RubyGems - kms_encrypted - Versions diffs - 0.1.4 → 0.2.0 - Mend

kms_encrypted 0.1.4 → 0.2.0

Files changed (11) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1e8f9ae8d4c6e01a94c6daa2ae422b57ce4bcec1
-  data.tar.gz: fe2ad3ac82398c643ae60c5a88830c6108864c1c
+  metadata.gz: 81d18dbb1dbaa5711a97eef2a4ece83fa44e2c2c
+  data.tar.gz: f7f8beede414a85f9ca399d8f499ff0f48b2bf53
 SHA512:
-  metadata.gz: aee2523daea0e3cc176606d845d94ed98ba8ca8a2a51beb90227c638e7d0f84e888639846d78585d446f5dae7371b41c5e98b603b50330423232c0e1e5fe1976
-  data.tar.gz: 841ec21de2384e5d062c6e3f69d3f4a12cabe8cb99f21f169d1bbb931191f21f9b42964dbb1d8f98015b349df931e41dfc0dcf958fc3cb736913918478de429b
+  metadata.gz: 3db72cc8666e461acedc3842829cc17e7ab0d32820eb9729e8fc1682dded9bed440f6d1201a28dacf5fdbcd350c6eaaa0035fe13274b37102a749cc8dd2c1a9f
+  data.tar.gz: 2964f2377c884927a6dc31ea1d48aa24d3e9ac6f4b70924da5fec5d05176bb98c715357f1d4032001b6f49485c63ddcf1550e4b5d271b05507e295bc6f52b9a4

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## 0.2.0
+- Added support for Google KMS
 ## 0.1.4
 - Added `kms_keys` method to models

data/LICENSE.txt ADDED Viewed

@@ -0,0 +1,22 @@
+Copyright (c) 2017 Andrew Kane
+MIT License
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md CHANGED Viewed

