lockbox 0.3.6 → 0.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9d220724fb1331a7a9fdda8fdd073de62c19f601b2d15173a5fe22046e51071d
-  data.tar.gz: 9f144deb1211bd79d49f5eb2dccee29b25a2ea8869aadadad92ebda825012c00
+  metadata.gz: c072d4c6e5935ff9e176c0fc705c0e36228da4b1fc530a7eaf0249db57c71ddc
+  data.tar.gz: a0d293cb80ea7050deeccd039b5e0be01d51c09577181c1d9bf9df8a520764ac
 SHA512:
-  metadata.gz: 31492e71cafb170205944089f047269302249a5ba03f23533d302b45f45fc770ee221eb56af50f47c39ac44d980f8886ff0aa3cd50ed9dcc018638859ac06ace
-  data.tar.gz: 69faba8f29dca9c7b85c3e5d7905db625d96105b2ae74a61b0a3cd7094cbcea437caf909a731346ac53607f8624ec27b1b9d58bb44f80f294028c07ab813e938
+  metadata.gz: a46270931d8c21b25090be9d1825259e872eae678ba1d1df6ca7898f0e678f81edc2f590a4338502631686be3a7b2911e736c58d9704354918b707dbaafdba41
+  data.tar.gz: 7bd511b855d777da969ea03aa14d7ce336a9c96670f01ac3e20424bb6fe039d43f183e561a33acb5e320ac2b8230aae287d608c292c68c4a91b605dd2be0cdb9

data/CHANGELOG.md

@@ -1,3 +1,29 @@
+## 0.4.3 (2020-05-26)
+
+- Improved error message for bad key length
+- Fixed missing attribute error
+
+## 0.4.2 (2020-05-11)
+
+- Added experimental support for migrating Active Storage files
+- Fixed `metadata` support for Active Storage
+
+## 0.4.1 (2020-05-08)
+
+- Added support for Action Text
+- Added warning if unencrypted column exists and not migrating
+
+## 0.4.0 (2020-05-03)
+
+- Load encrypted attributes when `attributes` called
+- Added support for migrating and rotating relations
+- Removed deprecated `attached_encrypted` method
+- Removed legacy `attr_encrypted` encryptor
+
+## 0.3.7 (2020-04-20)
+
+- Added Active Support notifications for Active Storage and Carrierwave
+
 ## 0.3.6 (2020-04-19)
 
 - Fixed content type detection for Active Storage and CarrierWave

data/README.md

@@ -47,6 +47,7 @@ Then follow the instructions below for the data you want to encrypt.
 #### Database Fields
 
 - [Active Record](#active-record)
+- [Action Text](#action-text)
 - [Mongoid](#mongoid)
 
 #### Files
@@ -150,7 +151,9 @@ Be sure to include the `inspect` at the end or it won’t be encoded properly in
 
 #### Migrating Existing Data
 
-Lockbox makes it easy to encrypt an existing column. Add a new column for the ciphertext, then add to your model:
+Lockbox makes it easy to encrypt an existing column without downtime.
+
+Add a new column for the ciphertext, then add to your model:
 
 ```ruby
 class User < ApplicationRecord
@@ -185,6 +188,38 @@ class User < ApplicationRecord
 end
 ```
 
+## Action Text
+
+Create a migration with:
+
+```ruby
+class AddBodyCiphertextToRichTexts < ActiveRecord::Migration[6.0]
+  def change
+    add_column :action_text_rich_texts, :body_ciphertext, :text
+  end
+end
+```
+
+Create `config/initializers/lockbox.rb` with:
+
+```ruby
+Lockbox.encrypts_action_text_body(migrating: true)
+```
+
+Migrate existing data:
+
+```ruby
+Lockbox.migrate(ActionText::RichText)
+```
+
+Update the initializer:
+
+```ruby
+Lockbox.encrypts_action_text_body
+```
+
+And drop the unencrypted column.
+
 ## Mongoid
 
 Add to your model:
@@ -205,6 +240,8 @@ User.create!(email: "hi@example.org")
 
 If you need to query encrypted fields, check out [Blind Index](https://github.com/ankane/blind_index).
 
