kms_encrypted 1.6.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 976b11beef2b23b84bfd0b3d55571594c98ab2c94cb36298e76e36bee216e50d
-  data.tar.gz: 1759acc732572f8dec16f33ce08d9d3ec20236fcc32e8607befab633ded7c08c
+  metadata.gz: ff4007985837815789e565e18c75fa56cf140d9fe80de15116da853f9ac97b8a
+  data.tar.gz: d7107117b2b91d20e30bb3fae1ccb56f1c488b47e9be336db43dd76bef62c92d
 SHA512:
-  metadata.gz: 809e313c6f24df49ba7393d17a3f72e033d3f73de06c2d19091227a631e4c973d2efdd2f5f5e34497dee1e2737608b79691410a9841cd8bc87a76fbb726ff505
-  data.tar.gz: d9cff0a3c98c637198d1f4e4524922d304f87f7913c60c9eae98c49f07f03a7a88d59a1f5b24c7da5c8b198ccdb9ef28742bc066b10b1e46ddc9612189a02661
+  metadata.gz: 36c756e49dabdce4f82b48d75bef9fceb8fbb91c2fc90b6137f9869d61d113464a9e10ff3db0ccd24a882b1746c19821113d64b23f3a9b5f27ecdd36f3c980c2
+  data.tar.gz: 94140b294489883bbb558a0f15d15c170193398ea0b629d7bf45d606b7de227d43afa6822c08490b388c8d4869016a009b58bc4f7ef1cd10c83ceffe9347e803

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 1.8.0 (2025-10-16)
+
+- Added `client` option
+- Dropped support for Rails < 7.2
+
+## 1.7.0 (2025-04-03)
+
+- Dropped support for Ruby < 3.2 and Rails < 7.1
+
 ## 1.6.0 (2024-06-24)
 
 - Dropped support for Ruby < 3.1 and Rails < 6.1

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2017-2024 Andrew Kane
+Copyright (c) 2017-2025 Andrew Kane
 
 MIT License
 

data/README.md

@@ -10,7 +10,7 @@ With KMS Encrypted:
 - Decryption can be disabled if an attack is detected
 - It’s easy to rotate keys
 
-Supports [AWS KMS](https://aws.amazon.com/kms/), [Google Cloud KMS](https://cloud.google.com/kms/), and [Vault](https://www.vaultproject.io/)
+Supports [AWS KMS](https://aws.amazon.com/kms/), [Google Cloud KMS](https://cloud.google.com/kms/), [Vault](https://developer.hashicorp.com/vault), and [OpenBao](https://openbao.org/)
 
 Check out [this post](https://ankane.org/sensitive-data-rails) for more info on securing sensitive data with Rails
 
@@ -36,7 +36,7 @@ And follow the instructions for your key management service:
 
 - [AWS KMS](#aws-kms)
 - [Google Cloud KMS](#google-cloud-kms)
-- [Vault](#vault)
+- [Vault and OpenBao](#vault-and-openbao)
 
 ### AWS KMS
 
@@ -78,7 +78,7 @@ Create a [KMS key ring and key](https://console.cloud.google.com/iam-admin/kms)
 KMS_KEY_ID=projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key
 ```
 
-### Vault
+### Vault and OpenBao
 
 Add this line to your application’s Gemfile:
 
@@ -86,19 +86,23 @@ Add this line to your application’s Gemfile:
 gem "vault"
 ```
 
-Enable the [transit](https://www.vaultproject.io/docs/secrets/transit/index.html) secrets engine
+Enable the transit secrets engine for [Vault](https://developer.hashicorp.com/vault/docs/secrets/transit) or [OpenBao](https://openbao.org/docs/secrets/transit/)
 
 ```sh
 vault secrets enable transit
+# or
+bao secrets enable transit
 ```
 
 And create a key
 
 ```sh
 vault write -f transit/keys/my-key derived=true
+# or
+bao write -f transit/keys/my-key derived=true
 ```
 
