kms_encrypted 1.1.0 → 1.2.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +30 -10
- data/LICENSE.txt +1 -1
- data/README.md +447 -8
- data/lib/kms_encrypted.rb +5 -0
- data/lib/kms_encrypted/box.rb +1 -1
- data/lib/kms_encrypted/client.rb +1 -3
- data/lib/kms_encrypted/clients/google.rb +1 -1
- data/lib/kms_encrypted/clients/test.rb +2 -0
- data/lib/kms_encrypted/database.rb +3 -2
- data/lib/kms_encrypted/model.rb +57 -15
- data/lib/kms_encrypted/version.rb +1 -1
- metadata +8 -148
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d9e368d367eac07c613631f127f228ed57c7f5b7cb2202734be492bc7cb4db9f
|
4
|
+
data.tar.gz: 4eb449027d355d5708d2529156d96367273be9eff3bf92e8901104421fae4623
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8b9bf21b480abef541935406524dbd433f8b806fc1d8369af2b2e8a5f98c7c9f3dbb8adcf97e09fca871bdee05127489027c09484731afc468c46e490c5daa90
|
7
|
+
data.tar.gz: 244c6b23ca0cef8ffba7ac3838b2e669bfef2635fd2646307e44e80074c0b69c764339e54e4271c4f213958f1cb91653b89085c6167403c9c7a12d55e8d2400c
|
data/CHANGELOG.md
CHANGED
@@ -1,15 +1,35 @@
|
|
1
|
-
## 1.
|
1
|
+
## 1.2.3 (2021-06-02)
|
2
|
+
|
3
|
+
- Fixed argument error with Google Cloud KMS and Ruby 3
|
4
|
+
|
5
|
+
## 1.2.2 (2021-05-17)
|
6
|
+
|
7
|
+
- Added `key_id` method
|
8
|
+
|
9
|
+
## 1.2.1 (2020-09-28)
|
10
|
+
|
11
|
+
- Fixed `Version not active` error when switching keys
|
12
|
+
|
13
|
+
## 1.2.0 (2020-08-18)
|
14
|
+
|
15
|
+
- Raise error when trying to rotate key used for encrypted files
|
16
|
+
|
17
|
+
## 1.1.1 (2020-04-16)
|
18
|
+
|
19
|
+
- Fixed `SystemStackError` with `reload` and CarrierWave
|
20
|
+
|
21
|
+
## 1.1.0 (2019-07-09)
|
2
22
|
|
3
23
|
- Added support for Lockbox
|
4
24
|
- Dropped support for Rails 4.2
|
5
25
|
|
6
|
-
## 1.0.1
|
26
|
+
## 1.0.1 (2019-01-21)
|
7
27
|
|
8
28
|
- Added support for encryption and decryption outside models
|
9
29
|
- Added support for dynamic keys
|
10
30
|
- Fixed issue with inheritance
|
11
31
|
|
12
|
-
## 1.0.0
|
32
|
+
## 1.0.0 (2018-12-17)
|
13
33
|
|
14
34
|
- Added versioning
|
15
35
|
- Added `context_hash` method
|
@@ -20,38 +40,38 @@ Breaking changes
|
|
20
40
|
- ActiveSupport notifications were changed from `generate_data_key` and `decrypt_data_key` to `encrypt` and `decrypt`
|
21
41
|
- AWS KMS uses the `Encrypt` operation instead of `GenerateDataKey`
|
22
42
|
|
23
|
-
## 0.3.0
|
43
|
+
## 0.3.0 (2018-11-11)
|
24
44
|
|
25
45
|
- Added support for Vault
|
26
46
|
- Removed `KmsEncrypted.kms_client` and `KmsEncrypted.client_options` in favor of `KmsEncrypted.aws_client`
|
27
47
|
- Removed `KmsEncrypted::Google.kms_client` in favor of `KmsEncrypted.google_client`
|
28
48
|
|
29
|
-
## 0.2.0
|
49
|
+
## 0.2.0 (2018-02-23)
|
30
50
|
|
31
51
|
- Added support for Google KMS
|
32
52
|
|
33
|
-
## 0.1.4
|
53
|
+
## 0.1.4 (2017-12-03)
|
34
54
|
|
35
55
|
- Added `kms_keys` method to models
|
36
56
|
- Reset data keys when record is reloaded
|
37
57
|
- Added `kms_client`
|
38
58
|
- Added ActiveSupport notifications
|
39
59
|
|
40
|
-
## 0.1.3
|
60
|
+
## 0.1.3 (2017-12-01)
|
41
61
|
|
42
62
|
- Added test key
|
43
63
|
- Added `client_options`
|
44
64
|
- Allow private or protected `kms_encryption_context` method
|
45
65
|
|
46
|
-
## 0.1.2
|
66
|
+
## 0.1.2 (2017-09-25)
|
47
67
|
|
48
68
|
- Use `KMS_KEY_ID` env variable by default
|
49
69
|
|
50
|
-
## 0.1.1
|
70
|
+
## 0.1.1 (2017-09-23)
|
51
71
|
|
52
72
|
- Added key rotation
|
53
73
|
- Added support for multiple keys per record
|
54
74
|
|
55
|
-
## 0.1.0
|
75
|
+
## 0.1.0 (2017-09-23)
|
56
76
|
|
57
77
|
- First release
|
data/LICENSE.txt
CHANGED
data/README.md
CHANGED
@@ -14,23 +14,453 @@ Supports [AWS KMS](https://aws.amazon.com/kms/), [Google Cloud KMS](https://clou
|
|
14
14
|
|
15
15
|
Check out [this post](https://ankane.org/sensitive-data-rails) for more info on securing sensitive data with Rails
|
16
16
|
|
17
|
-
[![Build Status](https://
|
17
|
+
[![Build Status](https://github.com/ankane/kms_encrypted/workflows/build/badge.svg?branch=master)](https://github.com/ankane/kms_encrypted/actions)
|
18
18
|
|
19
19
|
## How It Works
|
20
20
|
|
21
|
-
This approach uses a key management service (KMS) to manage encryption keys and attr_encrypted to do the encryption.
