lockbox 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: fa1a57ca8235a58fd8d638cab1ec624888e72b79f8a3f279588bb358ea8f6cb0
+  data.tar.gz: ffe1edd74efb5e8bf121b73816edd6b9209b8a217590816a2791adf6d1ad3dad
+SHA512:
+  metadata.gz: 80b49150b2d01aafceaddf9bd6c47b6412ee4cfb5361ff2f7f11633a65847d1f09dd7377794ef68b58c87f0f29210fe981d4b08a981840b51a553d7fb18ccc66
+  data.tar.gz: b3e8ae7d2395cc13903d80da1e8f8f3f2f0416a9f9ec8b1fa29b6b6eb155f97724f0effd1a7afd7c5162421b1be35494b5a7d4a6a25344de202a1bab0ef15305

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 0.1.0
+
+- First release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Andrew Kane
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,215 @@
+# Lockbox
+
+:lock: File encryption for Ruby and Rails
+
+Supports Active Storage and CarrierWave
+
+Uses AES-GCM by default for [authenticated encryption](https://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken)
+
+## Installation
+
+Add this line to your application’s Gemfile:
+
+```ruby
+gem 'lockbox'
+```
+
+## Key Generation
+
+Generate an encryption key.
+
+```ruby
+SecureRandom.hex(32)
+```
+
+Store the key with your other secrets (typically Rails secrets or an environment variable).
+
+Alternatively, you can use a [key management service](#key-management) to manage your keys.
+
+## Files
+
+Create a box
+
+```ruby
+box = Lockbox.new(key: key)
+```
+
+Encrypt
+
+```ruby
+box.encrypt(File.binread("license.jpg"))
+```
+
+Decrypt
+
+```ruby
+box.decrypt(File.binread("license.jpg.enc"))
+```
+
+## Active Storage
+
+Add to your model:
+
+```ruby
+class User < ApplicationRecord
+  has_one_attached :license
+  attached_encrypted :license, key: key
+end
+```
+
+Works with multiple attachments as well.
+
+```ruby
+class User < ApplicationRecord
+  has_many_attached :documents
+  attached_encrypted :documents, key: key
+end
+```
+
+There are a few limitations to be aware of:
+
+- Metadata like image width and height are not extracted when encrypted
+- Direct uploads cannot be encrypted
+
+## CarrierWave
+
+Add to your uploader:
+
+```ruby
+class LicenseUploader < CarrierWave::Uploader::Base
+  encrypt key: key
+end
+```
+
+Encryption is applied to all versions after processing.
+
+## Serving Files
+
+To serve encrypted files, use a controller action.
+
+```ruby
+def license
+  send_data @user.license.download, type: @user.license.content_type
+end
+```
+
+Use `read` instead of `download` for CarrierWave.
+
+## Key Rotation
+
+To make key rotation easy, you can pass previous versions of keys that can decrypt.
+
+```ruby
+Lockbox.new(key: key, previous_versions: [{key: previous_key}])
+```
+
+For Active Storage use:
+
+```ruby
+class User < ApplicationRecord
+  attached_encrypted :license, key: key, previous_versions: [{key: previous_key}]
+end
+```
+
+To rotate existing files, use:
+
+```ruby
+user.license.rotate_encryption!
+```
+
+For CarrierWave, use:
+
+```ruby
+class LicenseUploader < CarrierWave::Uploader::Base
+  encrypt key: key, previous_versions: [{key: previous_key}]
+end
+```
+
+To rotate existing files, use:
+
+```ruby
+user.license.rotate_encryption!
+```
+
+## Algorithms
+
+### AES-GCM
+
+The default algorithm is AES-GCM with a 256-bit key. Rotate the key every 2 billion files to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/).
+
+### XChaCha20
+
+[Install Libsodium](https://github.com/crypto-rb/rbnacl/wiki/Installing-libsodium) and add [rbnacl](https://github.com/crypto-rb/rbnacl) to your application’s Gemfile:
+
+```ruby
+gem 'rbnacl'
+```
+
+Then pass the `algorithm` option:
+
+```ruby
+# files
+box = Lockbox.new(key: key, algorithm: "xchacha20")
+
+# Active Storage
+class User < ApplicationRecord
+  attached_encrypted :license, key: key, algorithm: "xchacha20"
+end
+
+# CarrierWave
+class LicenseUploader < CarrierWave::Uploader::Base
+  encrypt key: key, algorithm: "xchacha20"
+end
+```
+
+Make it the default with:
+
+```ruby
+Lockbox.default_options = {algorithm: "xchacha20"}
+```
+
+You can also pass an algorithm to `previous_versions` for key rotation.
+
+## Key Management
+
+You can use a key management service to manage your keys with [KMS Encrypted](https://github.com/ankane/kms_encrypted).
+
+For Active Storage, use:
+
+```ruby
+class User < ApplicationRecord
+  attached_encrypted :license, key: :kms_key
+end
+```
+
+For CarrierWave, use:
+
+```ruby
+class LicenseUploader < CarrierWave::Uploader::Base
+  encrypt key: -> { model.kms_key }
+end
+```
+
+**Note:** KMS Encrypted’s key rotation does not know to rotate encrypted files, so avoid calling `record.rotate_kms_key!` on models with file uploads for now.
+
+## Reference
+
+Pass associated data to encryption and decryption
+
+```ruby
+box.encrypt(message, associated_data: "bingo")
+box.decrypt(ciphertext, associated_data: "bingo")
+```
+
+## History
+
+View the [changelog](https://github.com/ankane/lockbox/blob/master/CHANGELOG.md)
+
+## Contributing
+
+Everyone is encouraged to help improve this project. Here are a few ways you can help:
+
+- [Report bugs](https://github.com/ankane/lockbox/issues)
+- Fix bugs and [submit pull requests](https://github.com/ankane/lockbox/pulls)
+- Write, clarify, or fix documentation
+- Suggest or add new features