-Set it in your environment along with your Vault credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
+Set it in your environment along with your credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
 
 ```sh
 KMS_KEY_ID=vault/my-key
@@ -218,11 +222,11 @@ You should also use other tools to detect breaches, like an [IDS](https://www.al
 
 Follow the [instructions here](https://cloud.google.com/kms/docs/logging) to set up data access logging. There is not currently a way to see what data is being decrypted, since the additional authenticated data is not logged. For this reason, we recommend another KMS provider.
 
-### Vault
+### Vault and OpenBao
 
-Follow the [instructions here](https://www.vaultproject.io/docs/audit/) to set up data access logging.
+Follow the instructions for [Vault](https://developer.hashicorp.com/vault/docs/audit) or [OpenBao](https://openbao.org/docs/audit/) to set up data access logging.
 
-**Note:** Vault will only verify this value if `derived` was set to true when creating the key. If this is not done, the context cannot be trusted.
+**Note:** Vault and OpenBao will only verify this value if `derived` was set to true when creating the key. If this is not done, the context cannot be trusted.
 
 Context will show up hashed in the audit logs. To get the hash for a record, use:
 
@@ -289,7 +293,7 @@ To decrypt the data, use an IAM policy with:
 
 todo: document
 
-### Vault
+### Vault and OpenBao
 
 To encrypt the data, use a policy with:
 
@@ -313,12 +317,16 @@ Apply a policy with:
 
 ```sh
 vault policy write encrypt encrypt.hcl
+# or
+bao policy write encrypt encrypt.hcl
 ```
 
 And create a token with specific policies with:
 