|
21
|
+
This approach uses a key management service (KMS) to manage encryption keys and Lockbox / attr_encrypted to do the encryption.
|
22
22
|
|
23
|
-
To encrypt an attribute, we first generate a data key and encrypt it with the KMS. This is known as [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption). We pass the unencrypted version to
|
23
|
+
To encrypt an attribute, we first generate a data key and encrypt it with the KMS. This is known as [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption). We pass the unencrypted version to the encryption library and store the encrypted version in the `encrypted_kms_key` column. For each record, we generate a different data key.
|
24
24
|
|
25
|
-
To decrypt an attribute, we first decrypt the data key with the KMS. Once we have the decrypted key, we pass it to
|
25
|
+
To decrypt an attribute, we first decrypt the data key with the KMS. Once we have the decrypted key, we pass it to the encryption library to decrypt the data. We can easily track decryptions since we have a different data key for each record.
|
26
|
+
|
27
|
+
## Installation
|
28
|
+
|
29
|
+
Add this line to your application’s Gemfile:
|
30
|
+
|
31
|
+
```ruby
|
32
|
+
gem 'kms_encrypted'
|
33
|
+
```
|
34
|
+
|
35
|
+
And follow the instructions for your key management service:
|
36
|
+
|
37
|
+
- [AWS KMS](#aws-kms)
|
38
|
+
- [Google Cloud KMS](#google-cloud-kms)
|
39
|
+
- [Vault](#vault)
|
40
|
+
|
41
|
+
### AWS KMS
|
42
|
+
|
43
|
+
Add this line to your application’s Gemfile:
|
44
|
+
|
45
|
+
```ruby
|
46
|
+
gem 'aws-sdk-kms'
|
47
|
+
```
|
48
|
+
|
49
|
+
Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
|
50
|
+
|
51
|
+
Create a [KMS master key](https://console.aws.amazon.com/iam/home#/encryptionKeys) and set it in your environment along with your AWS credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
|
52
|
+
|
53
|
+
```sh
|
54
|
+
KMS_KEY_ID=arn:aws:kms:...
|
55
|
+
AWS_ACCESS_KEY_ID=...
|
56
|
+
AWS_SECRET_ACCESS_KEY=...
|
57
|
+
```
|
58
|
+
|
59
|
+
You can also use the alias
|
60
|
+
|
61
|
+
```sh
|
62
|
+
KMS_KEY_ID=alias/my-alias
|
63
|
+
```
|
64
|
+
|
65
|
+
### Google Cloud KMS
|
66
|
+
|
67
|
+
Add this line to your application’s Gemfile:
|
68
|
+
|
69
|
+
```ruby
|
70
|
+
gem 'google-apis-cloudkms_v1'
|
71
|
+
```
|
72
|
+
|
73
|
+
Create a [Google Cloud Platform](https://cloud.google.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on GCP.
|
74
|
+
|
75
|
+
Create a [KMS key ring and key](https://console.cloud.google.com/iam-admin/kms) and set it in your environment along with your GCP credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
|
76
|
+
|
77
|
+
```sh
|
78
|
+
KMS_KEY_ID=projects/.../locations/.../keyRings/.../cryptoKeys/...
|
79
|
+
```
|
80
|
+
|
81
|
+
The Google API client logs requests by default. Be sure to turn off the logger in production or it will leak the plaintext.
|
82
|
+
|
83
|
+
```ruby
|
84
|
+
Google::Apis.logger = Logger.new(nil)
|
85
|
+
```
|
86
|
+
|
87
|
+
### Vault
|
88
|
+
|
89
|
+
Add this line to your application’s Gemfile:
|
90
|
+
|
91
|
+
```ruby
|
92
|
+
gem 'vault'
|
93
|
+
```
|
94
|
+
|
95
|
+
Enable the [transit](https://www.vaultproject.io/docs/secrets/transit/index.html) secrets engine
|
96
|
+
|
97
|
+
```sh
|
98
|
+
vault secrets enable transit
|
99
|
+
```
|
100
|
+
|
101
|
+
And create a key
|
102
|
+
|
103
|
+
```sh
|
104
|
+
vault write -f transit/keys/my-key derived=true
|
105
|
+
```
|
106
|
+
|
107
|
+
Set it in your environment along with your Vault credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
|
108
|
+
|
109
|
+
```sh
|
110
|
+
KMS_KEY_ID=vault/my-key
|
111
|
+
VAULT_ADDR=http://127.0.0.1:8200
|
112
|
+
VAULT_TOKEN=secret
|
113
|
+
```
|
26
114
|
|
27
115
|
## Getting Started
|
28
116
|
|
29
|
-
|
117
|
+
Create a migration to add a column for the encrypted KMS data keys
|
118
|
+
|
119
|
+
```ruby
|
120
|
+
add_column :users, :encrypted_kms_key, :text
|
121
|
+
```
|
122
|
+
|
123
|
+
And update your model
|
124
|
+
|
125
|
+
```ruby
|
126
|
+
class User < ApplicationRecord
|
127
|
+
has_kms_key
|
128
|
+
|
129
|
+
# Lockbox fields
|
130
|
+
encrypts :email, key: :kms_key
|
131
|
+
|
132
|
+
# Lockbox files
|
133
|
+
encrypts_attached :license, key: :kms_key
|
134
|
+
|
135
|
+
# attr_encrypted fields
|
136
|
+
attr_encrypted :email, key: :kms_key
|
137
|
+
end
|
138
|
+
```
|
139
|
+
|
140
|
+
For each encrypted attribute, use the `kms_key` method for its key.