+You can [migrate existing data](#migrating-existing-data) similarly to Active Record.
+
 ## Active Storage
 
 Add to your model:
@@ -239,6 +276,34 @@ def license
 end
 ```
 
+#### Migrating Existing Files [experimental]
+
+**Note:** This feature is experimental. Please try it in a non-production environment and [share](https://github.com/ankane/lockbox/issues/44) how it goes.
+
+Lockbox makes it easy to encrypt existing files without downtime.
+
+Add to your model:
+
+```ruby
+class User < ApplicationRecord
+  encrypts_attached :license, migrating: true
+end
+```
+
+Migrate existing files:
+
+```ruby
+Lockbox.migrate(User)
+```
+
+Then update the model to the desired state:
+
+```ruby
+class User < ApplicationRecord
+  encrypts_attached :license
+end
+```
+
 ## CarrierWave
 
 Add to your uploader:
@@ -278,6 +343,51 @@ def license
 end
 ```
 
+#### Migrating Existing Files
+
+Encrypt existing files without downtime. Create a new encrypted uploader:
+
+```ruby
+class LicenseV2Uploader < CarrierWave::Uploader::Base
+  encrypt key: Lockbox.attribute_key(table: "users", attribute: "license")
+end
+```
+
+Add a new column for the uploader, then add to your model:
+
+```ruby
+class User < ApplicationRecord
+  mount_uploader :license_v2, LicenseV2Uploader
+
+  before_save :migrate_license, if: :license_changed?
+
+  def migrate_license
+    self.license_v2 = license
+  end
+end
+```
+
+Migrate existing files:
+
+```ruby
+User.find_each do |user|
+  if user.license? && !user.license_v2?
+    user.migrate_license
+    user.save!
+  end
+end
+```
+
+Then update the model to the desired state:
+
+```ruby
+class User < ApplicationRecord
+  mount_uploader :license, LicenseV2Uploader, mount_on: :license_v2
+end
+```
+
+Finally, delete the unencrypted files and drop the column for the original uploader. You can also remove the `key` option from the uploader.
+
 ## Shrine
 
 Generate a key
@@ -316,19 +426,35 @@ To serve encrypted files, use a controller action.
 ```ruby
 def license
   user = User.find(params[:id])
-  send_data box.decrypt(user.license.read), type: user.license.mime_type
+  send_data lockbox.decrypt(user.license.read), type: user.license.mime_type
 end
 ```
 
 ## Local Files
 
-Read the file as a binary string
+Generate a key
+
+```ruby
+key = Lockbox.generate_key
+```
+
+Create a lockbox
 
 ```ruby
-message = File.binread("file.txt")
+lockbox = Lockbox.new(key: key)
 ```
 
-Then follow the instructions for encrypting a string below.
+Encrypt
+
+```ruby
+ciphertext = lockbox.encrypt(File.binread("file.txt"))
+```
+
+Decrypt
+
+```ruby
+lockbox.decrypt(ciphertext)
+```
 
 ## Strings
 
@@ -362,7 +488,7 @@ Use `decrypt_str` get the value as UTF-8
 
 To make key rotation easy, you can pass previous versions of keys that can decrypt.
 
-### Active Record
+### Active Record & Mongoid
 
 Update your model:
 
@@ -382,26 +508,6 @@ Lockbox.rotate(User, attributes: [:email])
 
 Once all records are rotated, you can remove `previous_versions` from the model.
 