 ```sh
 vault token create -policy=encrypt -policy=decrypt -no-default-policy
+# or
+bao token create -policy=encrypt -policy=decrypt -no-default-policy
 ```
 
 ## Testing
@@ -341,11 +349,8 @@ Key management services allow you to rotate the master key without any code chan
 
 - For AWS KMS, you can use [automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
 - For Google Cloud, use the Google Cloud Console or API
-- For Vault, use:
-
-```sh
-vault write -f transit/keys/my-key/rotate
-```
+- For Vault, use `vault write -f transit/keys/my-key/rotate`
+- For OpenBao, use `bao write -f transit/keys/my-key/rotate`
 
 New data will be encrypted with the new master key version. To encrypt existing data with new master key version, run:
 

data/lib/kms_encrypted/box.rb

@@ -1,17 +1,18 @@
 module KmsEncrypted
   class Box
-    attr_reader :key_id, :version, :previous_versions
+    attr_reader :key_id, :version, :previous_versions, :client
 
-    def initialize(key_id: nil, version: nil, previous_versions: nil)
+    def initialize(key_id: nil, version: nil, previous_versions: nil, client: nil)
       @key_id = key_id || KmsEncrypted.key_id
       @version = version || 1
       @previous_versions = previous_versions || {}
+      @client = client
     end
 
     def encrypt(plaintext, context: nil)
       context = version_context(context, version)
       key_id = version_key_id(version)
-      ciphertext = KmsEncrypted::Client.new(key_id: key_id, data_key: true).encrypt(plaintext, context: context)
+      ciphertext = KmsEncrypted::Client.new(key_id: key_id, data_key: true, client: client).encrypt(plaintext, context: context)
       "v#{version}:#{encode64(ciphertext)}"
     end
 
@@ -43,11 +44,13 @@ module KmsEncrypted
       key_id ||= version_key_id(version)
       ciphertext = decode64(ciphertext)
       context = version_context(context, version)
+      client = version_client(version)
 
       KmsEncrypted::Client.new(
         key_id: key_id,
         data_key: true,
-        legacy_context: legacy_context
+        legacy_context: legacy_context,
+        client: client
       ).decrypt(ciphertext, context: context)
     end
 
@@ -68,6 +71,10 @@ module KmsEncrypted
       key_id
     end
 
+    def version_client(version)
+      previous_versions.dig(version, :client) || self.client
+    end
+
     def version_context(context, version)
       if context.respond_to?(:call)
         if context.arity == 0

data/lib/kms_encrypted/client.rb

@@ -2,10 +2,11 @@ module KmsEncrypted
   class Client
     attr_reader :key_id, :data_key
 
-    def initialize(key_id: nil, legacy_context: false, data_key: false)
+    def initialize(key_id: nil, legacy_context: false, data_key: false, client: nil)
       @key_id = key_id || KmsEncrypted.key_id
       @legacy_context = legacy_context
       @data_key = data_key
+      @service_client = client
     end
 
     def encrypt(plaintext, context: nil)
@@ -60,7 +61,7 @@ module KmsEncrypted
             KmsEncrypted::Clients::Aws
           end
 
-        klass.new(key_id: key_id, legacy_context: @legacy_context)
+        klass.new(key_id: key_id, legacy_context: @legacy_context, client: @service_client)
       end
     end
   end

data/lib/kms_encrypted/clients/aws.rb

@@ -8,7 +8,7 @@ module KmsEncrypted
         }
         options[:encryption_context] = generate_context(context) if context
 
-        KmsEncrypted.aws_client.encrypt(options).ciphertext_blob
+        client.encrypt(options).ciphertext_blob
       end
 
       def decrypt(ciphertext, context: nil)
@@ -18,7 +18,7 @@ module KmsEncrypted
         options[:encryption_context] = generate_context(context) if context
 
         begin
-          KmsEncrypted.aws_client.decrypt(options).plaintext
+          client.decrypt(options).plaintext
         rescue ::Aws::KMS::Errors::InvalidCiphertextException
           decryption_failed!
         end
@@ -26,6 +26,10 @@ module KmsEncrypted
 
       private
 
+      def client
+        @client ||= KmsEncrypted.aws_client
+      end
+
       # make integers strings for convenience
       def generate_context(context)
         raise ArgumentError, "Context must be a hash" unless context.is_a?(Hash)

data/lib/kms_encrypted/clients/base.rb

@@ -3,9 +3,10 @@ module KmsEncrypted
     class Base
       attr_reader :key_id
 
-      def initialize(key_id: nil, legacy_context: false)
+      def initialize(key_id: nil, legacy_context: false, client: nil)
         @key_id = key_id
         @legacy_context = legacy_context
+        @client = client
       end
 
       protected

data/lib/kms_encrypted/clients/google.rb

@@ -10,9 +10,9 @@ module KmsEncrypted
         options[:additional_authenticated_data] = generate_context(context) if context
 
         # ensure namespace gets loaded
-        client = KmsEncrypted.google_client
+        client = self.client
 
-        if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
+        if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
           request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(**options)
           response = client.encrypt_crypto_key(key_id, request)
           @last_key_version = response.name
@@ -32,9 +32,9 @@ module KmsEncrypted
         options[:additional_authenticated_data] = generate_context(context) if context
 