|
141
|
+
|
142
|
+
## Auditing & Alerting
|
143
|
+
|
144
|
+
### Context
|
145
|
+
|
146
|
+
Encryption context is used in auditing to identify the data being decrypted. This is the model name and id by default. You can customize this with:
|
147
|
+
|
148
|
+
```ruby
|
149
|
+
class User < ApplicationRecord
|
150
|
+
def kms_encryption_context
|
151
|
+
{
|
152
|
+
model_name: model_name.to_s,
|
153
|
+
model_id: id
|
154
|
+
}
|
155
|
+
end
|
156
|
+
end
|
157
|
+
```
|
158
|
+
|
159
|
+
The context is used as part of the encryption and decryption process, so it must be a value that doesn’t change. Otherwise, you won’t be able to decrypt. You can [rotate the context](#switching-context) without downtime if needed.
|
160
|
+
|
161
|
+
### Order of Events
|
162
|
+
|
163
|
+
Since the default context includes the id, the data key cannot be encrypted until the record has an id. For new records, the default flow is:
|
164
|
+
|
165
|
+
1. Start a database transaction
|
166
|
+
2. Insert the record, getting back the id
|
167
|
+
3. Call KMS to encrypt the data key, passing the id as part of the context
|
168
|
+
4. Update the `encrypted_kms_key` column
|
169
|
+
5. Commit the database transaction
|
170
|
+
|
171
|
+
With Postgres, you can avoid a network call inside a transaction with:
|
172
|
+
|
173
|
+
```ruby
|
174
|
+
class User < ApplicationRecord
|
175
|
+
has_kms_key eager_encrypt: :fetch_id
|
176
|
+
end
|
177
|
+
```
|
178
|
+
|
179
|
+
This changes the flow to:
|
180
|
+
|
181
|
+
1. Prefetch the id with the Postgres `nextval` function
|
182
|
+
2. Call KMS to encrypt the data key, passing the id as part of the context
|
183
|
+
3. Insert the record with the id and encrypted data key
|
184
|
+
|
185
|
+
If you don’t need the id from the database for context, you can use:
|
186
|
+
|
187
|
+
```ruby
|
188
|
+
class User < ApplicationRecord
|
189
|
+
has_kms_key eager_encrypt: true
|
190
|
+
end
|
191
|
+
```
|
192
|
+
|
193
|
+
### AWS KMS
|
194
|
+
|
195
|
+
[AWS CloudTrail](https://aws.amazon.com/cloudtrail/) logs all decryption calls. You can view them in the [CloudTrail console](https://console.aws.amazon.com/cloudtrail/home#/events?EventName=Decrypt). Note that it can take 20 minutes for events to show up. You can also use the AWS CLI.
|
196
|
+
|
197
|
+
```sh
|
198
|
+
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Decrypt
|
199
|
+
```
|
200
|
+
|
201
|
+
If you haven’t already, enable CloudTrail storage to S3 to ensure events are accessible after 90 days. Later, you can use Amazon Athena and this [table structure](https://www.1strategy.com/blog/2017/07/25/auditing-aws-activity-with-cloudtrail-and-athena/) to query them.
|
202
|
+
|
203
|
+
Read more about [encryption context here](https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
|
204
|
+
|
205
|
+
#### Alerting
|
206
|
+
|
207
|
+
Set up alerts for suspicious behavior. To get near real-time alerts (20-30 second delay), use CloudWatch Events.
|
208
|
+
|
209
|
+
First, create a new SNS topic with a name like "decryptions". We’ll use this shortly.
|
210
|
+
|
211
|
+
Next, open [CloudWatch Events](https://console.aws.amazon.com/cloudwatch/home#rules:) and create a rule to match “Events by Service”. Choose “Key Management Service (KMS)” as the service name and “AWS API Call via CloudTrail” as the event type. For operations, select “Specific Operations” and enter “Decrypt”.
|
212
|
+
|
213
|
+
Select the SNS topic created earlier as the target and save the rule.
|
214
|
+
|
215
|
+
To set up an alarm, go to [this page](https://console.aws.amazon.com/cloudwatch/home?#metricsV2:graph=%7E();namespace=AWS/Events;dimensions=RuleName) in CloudWatch Metrics. Find the rule and check “Invocations”. On the “Graphed Metrics” tab, change the statistic to “Sum” and the period to “1 minute”. Finally, click the bell icon to create an alarm for high number of decryptions.
|
216
|
+
|
217
|
+
While the alarm we created isn’t super sophisticated, this setup provides a great foundation for alerting as your organization grows.
|
218
|
+
|
219
|
+
You can use the SNS topic or another target to send events to a log provider or [SIEM](https://en.wikipedia.org/wiki/Security_information_and_event_management), where can you do more advanced anomaly detection.