@@ -9,7 +9,9 @@ The attr_encrypted gem is great for encryption, but:
 3. Doesn’t have a great audit trail to see how data has been accessed
 4. Doesn’t let you grant encryption and decryption permission separately
-[KMS](https://aws.amazon.com/kms/) addresses all of these issues and it’s easy to use them together.
+Key management services address all of these issues and it’s easy to use them together.
+Supports [Amazon KMS](https://aws.amazon.com/kms/) and [Google KMS](https://cloud.google.com/kms/)
 [![Build Status](https://travis-ci.org/ankane/kms_encrypted.svg?branch=master)](https://travis-ci.org/ankane/kms_encrypted)
@@ -17,269 +19,20 @@ The attr_encrypted gem is great for encryption, but:
 This approach uses KMS to manage encryption keys and attr_encrypted to do the encryption.
-To encrypt an attribute, we first generate a [data key](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) from our KMS master key. KMS sends both encrypted and unencrypted versions of the data key. We pass the unencrypted version to attr_encrypted and store the encrypted version in the `encrypted_kms_key` column. For each record, we generate a different data key.
+To encrypt an attribute, we first generate a data key and encrypt it with KMS. This is known as [envelope encryption](https://cloud.google.com/kms/docs/envelope-encryption). We pass the unencrypted version to attr_encrypted and store the encrypted version in the `encrypted_kms_key` column. For each record, we generate a different data key.
 To decrypt an attribute, we first decrypt the data key with KMS. Once we have the decrypted key, we pass it to attr_encrypted to decrypt the data. We can easily track decryptions since we have a different data key for each record.
 ## Getting Started
-Add this line to your application’s Gemfile:
-```ruby
-gem 'kms_encrypted'
-```
-Add columns for the encrypted data and the encrypted KMS data keys
-```ruby
-add_column :users, :encrypted_email, :text
-add_column :users, :encrypted_email_iv, :text
-add_column :users, :encrypted_kms_key, :text
-```
-Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
-Create a [KMS master key](https://console.aws.amazon.com/iam/home#/encryptionKeys) and set it in your environment ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
-```sh
-KMS_KEY_ID=arn:aws:kms:...
-```
-You can also use the alias
-```sh
-KMS_KEY_ID=alias/my-alias
-```
-And update your model
-```ruby
-class User < ApplicationRecord
-  has_kms_key
-  attr_encrypted :email, key: :kms_key
-end
-```
-For each encrypted attribute, use the `kms_key` method for its key.
-## Auditing
-[AWS CloudTrail](https://aws.amazon.com/cloudtrail/) logs all decryption calls. However, to know what data is being decrypted, you’ll need to add context.
-Add a `kms_encryption_context` method to your model.
-```ruby
-class User < ApplicationRecord
-  def kms_encryption_context
-    # some hash
-  end
-end
-```
-The context is used as part of the encryption and decryption process, so it must be a value that doesn’t change. Otherwise, you won’t be able to decrypt. Read more about [encryption context here](http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
-The primary key is a good choice, but auto-generated ids aren’t available until a record is created, and we need to encrypt before this. One solution is to preload the primary key. Here’s what it looks like with Postgres:
-```ruby
-class User < ApplicationRecord
-  def kms_encryption_context
-    self.id ||= self.class.connection.execute("select nextval('#{self.class.sequence_name}')").first["nextval"]
-    {"Record" => "#{model_name}/#{id}"}
-  end
-end
-```
-[Amazon Athena](https://aws.amazon.com/athena/) is great for querying CloudTrail logs. Create a table (thanks to [this post](http://www.1strategy.com/blog/2017/07/25/auditing-aws-activity-with-cloudtrail-and-athena/) for the table structure) with:
-```sql
-CREATE EXTERNAL TABLE cloudtrail_logs (
-    eventversion STRING,
-    userIdentity STRUCT<
-        type:STRING,
-        principalid:STRING,
-        arn:STRING,
-        accountid:STRING,
-        invokedby:STRING,