         # ensure namespace gets loaded
-        client = KmsEncrypted.google_client
+        client = self.client
 
-        if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && KmsEncrypted.google_client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
+        if defined?(::Google::Apis::CloudkmsV1::CloudKMSService) && client.is_a?(::Google::Apis::CloudkmsV1::CloudKMSService)
           request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(**options)
           begin
             client.decrypt_crypto_key(key_id, request).plaintext
@@ -52,6 +52,12 @@ module KmsEncrypted
           end
         end
       end
+
+      private
+
+      def client
+        @client ||= KmsEncrypted.google_client
+      end
     end
   end
 end

data/lib/kms_encrypted/clients/vault.rb

@@ -7,7 +7,7 @@ module KmsEncrypted
         }
         options[:context] = generate_context(context) if context
 
-        response = KmsEncrypted.vault_client.logical.write(
+        response = client.logical.write(
           "transit/encrypt/#{key_id.sub("vault/", "")}",
           options
         )
@@ -23,7 +23,7 @@ module KmsEncrypted
 
         response =
           begin
-            KmsEncrypted.vault_client.logical.write(
+            client.logical.write(
               "transit/decrypt/#{key_id.sub("vault/", "")}",
               options
             )
@@ -42,6 +42,10 @@ module KmsEncrypted
 
       private
 
+      def client
+        @client ||= KmsEncrypted.vault_client
+      end
+
       # turn hash into json
       def generate_context(context)
         Base64.encode64(super)

data/lib/kms_encrypted/database.rb

@@ -20,6 +20,10 @@ module KmsEncrypted
       @previous_versions ||= evaluate_option(:previous_versions)
     end
 
+    def client
+      @client ||= evaluate_option(:client)
+    end
+
     def context(version)
       name = options[:name]
       context_method = name ? "kms_encryption_context_#{name}" : "kms_encryption_context"
@@ -36,7 +40,8 @@ module KmsEncrypted
       KmsEncrypted::Box.new(
         key_id: key_id,
         version: version,
-        previous_versions: previous_versions
+        previous_versions: previous_versions,
+        client: client
       ).encrypt(plaintext, context: context)
     end
 
@@ -49,7 +54,8 @@ module KmsEncrypted
       KmsEncrypted::Box.new(
         key_id: key_id,
         version: version,
-        previous_versions: previous_versions
+        previous_versions: previous_versions,
+        client: client
       ).decrypt(ciphertext, context: context)
     end
 

data/lib/kms_encrypted/model.rb

@@ -1,6 +1,6 @@
 module KmsEncrypted
   module Model
-    def has_kms_key(name: nil, key_id: nil, eager_encrypt: false, version: 1, previous_versions: nil, upgrade_context: false)
+    def has_kms_key(name: nil, key_id: nil, eager_encrypt: false, version: 1, previous_versions: nil, upgrade_context: false, client: nil)
       key_id ||= KmsEncrypted.key_id
 
       key_method = name ? "kms_key_#{name}" : "kms_key"
@@ -28,7 +28,8 @@ module KmsEncrypted
           name: name,
           version: version,
           previous_versions: previous_versions,
-          upgrade_context: upgrade_context
+          upgrade_context: upgrade_context,
+          client: client
         }
 
         if @kms_keys.size == 1
@@ -81,8 +82,12 @@ module KmsEncrypted
                 key = SecureRandom.random_bytes(32)
 
                 if eager_encrypt == :fetch_id
-                  raise ArgumentError, ":fetch_id only works with Postgres" unless self.class.connection.adapter_name.match?(/postg/i)
-                  self.id ||= self.class.connection.execute("select nextval('#{self.class.sequence_name}')").first["nextval"]
+                  unless self.class.connection_db_config.adapter.to_s.match?(/postg/i)
+                    raise ArgumentError, ":fetch_id only works with Postgres"
+                  end
+
+                  sequence_name = self.class.sequence_name
+                  self.id ||= self.class.connection_pool.with_connection { |c| c.execute("select nextval('#{sequence_name}')").first["nextval"] }
                 end
 
                 if eager_encrypt == true || ([:try, :fetch_id].include?(eager_encrypt) && id)

data/lib/kms_encrypted/version.rb

@@ -1,3 +1,3 @@
 module KmsEncrypted
-  VERSION = "1.6.0"
+  VERSION = "1.8.0"
 end

data/lib/kms_encrypted.rb

@@ -1,6 +1,8 @@
 # dependencies
 require "active_support"
 require "base64"
+
+# stdlib
 require "json"
 require "securerandom"
 

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: kms_encrypted
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Andrew Kane
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-24 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,15 +15,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6.1'
-description:
+        version: '7.2'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 email: andrew@ankane.org
 executables: []
 extensions: []
@@ -49,7 +61,6 @@ homepage: https://github.com/ankane/kms_encrypted
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -57,15 +68,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.1'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Simple, secure key management for Lockbox and attr_encrypted
 test_files: []