|
220
|
+
|
221
|
+
You should also use other tools to detect breaches, like an [IDS](https://www.alienvault.com/blogs/security-essentials/open-source-intrusion-detection-tools-a-quick-overview). You can use [Amazon GuardDuty](https://aws.amazon.com/guardduty/) if you run infrastructure on AWS.
|
222
|
+
|
223
|
+
### Google Cloud KMS
|
224
|
+
|
225
|
+
Follow the [instructions here](https://cloud.google.com/kms/docs/logging) to set up data access logging. There is not currently a way to see what data is being decrypted, since the additional authenticated data is not logged. For this reason, we recommend another KMS provider.
|
226
|
+
|
227
|
+
### Vault
|
228
|
+
|
229
|
+
Follow the [instructions here](https://www.vaultproject.io/docs/audit/) to set up data access logging.
|
230
|
+
|
231
|
+
**Note:** Vault will only verify this value if `derived` was set to true when creating the key. If this is not done, the context cannot be trusted.
|
232
|
+
|
233
|
+
Context will show up hashed in the audit logs. To get the hash for a record, use:
|
30
234
|
|
31
|
-
|
32
|
-
|
33
|
-
|
235
|
+
```ruby
|
236
|
+
KmsEncrypted.context_hash(record.kms_encryption_context, path: "file")
|
237
|
+
```
|
238
|
+
|
239
|
+
The `path` option should point to your audit device. Common paths are `file`, `syslog`, and `socket`.
|
240
|
+
|
241
|
+
## Separate Permissions
|
242
|
+
|
243
|
+
A great feature of KMS is the ability to grant encryption and decryption permission separately.
|
244
|
+
|
245
|
+
Be extremely selective of servers you allow to decrypt.
|
246
|
+
|
247
|
+
For servers that can only encrypt, clear out the existing data and data key before assigning new values (otherwise, you’ll get a decryption error).
|
248
|
+
|
249
|
+
```ruby
|
250
|
+
# Lockbox
|
251
|
+
user.email_ciphertext = nil
|
252
|
+
user.encrypted_kms_key = nil
|
253
|
+
|
254
|
+
# attr_encrypted
|
255
|
+
user.encrypted_email = nil
|
256
|
+
user.encrypted_email_iv = nil
|
257
|
+
user.encrypted_kms_key = nil
|
258
|
+
```
|
259
|
+
|
260
|
+
### AWS KMS
|
261
|
+
|
262
|
+
To encrypt the data, use an IAM policy with:
|
263
|
+
|
264
|
+
```json
|
265
|
+
{
|
266
|
+
"Version": "2012-10-17",
|
267
|
+
"Statement": [
|
268
|
+
{
|
269
|
+
"Sid": "EncryptData",
|
270
|
+
"Effect": "Allow",
|
271
|
+
"Action": "kms:Encrypt",
|
272
|
+
"Resource": "arn:aws:kms:..."
|
273
|
+
}
|
274
|
+
]
|
275
|
+
}
|
276
|
+
```
|
277
|
+
|
278
|
+
To decrypt the data, use an IAM policy with:
|
279
|
+
|
280
|
+
```json
|
281
|
+
{
|
282
|
+
"Version": "2012-10-17",
|
283
|
+
"Statement": [
|
284
|
+
{
|
285
|
+
"Sid": "DecryptData",
|
286
|
+
"Effect": "Allow",
|
287
|
+
"Action": "kms:Decrypt",
|
288
|
+
"Resource": "arn:aws:kms:..."
|
289
|
+
}
|
290
|
+
]
|
291
|
+
}
|
292
|
+
```
|
293
|
+
|
294
|
+
### Google Cloud KMS
|
295
|
+
|
296
|
+
todo: document
|
297
|
+
|
298
|
+
### Vault
|
299
|
+
|
300
|
+
To encrypt the data, use a policy with:
|
301
|
+
|
302
|
+
```hcl
|
303
|
+
path "transit/encrypt/my-key"
|
304
|
+
{
|
305
|
+
capabilities = ["create", "update"]
|
306
|
+
}
|
307
|
+
```
|
308
|
+
|
309
|
+
To decrypt the data, use a policy with:
|
310
|
+
|
311
|
+
```hcl
|
312
|
+
path "transit/decrypt/my-key"
|
313
|
+
{
|
314
|
+
capabilities = ["create", "update"]
|
315
|
+
}
|
316
|
+
```
|
317
|
+
|
318
|
+
Apply a policy with:
|
319
|
+
|
320
|
+
```sh
|
321
|
+
vault policy write encrypt encrypt.hcl
|
322
|
+
```
|
323
|
+
|
324
|
+
And create a token with specific policies with:
|
325
|
+
|
326
|
+
```sh
|
327
|
+
vault token create -policy=encrypt -policy=decrypt -no-default-policy
|
328
|
+
```
|
329
|
+
|
330
|
+
## Testing
|
331
|
+
|
332
|
+
For testing, you can prevent network calls to KMS by setting:
|
333
|
+
|
334
|
+
```sh
|
335
|
+
KMS_KEY_ID=insecure-test-key
|
336
|
+
```
|
337
|
+
|
338
|
+
In a Rails application, you can also create `config/initializers/kms_encrypted.rb` with:
|
339
|
+
|
340
|
+
```ruby
|
341
|
+
KmsEncrypted.key_id = Rails.env.test? ? "insecure-test-key" : ENV["KMS_KEY_ID"]
|
342
|
+
```
|
343
|
+
|
344
|
+
## Key Rotation
|
345
|
+
|
346
|
+
Key management services allow you to rotate the master key without any code changes.
|
347
|
+
|
348
|
+
AWS KMS supports [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html).