-        accesskeyid:STRING,
-        userName:String,
-        sessioncontext:STRUCT<
-            attributes:STRUCT<
-                mfaauthenticated:STRING,
-                creationdate:STRING>,
-            sessionIssuer:STRUCT<
-                type:STRING,
-                principalId:STRING,
-                arn:STRING,
-                accountId:STRING,
-                userName:STRING>>>,
-    eventTime STRING,
-    eventSource STRING,
-    eventName STRING,
-    awsRegion STRING,
-    sourceIpAddress STRING,
-    userAgent STRING,
-    errorCode STRING,
-    errorMessage STRING,
-    requestId  STRING,
-    eventId  STRING,
-    resources ARRAY<STRUCT<
-        ARN:STRING,
-        accountId:STRING,
-        type:STRING>>,
-    eventType STRING,
-    apiVersion  STRING,
-    readOnly BOOLEAN,
-    recipientAccountId STRING,
-    sharedEventID STRING,
-    vpcEndpointId STRING,
-    requestParameters STRING,
-    responseElements STRING,
-    additionalEventData STRING,
-    serviceEventDetails STRING
-)
-ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
-STORED  AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
-OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
-LOCATION  's3://my-cloudtrail-logs/'
-```
-Change the last line to point to your CloudTrail log bucket and query away
-```sql
-SELECT
-    eventTime,
-    userIdentity.userName,
-    requestParameters
-FROM
-    cloudtrail_logs
-WHERE
-    eventName = 'Decrypt'
-    AND resources[1].arn = 'arn:aws:kms:...'
-ORDER BY 1
-```
-There will also be `GenerateDataKey` events.
-## Alerting
-We recommend setting up alerts on suspicious behavior.
-## Key Rotation
-KMS supports [automatic key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). No action is required in this case.
-To manually rotate keys, replace the old KMS key id with the new key id in your model. Your app does not need the old key id to perform rotation (however, the key must still be enabled in your AWS account).
-```sh
-KMS_KEY_ID=arn:aws:kms:...
-```
-and run
-```ruby
-User.find_each do |user|
-  user.rotate_kms_key!
-end
-```
-## IAM Permissions
-A great feature of KMS is the ability to grant encryption and decryption permission separately.
-To encrypt the data, use a policy with:
-```json
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "EncryptData",
-            "Effect": "Allow",
-            "Action": "kms:GenerateDataKey",
-            "Resource": "arn:aws:kms:..."
-        }
-    ]
-}
-```
-If a system can only encrypt, you must clear out existing data and data keys before updates.
-```ruby
-user.encrypted_email = nil
-user.encrypted_kms_key = nil
-# before user.save or user.update
-```
-To decrypt the data, use a policy with:
-```json
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "DecryptData",
-            "Effect": "Allow",
-            "Action": "kms:Decrypt",
-            "Resource": "arn:aws:kms:..."
-        }
-    ]
-}
-```
-Be extremely selective of systems you allow to decrypt.
-## Testing
-For testing, you can prevent network calls to KMS by setting:
-```sh
-KMS_KEY_ID=insecure-test-key
-```
-## Multiple Keys Per Record
-You may want to protect different columns with different data keys (or even master keys).
-To do this, add more columns
-```ruby
-add_column :users, :encrypted_phone, :text
-add_column :users, :encrypted_phone_iv, :text
-add_column :users, :encrypted_kms_key_phone, :text
-```
-And update your model
-```ruby
-class User < ApplicationRecord
-  has_kms_key
-  has_kms_key name: :phone, key_id: "..."
-  attr_encrypted :email, key: :kms_key
-  attr_encrypted :phone, key: :kms_key_phone
-end
-```
-For context, use:
-```ruby
-class User < ApplicationRecord
-  def kms_encryption_context_phone
-    # some hash
-  end
-end
-```
-To rotate keys, use:
+Follow the instructions for your key management service:
-```ruby
-user.rotate_kms_key_phone!
-```
+- [Amazon KMS](guides/Amazon.md)
+- [Google KMS](guides/Google.md)
 ## History
-View the [changelog](https://github.com/ankane/kms_encrypted/blob/master/CHANGELOG.md)
+View the [changelog](CHANGELOG.md)
 ## Contributing