-### Mongoid
-
-Update your model:
-
-```ruby
-class User
-  encrypts :email, previous_versions: [{key: previous_key}]
-end
-```
-
-Use `master_key` instead of `key` if passing the master key.
-
-To rotate existing records, use:
-
-```ruby
-Lockbox.rotate(User, attributes: [:email])
-```
-
-Once all records are rotated, you can remove `previous_versions` from the model.
-
 ### Active Storage
 
 Update your model:
@@ -417,7 +523,7 @@ Use `master_key` instead of `key` if passing the master key.
 To rotate existing files, use:
 
 ```ruby
-User.find_each do |user|
+User.with_attached_license.find_each do |user|
   user.license.rotate_encryption!
 end
 ```
@@ -446,9 +552,9 @@ end
 
 Once all files are rotated, you can remove `previous_versions` from the model.
 
-### Strings
+### Local Files & Strings
 
-For strings, use:
+For local files and strings, use:
 
 ```ruby
 Lockbox.new(key: key, previous_versions: [{key: previous_key}])
@@ -541,7 +647,7 @@ Heroku [comes with libsodium](https://devcenter.heroku.com/articles/stack-packag
 
 ##### Ubuntu
 
-For Ubuntu 18.04, use:
+For Ubuntu 20.04 and 18.04, use:
 
 ```sh
 sudo apt-get install libsodium23

data/lib/lockbox.rb

@@ -19,6 +19,9 @@ require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
 require "lockbox/railtie" if defined?(Rails)
 
 if defined?(ActiveSupport)
+  require "lockbox/log_subscriber"
+  Lockbox::LogSubscriber.attach_to :lockbox
+
   ActiveSupport.on_load(:active_record) do
     extend Lockbox::Model
     extend Lockbox::Model::Attached
@@ -26,8 +29,6 @@ if defined?(ActiveSupport)
 
   ActiveSupport.on_load(:mongoid) do
     Mongoid::Document::ClassMethods.include(Lockbox::Model)
-    # TODO remove in 0.4.0
-    Mongoid::Document::ClassMethods.include(Lockbox::Model::Attached)
   end
 end
 
@@ -92,4 +93,10 @@ module Lockbox
   def self.new(**options)
     Encryptor.new(**options)
   end
+
+  def self.encrypts_action_text_body(**options)
+    ActiveSupport.on_load(:action_text_rich_text) do
+      ActionText::RichText.encrypts :body, **options
+    end
+  end
 end

data/lib/lockbox/active_storage_extensions.rb

@@ -16,14 +16,6 @@ module Lockbox
       def encrypt_attachable(attachable)
         Utils.encrypt_attachable(record, name, attachable)
       end
-
-      def rebuild_attachable(attachment)
-        {
-          io: StringIO.new(attachment.download),
-          filename: attachment.filename,
-          content_type: attachment.content_type
-        }
-      end
     end
 
     module AttachedOne
@@ -37,7 +29,7 @@ module Lockbox
       def rotate_encryption!
         raise "Not encrypted" unless encrypted?
 
-        attach(rebuild_attachable(self)) if attached?
+        attach(Utils.rebuild_attachable(self)) if attached?
 
         true
       end
@@ -65,7 +57,7 @@ module Lockbox
 
         attachables =
           previous_attachments.map do |attachment|
-            rebuild_attachable(attachment)
+            Utils.rebuild_attachable(attachment)
           end
 
         ActiveStorage::Attachment.transaction do
@@ -88,14 +80,16 @@ module Lockbox
     end
 
     module Attachment
-      extend ActiveSupport::Concern
-
       def download
         result = super
 
         options = Utils.encrypted_options(record, name)
-        if options
-          result = Utils.build_box(record, options, record.class.table_name, name).decrypt(result)
+        # only trust the metadata when migrating
+        # as earlier versions of Lockbox won't have it
+        # and it's not a good practice to trust modifiable data
+        encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
+        if encrypted
+          result = Utils.decrypt_result(record, name, options, result)
         end
 