|
349
|
+
|
350
|
+
For Google Cloud, use the Google Cloud Console or API.
|
351
|
+
|
352
|
+
For Vault, use:
|
353
|
+
|
354
|
+
```sh
|
355
|
+
vault write -f transit/keys/my-key/rotate
|
356
|
+
```
|
357
|
+
|
358
|
+
New data will be encrypted with the new master key version. To encrypt existing data with new master key version, run:
|
359
|
+
|
360
|
+
```ruby
|
361
|
+
User.find_each do |user|
|
362
|
+
user.rotate_kms_key!
|
363
|
+
end
|
364
|
+
```
|
365
|
+
|
366
|
+
**Note:** This method does not rotate encrypted files, so avoid calling `rotate_kms_key!` on models with file uploads for now.
|
367
|
+
|
368
|
+
### Switching Keys
|
369
|
+
|
370
|
+
You can change keys within your current KMS or move to a different KMS without downtime. Update your model:
|
371
|
+
|
372
|
+
```ruby
|
373
|
+
class User < ApplicationRecord
|
374
|
+
has_kms_key version: 2, key_id: ENV["KMS_KEY_ID_V2"],
|
375
|
+
previous_versions: {
|
376
|
+
1 => {key_id: ENV["KMS_KEY_ID"]}
|
377
|
+
}
|
378
|
+
end
|
379
|
+
```
|
380
|
+
|
381
|
+
New data will be encrypted with the new key. To update existing data, use:
|
382
|
+
|
383
|
+
```ruby
|
384
|
+
User.where("encrypted_kms_key NOT LIKE 'v2:%'").find_each do |user|
|
385
|
+
user.rotate_kms_key!
|
386
|
+
end
|
387
|
+
```
|
388
|
+
|
389
|
+
Once all data is updated, you can remove the `previous_versions` option.
|
390
|
+
|
391
|
+
### Switching Context
|
392
|
+
|
393
|
+
You can change your encryption context without downtime. Update your model:
|
394
|
+
|
395
|
+
```ruby
|
396
|
+
class User < ApplicationRecord
|
397
|
+
has_kms_key version: 2,
|
398
|
+
previous_versions: {
|
399
|
+
1 => {key_id: ENV["KMS_KEY_ID"]}
|
400
|
+
}
|
401
|
+
|
402
|
+
def kms_encryption_context(version:)
|
403
|
+
if version == 1
|
404
|
+
# previous context method
|
405
|
+
else
|
406
|
+
# new context method
|
407
|
+
end
|
408
|
+
end
|
409
|
+
end
|
410
|
+
```
|
411
|
+
|
412
|
+
New data will be encrypted with the new context. To update existing data, use:
|
413
|
+
|
414
|
+
```ruby
|
415
|
+
User.where("encrypted_kms_key NOT LIKE 'v2:%'").find_each do |user|
|
416
|
+
user.rotate_kms_key!
|
417
|
+
end
|
418
|
+
```
|
419
|
+
|
420
|
+
Once all data is updated, you can remove the `previous_versions` option.
|
421
|
+
|
422
|
+
## Multiple Keys Per Record
|
423
|
+
|
424
|
+
You may want to protect different columns with different data keys (or even master keys).
|
425
|
+
|
426
|
+
To do this, add another column
|
427
|
+
|
428
|
+
```ruby
|
429
|
+
add_column :users, :encrypted_kms_key_phone, :text
|
430
|
+
```
|
431
|
+
|
432
|
+
And update your model
|
433
|
+
|
434
|
+
```ruby
|
435
|
+
class User < ApplicationRecord
|
436
|
+
has_kms_key
|
437
|
+
has_kms_key name: :phone, key_id: "..."
|
438
|
+
|
439
|
+
# Lockbox
|
440
|
+
encrypts :email, key: :kms_key
|
441
|
+
encrypts :phone, key: :kms_key_phone
|
442
|
+
|
443
|
+
# attr_encrypted
|
444
|
+
attr_encrypted :email, key: :kms_key
|
445
|
+
attr_encrypted :phone, key: :kms_key_phone
|
446
|
+
end
|
447
|
+
```
|
448
|
+
|
449
|
+
To rotate keys, use:
|
450
|
+
|
451
|
+
```ruby
|
452
|
+
user.rotate_kms_key_phone!