data/guides/Amazon.md ADDED Viewed

@@ -0,0 +1,262 @@
+# Amazon KMS
+Add this line to your application’s Gemfile:
+```ruby
+gem 'aws-sdk-kms'
+gem 'kms_encrypted'
+```
+Add columns for the encrypted data and the encrypted KMS data keys
+```ruby
+add_column :users, :encrypted_email, :text
+add_column :users, :encrypted_email_iv, :text
+add_column :users, :encrypted_kms_key, :text
+```
+Create an [Amazon Web Services](https://aws.amazon.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on AWS.
+Create a [KMS master key](https://console.aws.amazon.com/iam/home#/encryptionKeys) and set it in your environment along with your AWS credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
+```sh
+KMS_KEY_ID=arn:aws:kms:...
+AWS_ACCESS_KEY_ID=...
+AWS_SECRET_ACCESS_KEY=...
+```
+You can also use the alias
+```sh
+KMS_KEY_ID=alias/my-alias
+```
+And update your model
+```ruby
+class User < ApplicationRecord
+  has_kms_key
+  attr_encrypted :email, key: :kms_key
+end
+```
+For each encrypted attribute, use the `kms_key` method for its key.
+## Auditing
+[AWS CloudTrail](https://aws.amazon.com/cloudtrail/) logs all decryption calls. However, to know what data is being decrypted, you’ll need to add context.
+Add a `kms_encryption_context` method to your model.
+```ruby
+class User < ApplicationRecord
+  def kms_encryption_context
+    # some hash
+  end
+end
+```
+The context is used as part of the encryption and decryption process, so it must be a value that doesn’t change. Otherwise, you won’t be able to decrypt. Read more about [encryption context here](http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html).
+The primary key is a good choice, but auto-generated ids aren’t available until a record is created, and we need to encrypt before this. One solution is to preload the primary key. Here’s what it looks like with Postgres:
+```ruby
+class User < ApplicationRecord
+  def kms_encryption_context
+    self.id ||= self.class.connection.execute("select nextval('#{self.class.sequence_name}')").first["nextval"]
+    {"Record" => "#{model_name}/#{id}"}
+  end
+end
+```
+[Amazon Athena](https://aws.amazon.com/athena/) is great for querying CloudTrail logs. Create a table (thanks to [this post](http://www.1strategy.com/blog/2017/07/25/auditing-aws-activity-with-cloudtrail-and-athena/) for the table structure) with:
+```sql
+CREATE EXTERNAL TABLE cloudtrail_logs (
+    eventversion STRING,
+    userIdentity STRUCT<
+        type:STRING,
+        principalid:STRING,
+        arn:STRING,
+        accountid:STRING,
+        invokedby:STRING,
+        accesskeyid:STRING,
+        userName:String,
+        sessioncontext:STRUCT<
+            attributes:STRUCT<
+                mfaauthenticated:STRING,
+                creationdate:STRING>,
+            sessionIssuer:STRUCT<
+                type:STRING,
+                principalId:STRING,
+                arn:STRING,
+                accountId:STRING,
+                userName:STRING>>>,
+    eventTime STRING,
+    eventSource STRING,
+    eventName STRING,
+    awsRegion STRING,
+    sourceIpAddress STRING,
+    userAgent STRING,
+    errorCode STRING,
+    errorMessage STRING,
+    requestId  STRING,
+    eventId  STRING,
+    resources ARRAY<STRUCT<
+        ARN:STRING,
+        accountId:STRING,
+        type:STRING>>,
+    eventType STRING,
+    apiVersion  STRING,
+    readOnly BOOLEAN,
+    recipientAccountId STRING,
+    sharedEventID STRING,
+    vpcEndpointId STRING,
+    requestParameters STRING,
+    responseElements STRING,
+    additionalEventData STRING,
+    serviceEventDetails STRING
+)
+ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
+STORED  AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
+OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
+LOCATION  's3://my-cloudtrail-logs/'
+```
+Change the last line to point to your CloudTrail log bucket and query away
+```sql
+SELECT
+    eventTime,
+    userIdentity.userName,
+    requestParameters
+FROM
+    cloudtrail_logs
+WHERE
+    eventName = 'Decrypt'
+    AND resources[1].arn = 'arn:aws:kms:...'
+ORDER BY 1
+```
+There will also be `GenerateDataKey` events.
+## Alerting
+We recommend setting up alerts on suspicious behavior.
+## Key Rotation
+KMS supports [automatic key rotation](http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). No action is required in this case.
+To manually rotate keys, replace the old KMS key id with the new key id in your model. Your app does not need the old key id to perform rotation (however, the key must still be enabled in your AWS account).
+```sh
+KMS_KEY_ID=arn:aws:kms:...
+```
+and run
+```ruby
+User.find_each do |user|
+  user.rotate_kms_key!
+end
+```
+## IAM Permissions
+A great feature of KMS is the ability to grant encryption and decryption permission separately.
+To encrypt the data, use a policy with:
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "EncryptData",
+            "Effect": "Allow",
+            "Action": "kms:GenerateDataKey",
+            "Resource": "arn:aws:kms:..."
+        }
+    ]
+}
+```
+If a system can only encrypt, you must clear out existing data and data keys before updates.
+```ruby
+user.encrypted_email = nil
+user.encrypted_kms_key = nil
+# before user.save or user.update
+```
+To decrypt the data, use a policy with:
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DecryptData",
+            "Effect": "Allow",
+            "Action": "kms:Decrypt",
+            "Resource": "arn:aws:kms:..."
+        }
+    ]
+}
+```
+Be extremely selective of systems you allow to decrypt.
+## Testing
+For testing, you can prevent network calls to KMS by setting:
+```sh
+KMS_KEY_ID=insecure-test-key
+```
+## Multiple Keys Per Record
+You may want to protect different columns with different data keys (or even master keys).
+To do this, add more columns
+```ruby
+add_column :users, :encrypted_phone, :text
+add_column :users, :encrypted_phone_iv, :text
+add_column :users, :encrypted_kms_key_phone, :text
+```
+And update your model
+```ruby
+class User < ApplicationRecord
+  has_kms_key
+  has_kms_key name: :phone, key_id: "..."
+  attr_encrypted :email, key: :kms_key
+  attr_encrypted :phone, key: :kms_key_phone
+end
+```
+For context, use:
+```ruby
+class User < ApplicationRecord
+  def kms_encryption_context_phone
+    # some hash
+  end
+end
+```
+To rotate keys, use:
+```ruby
+user.rotate_kms_key_phone!
+```
+## File Uploads
+While outside the scope of this gem, you can also use KMS for sensitive file uploads. Check out [this guide](https://github.com/ankane/shorts/blob/master/AWS-Client-Side-Encryption.md) to learn more.