         result
@@ -105,14 +99,18 @@ module Lockbox
         def open(**options)
           blob.open(**options) do |file|
             options = Utils.encrypted_options(record, name)
-            if options
-              result = file.read
+            # only trust the metadata when migrating
+            # as earlier versions of Lockbox won't have it
+            # and it's not a good practice to trust modifiable data
+            encrypted = options && (!options[:migrating] || blob.metadata["encrypted"])
+            if encrypted
+              result = Utils.decrypt_result(record, name, options, file.read)
               file.rewind
               # truncate may not be available on all platforms
               # according to the Ruby docs
               # may need to create a new temp file instead
               file.truncate(0)
-              file.write(Utils.build_box(record, options, record.class.table_name, name).decrypt(result))
+              file.write(result)
               file.rewind
             end
 
@@ -120,16 +118,6 @@ module Lockbox
           end
         end
       end
-
-      def mark_analyzed
-        if Utils.encrypted_options(record, name)
-          blob.update!(metadata: blob.metadata.merge(analyzed: true))
-        end
-      end
-
-      included do
-        after_save :mark_analyzed
-      end
     end
 
     module Blob

data/lib/lockbox/carrier_wave_extensions.rb

@@ -5,13 +5,13 @@ module Lockbox
         before :cache, :encrypt
 
         def encrypt(file)
-          @file = CarrierWave::SanitizedFile.new(lockbox.encrypt_io(file))
+          @file = CarrierWave::SanitizedFile.new(with_notification("encrypt_file") { lockbox.encrypt_io(file) })
         end
 
         # TODO safe to memoize?
         def read
           r = super
-          lockbox.decrypt(r) if r
+          with_notification("decrypt_file") { lockbox.decrypt(r) } if r
         end
 
         def size
@@ -40,20 +40,39 @@ module Lockbox
         define_method :lockbox do
           @lockbox ||= begin
             table = model ? model.class.table_name : "_uploader"
-            attribute =
-              if mounted_as
-                mounted_as.to_s
-              else
-                uploader = self
-                while uploader.parent_version
-                  uploader = uploader.parent_version
-                end
-                uploader.class.name.sub(/Uploader\z/, "").underscore
-              end
+            attribute = lockbox_name
 
             Utils.build_box(self, options, table, attribute)
           end
         end
+
+        def lockbox_name
+          if mounted_as
+            mounted_as.to_s
+          else
+            uploader = self
+            while uploader.parent_version
+              uploader = uploader.parent_version
+            end
+            uploader.class.name.sub(/Uploader\z/, "").underscore
+          end
+        end
+
+        def with_notification(type)
+          if defined?(ActiveSupport::Notifications)
+            name = lockbox_name
+
+            # get version
+            version, _ = parent_version && parent_version.versions.find { |k, v| v == self }
+            name = "#{name} #{version} version" if version
+
+            ActiveSupport::Notifications.instrument("#{type}.lockbox", {name: name}) do
+              yield
+            end
+          else
+            yield
+          end
+        end
       end
     end
   end

data/lib/lockbox/encryptor.rb

@@ -82,25 +82,5 @@ module Lockbox
       target.content_type = source.content_type if source.respond_to?(:content_type)
       target.set_encoding(source.external_encoding) if source.respond_to?(:external_encoding)
     end
-
-    # TODO remove in 0.4.0
-    # legacy for attr_encrypted
-    def self.encrypt(options)
-      box(options).encrypt(options[:value])
-    end
-
-    # TODO remove in 0.4.0
-    # legacy for attr_encrypted
-    def self.decrypt(options)
-      box(options).decrypt(options[:value])
-    end
-
-    # TODO remove in 0.4.0
-    # legacy for attr_encrypted
-    def self.box(options)
-      options = options.slice(:key, :encryption_key, :decryption_key, :algorithm, :previous_versions)
-      options[:algorithm] = "aes-gcm" if options[:algorithm] == "aes-256-gcm"
-      Lockbox.new(options)
-    end
   end
 end

data/lib/lockbox/key_generator.rb

@@ -11,7 +11,7 @@ module Lockbox
       raise ArgumentError, "Missing attribute for key generation" if attribute.to_s.empty?
 