|
453
|
+
```
|
454
|
+
|
455
|
+
For custom context, use:
|
456
|
+
|
457
|
+
```ruby
|
458
|
+
class User < ApplicationRecord
|
459
|
+
def kms_encryption_context_phone
|
460
|
+
# some hash
|
461
|
+
end
|
462
|
+
end
|
463
|
+
```
|
34
464
|
|
35
465
|
## Outside Models
|
36
466
|
|
@@ -98,3 +528,12 @@ Everyone is encouraged to help improve this project. Here are a few ways you can
|
|
98
528
|
- Fix bugs and [submit pull requests](https://github.com/ankane/kms_encrypted/pulls)
|
99
529
|
- Write, clarify, or fix documentation
|
100
530
|
- Suggest or add new features
|
531
|
+
|
532
|
+
To get started with development and testing:
|
533
|
+
|
534
|
+
```sh
|
535
|
+
git clone https://github.com/ankane/kms_encrypted.git
|
536
|
+
cd kms_encrypted
|
537
|
+
bundle install
|
538
|
+
bundle exec rake test
|
539
|
+
```
|
data/lib/kms_encrypted.rb
CHANGED
@@ -27,6 +27,7 @@ module KmsEncrypted
|
|
27
27
|
attr_writer :aws_client
|
28
28
|
attr_writer :google_client
|
29
29
|
attr_writer :vault_client
|
30
|
+
attr_writer :key_id
|
30
31
|
|
31
32
|
def aws_client
|
32
33
|
@aws_client ||= Aws::KMS::Client.new(
|
@@ -54,6 +55,10 @@ module KmsEncrypted
|
|
54
55
|
@vault_client ||= ::Vault::Client.new
|
55
56
|
end
|
56
57
|
|
58
|
+
def key_id
|
59
|
+
@key_id ||= ENV["KMS_KEY_ID"]
|
60
|
+
end
|
61
|
+
|
57
62
|
# hash is independent of key, but specific to audit device
|
58
63
|
def context_hash(context, path:)
|
59
64
|
context = Base64.encode64(context.to_json)
|
data/lib/kms_encrypted/box.rb
CHANGED
@@ -3,7 +3,7 @@ module KmsEncrypted
|
|
3
3
|
attr_reader :key_id, :version, :previous_versions
|
4
4
|
|
5
5
|
def initialize(key_id: nil, version: nil, previous_versions: nil)
|
6
|
-
@key_id = key_id ||
|
6
|
+
@key_id = key_id || KmsEncrypted.key_id
|
7
7
|
@version = version || 1
|
8
8
|
@previous_versions = previous_versions || {}
|
9
9
|
end
|
data/lib/kms_encrypted/client.rb
CHANGED
@@ -1,11 +1,9 @@
|
|
1
1
|
module KmsEncrypted
|
2
2
|
class Client
|
3
|
-
delegate :encrypt, :decrypt, to: :client
|
4
|
-
|
5
3
|
attr_reader :key_id, :data_key
|
6
4
|
|
7
5
|
def initialize(key_id: nil, legacy_context: false, data_key: false)
|
8
|
-
@key_id = key_id ||
|
6
|
+
@key_id = key_id || KmsEncrypted.key_id
|
9
7
|
@legacy_context = legacy_context
|
10
8
|
@data_key = data_key
|
11
9
|
end
|
@@ -11,7 +11,7 @@ module KmsEncrypted
|
|
11
11
|
|
12
12
|
# ensure namespace gets loaded
|
13
13
|
client = KmsEncrypted.google_client
|
14
|
-
request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(options)
|
14
|
+
request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(**options)
|
15
15
|
response = client.encrypt_crypto_key(key_id, request)
|
16
16
|
|
17
17
|
@last_key_version = response.name
|
@@ -12,6 +12,8 @@ module KmsEncrypted
|
|
12
12
|
def decrypt(ciphertext, context: nil)
|
13
13
|
prefix, plaintext, stored_context = ciphertext.split(":")
|
14
14
|
|
15
|
+
decryption_failed! if prefix != PREFIX
|
16
|
+
|
15
17
|
context = generate_context(context) if context
|
16
18
|
decryption_failed! if context != stored_context
|
17
19
|
|
@@ -43,11 +43,12 @@ module KmsEncrypted
|
|
43
43
|
def decrypt(ciphertext)
|
44
44
|
# determine version for context
|
45
45
|
m = /\Av(\d+):/.match(ciphertext)
|
46
|
-
|
47
|
-
context = (options[:upgrade_context] && !m) ? {} : context(
|
46
|
+
ciphertext_version = m ? m[1].to_i : 1
|
47
|
+
context = (options[:upgrade_context] && !m) ? {} : context(ciphertext_version)
|
48
48
|
|
49
49
|
KmsEncrypted::Box.new(
|
50
50
|
key_id: key_id,
|
51
|
+
version: version,
|
51
52
|
previous_versions: previous_versions
|
52
53
|
).decrypt(ciphertext, context: context)
|
53
54
|
end
|
data/lib/kms_encrypted/model.rb
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
module KmsEncrypted
|
2
2
|
module Model
|
3
3
|
def has_kms_key(name: nil, key_id: nil, eager_encrypt: false, version: 1, previous_versions: nil, upgrade_context: false)
|
4
|
-
key_id ||=
|
4
|
+
key_id ||= KmsEncrypted.key_id
|
5
5
|
|
6
6
|
key_method = name ? "kms_key_#{name}" : "kms_key"
|
7
7
|
key_column = "encrypted_#{key_method}"
|
@@ -55,16 +55,17 @@ module KmsEncrypted
|
|
55
55
|
end
|
56
56
|
end
|
57
57
|
|
58
|
-
# same pattern as attr_encrypted reload
|
59
58
|
if method_defined?(:reload)
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
59
|
+
m = Module.new do
|
60
|
+
define_method(:reload) do |*args, &block|
|
61
|
+
result = super(*args, &block)
|
62
|
+
self.class.kms_keys.keys.each do |key_method|
|
63
|
+
instance_variable_set("@#{key_method}", nil)
|
64
|
+
end
|
65
|
+
result
|
65
66
|
end
|
66
|
-
result
|
67
67
|
end
|
68
|
+
prepend m
|
68
69
|
end
|
69
70
|
end
|
70
71
|
|
@@ -106,27 +107,68 @@ module KmsEncrypted
|
|
106
107
|
}
|
107
108
|
end
|
108
109
|
|
110
|
+
# automatically detects attributes and files where the encryption key is:
|
111
|
+
# 1. a symbol that matches kms key method exactly
|
112
|
+
# does not detect attributes and files where the encryption key is:
|
113
|
+
# 1. callable (warns)
|
114
|
+
# 2. a symbol that internally calls kms key method
|
115
|
+
# it could try to get the exact key and compare
|
116
|
+
# (there's a very small chance this could have false positives)
|
117
|
+
# but bias towards simplicity for now
|
118
|
+
# TODO possibly raise error for callable keys in 2.0
|
119
|
+
# with option to override/specify attributes
|
109
120
|
define_method("rotate_#{key_method}!") do
|
110
121
|
# decrypt
|
111
122
|
plaintext_attributes = {}
|
112
123
|
|
113
124
|
# attr_encrypted
|
114
125
|
if self.class.respond_to?(:encrypted_attributes)
|
115
|
-
self.class.encrypted_attributes.