data/guides/Google.md ADDED Viewed

@@ -0,0 +1,131 @@
+# Google KMS
+Add this line to your application’s Gemfile:
+```ruby
+gem 'google-api-client'
+gem 'kms_encrypted', github: 'ankane/kms_encrypted'
+```
+Add columns for the encrypted data and the encrypted KMS data keys
+```ruby
+add_column :users, :encrypted_email, :text
+add_column :users, :encrypted_email_iv, :text
+add_column :users, :encrypted_kms_key, :text
+```
+Create a [Google Cloud Platform](https://cloud.google.com/) account if you don’t have one. KMS works great whether or not you run your infrastructure on GCP.
+Create a [KMS key ring and key](https://console.cloud.google.com/iam-admin/kms) and set it in your environment along with your GCP credentials ([dotenv](https://github.com/bkeepers/dotenv) is great for this)
+```sh
+KMS_KEY_ID=projects/.../locations/.../keyRings/.../cryptoKeys/...
+```
+And update your model
+```ruby
+class User < ApplicationRecord
+  has_kms_key
+  attr_encrypted :email, key: :kms_key
+end
+```
+For each encrypted attribute, use the `kms_key` method for its key.
+## Auditing
+Follow the [instructions here](https://cloud.google.com/kms/docs/logging) to set up data access logging. To know what data is being decrypted, you’ll need to add context.
+Add a `kms_encryption_context` method to your model.
+```ruby
+class User < ApplicationRecord
+  def kms_encryption_context
+    # some hash
+  end
+end
+```
+The context is used as part of the encryption and decryption process, so it must be a value that doesn’t change. Otherwise, you won’t be able to decrypt.
+The primary key is a good choice, but auto-generated ids aren’t available until a record is created, and we need to encrypt before this. One solution is to preload the primary key. Here’s what it looks like with Postgres:
+```ruby
+class User < ApplicationRecord
+  def kms_encryption_context
+    self.id ||= self.class.connection.execute("select nextval('#{self.class.sequence_name}')").first["nextval"]
+    {"Record" => "#{model_name}/#{id}"}
+  end
+end
+```
+## Alerting
+We recommend setting up alerts on suspicious behavior.
+## Key Rotation
+To manually rotate keys, replace the old key id with the new key id in your model. Your app does not need the old key id to perform rotation (however, the key must still be enabled in your GCP account).
+```sh
+KMS_KEY_ID=...
+```
+and run
+```ruby
+User.find_each do |user|
+  user.rotate_kms_key!
+end
+```
+## Testing
+For testing, you can prevent network calls to KMS by setting:
+```sh
+KMS_KEY_ID=insecure-test-key
+```
+## Multiple Keys Per Record
+You may want to protect different columns with different data keys (or even master keys).
+To do this, add more columns
+```ruby
+add_column :users, :encrypted_phone, :text
+add_column :users, :encrypted_phone_iv, :text
+add_column :users, :encrypted_kms_key_phone, :text
+```
+And update your model
+```ruby
+class User < ApplicationRecord
+  has_kms_key
+  has_kms_key name: :phone, key_id: "..."
+  attr_encrypted :email, key: :kms_key
+  attr_encrypted :phone, key: :kms_key_phone
+end
+```
+For context, use:
+```ruby
+class User < ApplicationRecord
+  def kms_encryption_context_phone
+    # some hash
+  end
+end
+```
+To rotate keys, use:
+```ruby
+user.rotate_kms_key_phone!
+```

data/kms_encrypted.gemspec CHANGED Viewed

@@ -11,6 +11,7 @@ Gem::Specification.new do |spec|
   spec.summary       = "Simple, secure key management for attr_encrypted"
   spec.homepage      = "https://github.com/ankane/kms_encrypted"
+  spec.license       = "MIT"
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
@@ -19,7 +20,6 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_dependency "aws-sdk-kms"
   spec.add_dependency "activesupport"
   spec.add_development_dependency "bundler"
@@ -28,4 +28,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "sqlite3"
   spec.add_development_dependency "activerecord"
   spec.add_development_dependency "attr_encrypted"
+  spec.add_development_dependency "aws-sdk-kms"
+  spec.add_development_dependency "google-api-client"
 end

data/lib/kms_encrypted.rb CHANGED Viewed

@@ -1,6 +1,23 @@
 # dependencies
 require "active_support"
-require "aws-sdk-kms"
+begin
+  # aws-sdk v3
+  require "aws-sdk-kms"
+rescue LoadError
+  begin
+    # aws-sdk v2
+    require "aws-sdk"
+  rescue LoadError
+    # do nothing
+  end
+end
+begin
+  require "google/apis/cloudkms_v1"
+rescue LoadError
+  # do nothing
+end
 # modules
 require "kms_encrypted/log_subscriber"
@@ -32,6 +49,22 @@ module KmsEncrypted
     http_open_timeout: 2,
     http_read_timeout: 2
   }
+  module Google
+    class << self
+      attr_writer :kms_client
+      def kms_client
+        @kms_client ||= begin
+          client = ::Google::Apis::CloudkmsV1::CloudKMSService.new
+          client.authorization = ::Google::Auth.get_application_default(
+            "https://www.googleapis.com/auth/cloud-platform"
+          )
+          client
+        end
+      end
+    end
+  end
 end
 ActiveSupport.on_load(:active_record) do