       c = "\xB4"*32
-      hkdf(Lockbox::Utils.decode_key(@master_key), salt: table.to_s, info: "#{c}#{attribute}", length: 32, hash: "sha384")
+      hkdf(Lockbox::Utils.decode_key(@master_key, name: "Master key"), salt: table.to_s, info: "#{c}#{attribute}", length: 32, hash: "sha384")
     end
 
     private

data/lib/lockbox/log_subscriber.rb

@@ -0,0 +1,21 @@
+module Lockbox
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    def encrypt_file(event)
+      return unless logger.debug?
+
+      payload = event.payload
+      name = "Encrypt File (#{event.duration.round(1)}ms)"
+
+      debug "  #{color(name, YELLOW, true)} Encrypted #{payload[:name]}"
+    end
+
+    def decrypt_file(event)
+      return unless logger.debug?
+
+      payload = event.payload
+      name = "Decrypt File (#{event.duration.round(1)}ms)"
+
+      debug "  #{color(name, YELLOW, true)} Decrypted #{payload[:name]}"
+    end
+  end
+end

data/lib/lockbox/migrator.rb

@@ -24,29 +24,49 @@ module Lockbox
 
     # TODO add attributes option
     def migrate(restart:)
-      fields = model.lockbox_attributes.select { |k, v| v[:migrating] }
+      fields = model.respond_to?(:lockbox_attributes) ? model.lockbox_attributes.select { |k, v| v[:migrating] } : {}
 
       # need blind indexes for building relation
       blind_indexes = model.respond_to?(:blind_indexes) ? model.blind_indexes.select { |k, v| v[:migrating] } : {}
 
-      perform(fields: fields, blind_indexes: blind_indexes, restart: restart)
+      attachments = model.respond_to?(:lockbox_attachments) ? model.lockbox_attachments.select { |k, v| v[:migrating] } : {}
+
+      perform(fields: fields, blind_indexes: blind_indexes, restart: restart) if fields.any? || blind_indexes.any?
+      perform_attachments(attachments: attachments, restart: restart) if attachments.any?
     end
 
     private
 
-    def perform(fields:, blind_indexes: [], restart: true, rotate: false)
-      relation = @relation
+    def perform_attachments(attachments:, restart:)
+      relation = base_relation
 
-      # unscope if passed a model
-      unless ar_relation?(relation) || mongoid_relation?(relation)
-        relation = relation.unscoped
-      else
-        # TODO remove in 0.4.0
-        relation = relation.unscoped
+      # eager load attachments
+      attachments.each_key do |k|
+        relation = relation.send("with_attached_#{k}")
       end
 
-      # convert from possible class to ActiveRecord::Relation or Mongoid::Criteria
-      relation = relation.all
+      each_batch(relation) do |records|
+        records.each do |record|
+          attachments.each_key do |k|
+            attachment = record.send(k)
+            if attachment.attached?
+              if attachment.is_a?(ActiveStorage::Attached::One)
+                unless attachment.metadata["encrypted"]
+                  attachment.rotate_encryption!
+                end
+              else
+                unless attachment.all? { |a| a.metadata["encrypted"] }
+                  attachment.rotate_encryption!
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+
+    def perform(fields:, blind_indexes: [], restart: true, rotate: false)
+      relation = base_relation
 
       unless restart
         attributes = fields.map { |_, v| v[:encrypted_attribute] }
@@ -141,6 +161,18 @@ module Lockbox
       end
     end
 