|
116
|
-
|
126
|
+
self.class.encrypted_attributes.each do |key, v|
|
127
|
+
if v[:key] == key_method.to_sym
|
128
|
+
plaintext_attributes[key] = send(key)
|
129
|
+
elsif v[:key].respond_to?(:call)
|
130
|
+
warn "[kms_encrypted] Can't detect if encrypted attribute uses this key"
|
131
|
+
end
|
117
132
|
end
|
118
133
|
end
|
119
134
|
|
120
135
|
# lockbox attributes
|
136
|
+
# only checks key, not previous versions
|
121
137
|
if self.class.respond_to?(:lockbox_attributes)
|
122
|
-
self.class.lockbox_attributes.
|
123
|
-
|
138
|
+
self.class.lockbox_attributes.each do |key, v|
|
139
|
+
if v[:key] == key_method.to_sym
|
140
|
+
plaintext_attributes[key] = send(key)
|
141
|
+
elsif v[:key].respond_to?(:call)
|
142
|
+
warn "[kms_encrypted] Can't detect if encrypted attribute uses this key"
|
143
|
+
end
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
147
|
+
# lockbox attachments
|
148
|
+
# only checks key, not previous versions
|
149
|
+
if self.class.respond_to?(:lockbox_attachments)
|
150
|
+
self.class.lockbox_attachments.each do |key, v|
|
151
|
+
if v[:key] == key_method.to_sym
|
152
|
+
# can likely add support at some point, but may be complicated
|
153
|
+
# ideally use rotate_encryption! from Lockbox
|
154
|
+
# but needs access to both old and new keys
|
155
|
+
# also need to update database atomically
|
156
|
+
raise KmsEncrypted::Error, "Can't rotate key used for encrypted files"
|
157
|
+
elsif v[:key].respond_to?(:call)
|
158
|
+
warn "[kms_encrypted] Can't detect if encrypted attachment uses this key"
|
159
|
+
end
|
124
160
|
end
|
125
161
|
end
|
126
162
|
|
127
|
-
#
|
128
|
-
|
129
|
-
|
163
|
+
# CarrierWave uploaders
|
164
|
+
if self.class.respond_to?(:uploaders)
|
165
|
+
self.class.uploaders.each do |_, uploader|
|
166
|
+
# for simplicity, only checks if key is callable
|
167
|
+
if uploader.respond_to?(:lockbox_options) && uploader.lockbox_options[:key].respond_to?(:call)
|
168
|
+
warn "[kms_encrypted] Can't detect if encrypted uploader uses this key"
|
169
|
+
end
|
170
|
+
end
|
171
|
+
end
|
130
172
|
|
131
173
|
# reset key
|
132
174
|
instance_variable_set("@#{key_method}", nil)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: kms_encrypted
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.2.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Kane
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-06-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -24,148 +24,8 @@ dependencies:
|
|
24
24
|
- - ">="
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: '5'
|
27
|
-
|
28
|
-
|
29
|
-
requirement: !ruby/object:Gem::Requirement
|
30
|
-
requirements:
|
31
|
-
- - ">="
|
32
|
-
- !ruby/object:Gem::Version
|
33
|
-
version: '0'
|
34
|
-
type: :development
|
35
|
-
prerelease: false
|
36
|
-
version_requirements: !ruby/object:Gem::Requirement
|
37
|
-
requirements:
|
38
|
-
- - ">="
|
39
|
-
- !ruby/object:Gem::Version
|
40
|
-
version: '0'
|
41
|
-
- !ruby/object:Gem::Dependency
|
42
|
-
name: rake
|
43
|
-
requirement: !ruby/object:Gem::Requirement
|
44
|
-
requirements:
|
45
|
-
- - ">="
|
46
|
-
- !ruby/object:Gem::Version
|
47
|
-
version: '0'
|
48
|
-
type: :development
|
49
|
-
prerelease: false
|
50
|
-
version_requirements: !ruby/object:Gem::Requirement
|
51
|
-
requirements:
|
52
|
-
- - ">="
|
53
|
-
- !ruby/object:Gem::Version
|
54
|
-
version: '0'
|
55
|
-
- !ruby/object:Gem::Dependency
|
56
|
-
name: minitest
|
57
|
-
requirement: !ruby/object:Gem::Requirement
|
58
|
-
requirements:
|
59
|
-
- - ">="
|
60
|
-
- !ruby/object:Gem::Version
|
61
|
-
version: '0'
|
62
|
-
type: :development
|
63
|
-
prerelease: false
|
64
|
-
version_requirements: !ruby/object:Gem::Requirement
|
65
|
-
requirements:
|
66
|
-
- - ">="
|
67
|
-
- !ruby/object:Gem::Version
|
68
|
-
version: '0'
|
69
|
-
- !ruby/object:Gem::Dependency
|
70
|
-
name: sqlite3
|
71
|
-