data/lib/kms_encrypted/model.rb CHANGED Viewed

@@ -46,16 +46,35 @@ module KmsEncrypted
               }
               ActiveSupport::Notifications.instrument("generate_data_key.kms_encrypted", event) do
                 if key_id == "insecure-test-key"
-                  encrypted_key = "insecure-data-key-#{rand(1_000_000_000_000)}"
                   plaintext_key = "00000000000000000000000000000000"
+                  encrypted_key = "insecure-data-key-#{rand(1_000_000_000_000)}"
+                elsif key_id.start_with?("projects/")
+                  # generate random AES-256 key
+                  plaintext_key = OpenSSL::Random.random_bytes(32)
+                  # encrypt it
+                  request = ::Google::Apis::CloudkmsV1::EncryptRequest.new(
+                    plaintext: plaintext_key,
+                    additional_authenticated_data: context.to_json
+                  )
+                  response = KmsEncrypted::Google.kms_client.encrypt_crypto_key(key_id, request)
+                  key_version = response.name
+                  # shorten key to save space
+                  short_key_id = Base64.encode64(key_version.split("/").select.with_index { |p, i| i.odd? }.join("/"))
+                  # build encrypted key
+                  # we reference the key in the field for easy rotation
+                  encrypted_key = "$gc$#{short_key_id}$#{[response.ciphertext].pack(default_encoding)}"
                 else
+                  # generate data key from API
                   resp = KmsEncrypted.kms_client.generate_data_key(
                     key_id: key_id,
                     encryption_context: context,
                     key_spec: "AES_256"
                   )
-                  encrypted_key = [resp.ciphertext_blob].pack(default_encoding)
                   plaintext_key = resp.plaintext
+                  encrypted_key = [resp.ciphertext_blob].pack(default_encoding)
                 end
               end
@@ -72,8 +91,24 @@ module KmsEncrypted
                 context: context
               }
               ActiveSupport::Notifications.instrument("decrypt_data_key.kms_encrypted", event) do
-                if key_id == "insecure-test-key"
+                if encrypted_key.start_with?("insecure-data-key-")
                   plaintext_key = "00000000000000000000000000000000"
+                elsif encrypted_key.start_with?("$gc$")
+                  _, _, short_key_id, ciphertext = encrypted_key.split("$", 4)
+                  # restore key, except for cryptoKeyVersion
+                  stored_key_id = Base64.decode64(short_key_id).split("/")[0..3]
+                  stored_key_id.insert(0, "projects")
+                  stored_key_id.insert(2, "locations")
+                  stored_key_id.insert(4, "keyRings")
+                  stored_key_id.insert(6, "cryptoKeys")
+                  stored_key_id = stored_key_id.join("/")
+                  request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(
+                    ciphertext: ciphertext.unpack(default_encoding).first,
+                    additional_authenticated_data: context.to_json
+                  )
+                  plaintext_key = KmsEncrypted::Google.kms_client.decrypt_crypto_key(stored_key_id, request).plaintext
                 else
                   plaintext_key = KmsEncrypted.kms_client.decrypt(
                     ciphertext_blob: encrypted_key.unpack(default_encoding).first,

data/lib/kms_encrypted/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module KmsEncrypted
-  VERSION = "0.1.4"
+  VERSION = "0.2.0"
 end

metadata CHANGED Viewed

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: kms_encrypted
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.2.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-12-04 00:00:00.000000000 Z
+date: 2018-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-kms
+  name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -25,13 +25,13 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: activesupport
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -39,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,7 +53,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -67,7 +67,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest
+  name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -81,7 +81,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -95,7 +95,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: activerecord
+  name: attr_encrypted
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -109,7 +109,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: attr_encrypted
+  name: aws-sdk-kms
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: google-api-client
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -133,15 +147,19 @@ files:
 - ".travis.yml"
 - CHANGELOG.md
 - Gemfile
+- LICENSE.txt
 - README.md
 - Rakefile
+- guides/Amazon.md
+- guides/Google.md
 - kms_encrypted.gemspec
 - lib/kms_encrypted.rb
 - lib/kms_encrypted/log_subscriber.rb
 - lib/kms_encrypted/model.rb
 - lib/kms_encrypted/version.rb
 homepage: https://github.com/ankane/kms_encrypted
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message:
 rdoc_options: []