+    def base_relation
+      relation = @relation
+
+      # unscope if passed a model
+      unless ar_relation?(relation) || mongoid_relation?(relation)
+        relation = relation.unscoped
+      end
+
+      # convert from possible class to ActiveRecord::Relation or Mongoid::Criteria
+      relation.all
+    end
+
     def ar_relation?(relation)
       defined?(ActiveRecord::Relation) && relation.is_a?(ActiveRecord::Relation)
     end

data/lib/lockbox/model.rb

@@ -81,6 +81,20 @@ module Lockbox
             end
 
             if activerecord
+              # TODO wrap in module?
+              def attributes
+                # load attributes
+                # essentially a no-op if already loaded
+                # an exception is thrown if decryption fails
+                self.class.lockbox_attributes.each do |_, lockbox_attribute|
+                  # it is possible that the encrypted attribute is not loaded, eg.
+                  # if the record was fetched partially (`User.select(:id).first`).
+                  # accessing a not loaded attribute raises an `ActiveModel::MissingAttributeError`.
+                  send(lockbox_attribute[:attribute]) if has_attribute?(lockbox_attribute[:encrypted_attribute])
+                end
+                super
+              end
+
               # needed for in-place modifications
               # assigned attributes are encrypted on assignment
               # and then again here
@@ -212,6 +226,20 @@ module Lockbox
 
             send("lockbox_direct_#{name}=", message)
 
+            # warn every time, as this should be addressed
+            # maybe throw an error in the future
+            if !options[:migrating]
+              if activerecord
+                if self.class.columns_hash.key?(name.to_s)
+                  warn "[lockbox] WARNING: Unencrypted column with same name: #{name}. Set `ignored_columns` or remove it to protect the data."
+                end
+              else
+                if self.class.fields.key?(name.to_s)
+                  warn "[lockbox] WARNING: Unencrypted field with same name: #{name}. Remove it to protect the data."
+                end
+              end
+            end
+
             super(message)
           end
 
@@ -259,7 +287,7 @@ module Lockbox
             table = activerecord ? table_name : collection_name.to_s
 
             unless message.nil?
-              # TODO use attribute type class in 0.4.0
+              # TODO use attribute type class in 0.5.0
               case options[:type]
               when :boolean
                 message = ActiveRecord::Type::Boolean.new.serialize(message)
@@ -313,7 +341,7 @@ module Lockbox
               end
 
             unless message.nil?
-              # TODO use attribute type class in 0.4.0
+              # TODO use attribute type class in 0.5.0
               case options[:type]
               when :boolean
                 message = message == "t"
@@ -391,12 +419,6 @@ module Lockbox
           end
         end
       end
-
-      # TODO remove in future version
-      def attached_encrypted(attribute, **options)
-        warn "[lockbox] DEPRECATION WARNING: Use encrypts_attached instead"
-        encrypts_attached(attribute, **options)
-      end
     end
   end
 end

data/lib/lockbox/railtie.rb

@@ -5,18 +5,27 @@ module Lockbox
 
       if defined?(ActiveStorage)
         require "lockbox/active_storage_extensions"
+
         ActiveStorage::Attached.prepend(Lockbox::ActiveStorageExtensions::Attached)
         if ActiveStorage::VERSION::MAJOR >= 6
           ActiveStorage::Attached::Changes::CreateOne.prepend(Lockbox::ActiveStorageExtensions::CreateOne)
         end
         ActiveStorage::Attached::One.prepend(Lockbox::ActiveStorageExtensions::AttachedOne)
         ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
-      end
 
-      app.config.to_prepare do
-        if defined?(ActiveStorage)
-          ActiveStorage::Attachment.include(Lockbox::ActiveStorageExtensions::Attachment)
-          ActiveStorage::Blob.prepend(Lockbox::ActiveStorageExtensions::Blob)
+        # use load hooks when possible
+        if ActiveStorage::VERSION::MAJOR >= 6
+          ActiveSupport.on_load(:active_storage_attachment) do
+            include Lockbox::ActiveStorageExtensions::Attachment
+          end
+          ActiveSupport.on_load(:active_storage_blob) do
+            prepend Lockbox::ActiveStorageExtensions::Blob
+          end
+        else
+          app.config.to_prepare do
+            ActiveStorage::Attachment.include(Lockbox::ActiveStorageExtensions::Attachment)
+            ActiveStorage::Blob.prepend(Lockbox::ActiveStorageExtensions::Blob)
+          end
         end
       end
     end

data/lib/lockbox/utils.rb

@@ -31,13 +31,13 @@ module Lockbox
       record.class.respond_to?(:lockbox_attachments) ? record.class.lockbox_attachments[name.to_sym] : nil
     end
 