requirement: !ruby/object:Gem::Requirement
|
72
|
-
requirements:
|
73
|
-
- - ">="
|
74
|
-
- !ruby/object:Gem::Version
|
75
|
-
version: '0'
|
76
|
-
type: :development
|
77
|
-
prerelease: false
|
78
|
-
version_requirements: !ruby/object:Gem::Requirement
|
79
|
-
requirements:
|
80
|
-
- - ">="
|
81
|
-
- !ruby/object:Gem::Version
|
82
|
-
version: '0'
|
83
|
-
- !ruby/object:Gem::Dependency
|
84
|
-
name: activerecord
|
85
|
-
requirement: !ruby/object:Gem::Requirement
|
86
|
-
requirements:
|
87
|
-
- - ">="
|
88
|
-
- !ruby/object:Gem::Version
|
89
|
-
version: '0'
|
90
|
-
type: :development
|
91
|
-
prerelease: false
|
92
|
-
version_requirements: !ruby/object:Gem::Requirement
|
93
|
-
requirements:
|
94
|
-
- - ">="
|
95
|
-
- !ruby/object:Gem::Version
|
96
|
-
version: '0'
|
97
|
-
- !ruby/object:Gem::Dependency
|
98
|
-
name: attr_encrypted
|
99
|
-
requirement: !ruby/object:Gem::Requirement
|
100
|
-
requirements:
|
101
|
-
- - ">="
|
102
|
-
- !ruby/object:Gem::Version
|
103
|
-
version: '0'
|
104
|
-
type: :development
|
105
|
-
prerelease: false
|
106
|
-
version_requirements: !ruby/object:Gem::Requirement
|
107
|
-
requirements:
|
108
|
-
- - ">="
|
109
|
-
- !ruby/object:Gem::Version
|
110
|
-
version: '0'
|
111
|
-
- !ruby/object:Gem::Dependency
|
112
|
-
name: lockbox
|
113
|
-
requirement: !ruby/object:Gem::Requirement
|
114
|
-
requirements:
|
115
|
-
- - ">="
|
116
|
-
- !ruby/object:Gem::Version
|
117
|
-
version: '0.2'
|
118
|
-
type: :development
|
119
|
-
prerelease: false
|
120
|
-
version_requirements: !ruby/object:Gem::Requirement
|
121
|
-
requirements:
|
122
|
-
- - ">="
|
123
|
-
- !ruby/object:Gem::Version
|
124
|
-
version: '0.2'
|
125
|
-
- !ruby/object:Gem::Dependency
|
126
|
-
name: aws-sdk-kms
|
127
|
-
requirement: !ruby/object:Gem::Requirement
|
128
|
-
requirements:
|
129
|
-
- - ">="
|
130
|
-
- !ruby/object:Gem::Version
|
131
|
-
version: '0'
|
132
|
-
type: :development
|
133
|
-
prerelease: false
|
134
|
-
version_requirements: !ruby/object:Gem::Requirement
|
135
|
-
requirements:
|
136
|
-
- - ">="
|
137
|
-
- !ruby/object:Gem::Version
|
138
|
-
version: '0'
|
139
|
-
- !ruby/object:Gem::Dependency
|
140
|
-
name: google-api-client
|
141
|
-
requirement: !ruby/object:Gem::Requirement
|
142
|
-
requirements:
|
143
|
-
- - ">="
|
144
|
-
- !ruby/object:Gem::Version
|
145
|
-
version: '0'
|
146
|
-
type: :development
|
147
|
-
prerelease: false
|
148
|
-
version_requirements: !ruby/object:Gem::Requirement
|
149
|
-
requirements:
|
150
|
-
- - ">="
|
151
|
-
- !ruby/object:Gem::Version
|
152
|
-
version: '0'
|
153
|
-
- !ruby/object:Gem::Dependency
|
154
|
-
name: vault
|
155
|
-
requirement: !ruby/object:Gem::Requirement
|
156
|
-
requirements:
|
157
|
-
- - ">="
|
158
|
-
- !ruby/object:Gem::Version
|
159
|
-
version: '0'
|
160
|
-
type: :development
|
161
|
-
prerelease: false
|
162
|
-
version_requirements: !ruby/object:Gem::Requirement
|
163
|
-
requirements:
|
164
|
-
- - ">="
|
165
|
-
- !ruby/object:Gem::Version
|
166
|
-
version: '0'
|
167
|
-
description:
|
168
|
-
email: andrew@chartkick.com
|
27
|
+
description:
|
28
|
+
email: andrew@ankane.org
|
169
29
|
executables: []
|
170
30
|
extensions: []
|
171
31
|
extra_rdoc_files: []
|
@@ -189,7 +49,7 @@ homepage: https://github.com/ankane/kms_encrypted
|
|
189
49
|
licenses:
|
190
50
|
- MIT
|
191
51
|
metadata: {}
|
192
|
-
post_install_message:
|
52
|
+
post_install_message:
|
193
53
|
rdoc_options: []
|
194
54
|
require_paths:
|
195
55
|
- lib
|
@@ -204,8 +64,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
204
64
|
- !ruby/object:Gem::Version
|
205
65
|
version: '0'
|
206
66
|
requirements: []
|
207
|
-
rubygems_version: 3.
|
208
|
-
signing_key:
|
67
|
+
rubygems_version: 3.2.3
|
68
|
+
signing_key:
|
209
69
|
specification_version: 4
|
210
70
|
summary: Simple, secure key management for Lockbox and attr_encrypted
|
211
71
|
test_files: []
|