + [attr_encrypted](https://github.com/attr-encrypted/attr_encrypted)
+
+The attr_encrypted gem is great for encryption, but:
+
+1. Leaves you to manage the security of your keys
+2. Doesn’t provide a great audit trail to see how data has been accessed
+
+KMS addresses both of the issues and it’s easy to use them together.
+
+**Note:** This has not been battle-tested in a production environment, so use with caution
+
+## Getting Started
+
+Add this line to your application’s Gemfile:
+
+```ruby
+gem 'kms_encrypted'
+```
+
+Add a column to store encrypted KMS data keys
+
+```ruby
+add_column :users, :encrypted_kms_key, :string
+```
+
+Create a [KMS master key](https://console.aws.amazon.com/iam/home#/encryptionKeys) and set it in your environment (we recommend [dotenv](https://github.com/bkeepers/dotenv))
+
+```sh
+KMS_KEY_ID=arn:aws:kms:...
+```
+
+And update your model
+
+```ruby
+class User < ApplicationRecord
+  has_kms_key ENV["KMS_KEY_ID"]
+
+  attr_encrypted :email, key: :kms_key
+end
+```
+
+For each encrypted attribute, use the `kms_key` method for its key.
+
+## Auditing
+
+[AWS CloudTrail](https://aws.amazon.com/cloudtrail/) logs all decryption calls. However, to know what data is being decrypted, you’ll need to add context.
+
+Add a `kms_encryption_context` method to your model.
+
+```ruby
+class User < ApplicationRecord
+  def kms_encryption_context
+    self.id ||= self.class.connection.execute("select nextval('#{self.class.sequence_name}')").first["nextval"]
+    {"Record" => "#{model_name}/#{id}"}
+  end
+end
+```
+
+The context is used as part of the encryption and decryption process, so it must be a value that doesn’t change. Otherwise, you won’t be able to decrypt.
+
+Read more about [encryption context here](http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
+
+## How It Works
+
+KMS allows you to generate data keys from your master key. Data keys are encrypted and stored with each record. Whenever you want to decrypt data, you need to first decrypt the data key with KMS. Once you have the decrypted key, you can then use it to decrypt the data with attr_encrypted.
+
+## TODO
+
+- add support for multiple data keys per record
+
+## History
+
+View the [changelog](https://github.com/ankane/kms_encrypted/blob/master/CHANGELOG.md)
+
+## Contributing
+
+Everyone is encouraged to help improve this project. Here are a few ways you can help:
+
+- [Report bugs](https://github.com/ankane/kms_encrypted/issues)
+- Fix bugs and [submit pull requests](https://github.com/ankane/kms_encrypted/pulls)
+- Write, clarify, or fix documentation
+- Suggest or add new features

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+  t.warning = false
+end
+
+task default: :test

data/kms_encrypted.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "kms_encrypted/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "kms_encrypted"
+  spec.version       = KmsEncrypted::VERSION
+  spec.authors       = ["Andrew Kane"]
+  spec.email         = ["andrew@chartkick.com"]
+
+  spec.summary       = "KMS + attr_encrypted"
+  spec.homepage      = "https://github.com/ankane/kms_encrypted"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "aws-sdk-kms"
+  spec.add_dependency "activesupport"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "sqlite3"
+  spec.add_development_dependency "activerecord"
+  spec.add_development_dependency "attr_encrypted"
+end

data/lib/kms_encrypted.rb

@@ -0,0 +1,56 @@
+require "kms_encrypted/version"
+require "active_support"
+require "aws-sdk-kms"
+
+module KmsEncrypted
+  def self.kms
+    @kms ||= Aws::KMS::Client.new
+  end
+
+  module Model
+    def has_kms_key(key_id)
+      raise ArgumentError, "Missing key id" unless key_id
+
+      class_eval do
+        class << self
+          attr_accessor :kms_key_id
+        end
+        self.kms_key_id = key_id
+
+        def kms_key
+          unless @kms_key
+            key_id = self.class.kms_key_id
+            context = respond_to?(:kms_encryption_context) ? kms_encryption_context : {}
+            default_encoding = "m"
+
+            unless encrypted_kms_key
+              resp = KmsEncrypted.kms.generate_data_key(
+                key_id: key_id,
+                encryption_context: context,
+                key_spec: "AES_256"
+              )
+              @kms_key = resp.plaintext
+              ciphertext = resp.ciphertext_blob
+              self.encrypted_kms_key = [resp.ciphertext_blob].pack(default_encoding)
+            end
+
+            unless @kms_key
+              ciphertext = encrypted_kms_key.unpack(default_encoding).first
+              resp = KmsEncrypted.kms.decrypt(
+                ciphertext_blob: ciphertext,
+                encryption_context: context
+              )
+              @kms_key = resp.plaintext
+            end
+          end
+
+          @kms_key
+        end
+      end
+    end
+  end
+end
+
+ActiveSupport.on_load(:active_record) do
+  extend KmsEncrypted::Model
+end

data/lib/kms_encrypted/version.rb

@@ -0,0 +1,3 @@
+module KmsEncrypted
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,163 @@
+--- !ruby/object:Gem::Specification
+name: kms_encrypted
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Andrew Kane
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-09-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-kms
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: attr_encrypted
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- andrew@chartkick.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- CHANGELOG.md
+- Gemfile
+- README.md
+- Rakefile
+- kms_encrypted.gemspec
+- lib/kms_encrypted.rb
+- lib/kms_encrypted/version.rb
+homepage: https://github.com/ankane/kms_encrypted
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: KMS + attr_encrypted
+test_files: []