-    def self.decode_key(key, size: 32)
+    def self.decode_key(key, size: 32, name: "Key")
       if key.encoding != Encoding::BINARY && key =~ /\A[0-9a-f]{#{size * 2}}\z/i
         key = [key].pack("H*")
       end
 
-      raise Lockbox::Error, "Key must use binary encoding" if key.encoding != Encoding::BINARY
-      raise Lockbox::Error, "Key must be 32 bytes" if key.bytesize != size
+      raise Lockbox::Error, "#{name} must be 32 bytes (64 hex digits)" if key.bytesize != size
+      raise Lockbox::Error, "#{name} must use binary encoding" if key.encoding != Encoding::BINARY
 
       key
     end
@@ -47,27 +47,33 @@ module Lockbox
     end
 
     def self.encrypt_attachable(record, name, attachable)
-      options = encrypted_options(record, name)
-      box = build_box(record, options, record.class.table_name, name)
       io = nil
 
-      case attachable
-      when ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile
-        io = attachable
-        attachable = {
-          io: box.encrypt_io(io),
-          filename: attachable.original_filename,
-          content_type: attachable.content_type
-        }
-      when Hash
-        io = attachable[:io]
-        attachable = {
-          io: box.encrypt_io(io),
-          filename: attachable[:filename],
-          content_type: attachable[:content_type]
-        }
-      else
-        raise NotImplementedError, "Not supported"
+      ActiveSupport::Notifications.instrument("encrypt_file.lockbox", {name: name}) do
+        options = encrypted_options(record, name)
+        box = build_box(record, options, record.class.table_name, name)
+
+        case attachable
+        when ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile
+          io = attachable
+          attachable = {
+            io: box.encrypt_io(io),
+            filename: attachable.original_filename,
+            content_type: attachable.content_type
+          }
+        when Hash
+          io = attachable[:io]
+          attachable = attachable.dup
+          attachable[:io] = box.encrypt_io(io)
+        else
+          # TODO raise ArgumentError
+          raise NotImplementedError, "Could not find or build blob: expected attachable, got #{attachable.inspect}"
+        end
+
+        # don't analyze encrypted data
+        metadata = {"analyzed" => true}
+        metadata["encrypted"] = true if options[:migrating]
+        attachable[:metadata] = (attachable[:metadata] || {}).merge(metadata)
       end
 
       # set content type based on unencrypted data
@@ -76,5 +82,19 @@ module Lockbox
 
       attachable
     end
+
+    def self.decrypt_result(record, name, options, result)
+      ActiveSupport::Notifications.instrument("decrypt_file.lockbox", {name: name}) do
+        Utils.build_box(record, options, record.class.table_name, name).decrypt(result)
+      end
+    end
+
+    def self.rebuild_attachable(attachment)
+      {
+        io: StringIO.new(attachment.download),
+        filename: attachment.filename,
+        content_type: attachment.content_type
+      }
+    end
   end
 end

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.3.6"
+  VERSION = "0.4.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.3.6
+  version: 0.4.3
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-20 00:00:00.000000000 Z
+date: 2020-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -42,16 +42,16 @@ dependencies:
   name: combustion
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -184,6 +184,7 @@ files:
 - lib/lockbox/encryptor.rb
 - lib/lockbox/io.rb
 - lib/lockbox/key_generator.rb
+- lib/lockbox/log_subscriber.rb
 - lib/lockbox/migrator.rb
 - lib/lockbox/model.rb
 - lib/lockbox/padding.rb