data/lib/lockbox.rb

@@ -0,0 +1,56 @@
+# dependencies
+require "openssl"
+require "securerandom"
+
+# modules
+require "lockbox/box"
+require "lockbox/utils"
+require "lockbox/version"
+
+# integrations
+require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
+require "lockbox/railtie" if defined?(Rails)
+
+class Lockbox
+  class Error < StandardError; end
+  class DecryptionError < Error; end
+
+  class << self
+    attr_accessor :default_options
+  end
+  self.default_options = {algorithm: "aes-gcm"}
+
+  def initialize(key: nil, algorithm: nil, previous_versions: nil)
+    default_options = self.class.default_options
+    key ||= default_options[:key]
+    algorithm ||= default_options[:algorithm]
+    previous_versions ||= default_options[:previous_versions]
+
+    @boxes =
+      [Box.new(key, algorithm: algorithm)] +
+      Array(previous_versions).map { |v| Box.new(v[:key], algorithm: v[:algorithm]) }
+  end
+
+  def encrypt(*args)
+    @boxes.first.encrypt(*args)
+  end
+
+  def decrypt(ciphertext, **options)
+    raise TypeError, "can't convert ciphertext to string" unless ciphertext.respond_to?(:to_str)
+
+    # ensure binary
+    ciphertext = ciphertext.to_str
+    if ciphertext.encoding != Encoding::BINARY
+      # dup to prevent mutation
+      ciphertext = ciphertext.dup.force_encoding(Encoding::BINARY)
+    end
+
+    @boxes.each_with_index do |box, i|
+      begin
+        return box.decrypt(ciphertext, **options)
+      rescue DecryptionError, RbNaCl::LengthError, RbNaCl::CryptoError
+        raise DecryptionError, "Decryption failed" if i == @boxes.size - 1
+      end
+    end
+  end
+end

data/lib/lockbox/active_storage_extensions.rb

@@ -0,0 +1,148 @@
+class Lockbox
+  module ActiveStorageExtensions
+    module Attached
+      protected
+
+      def encrypted?
+        # could use record_type directly
+        # but record should already be loaded most of the time
+        Utils.encrypted_options(record, name).present?
+      end
+
+      def encrypt_attachable(attachable)
+        options = Utils.encrypted_options(record, name)
+        box = Utils.build_box(record, options)
+
+        case attachable
+        when ActiveStorage::Blob
+          raise NotImplemented, "Not supported yet"
+        when ActionDispatch::Http::UploadedFile, Rack::Test::UploadedFile
+          attachable = {
+            io: StringIO.new(box.encrypt(attachable.read)),
+            filename: attachable.original_filename,
+            content_type: attachable.content_type
+          }
+        when Hash
+          attachable = {
+            io: StringIO.new(box.encrypt(attachable[:io].read)),
+            filename: attachable[:filename],
+            content_type: attachable[:content_type]
+          }
+        when String
+          raise NotImplemented, "Not supported yet"
+        else
+          nil
+        end
+
+        attachable
+      end
+
+      def rebuild_attachable(attachment)
+        {
+          io: StringIO.new(attachment.download),
+          filename: attachment.filename,
+          content_type: attachment.content_type
+        }
+      end
+    end
+
+    module AttachedOne
+      def attach(attachable)
+        attachable = encrypt_attachable(attachable) if encrypted?
+        super(attachable)
+      end
+
+      def rotate_encryption!
+        raise "Not encrypted" unless encrypted?
+
+        attach(rebuild_attachable(self)) if attached?
+
+        true
+      end
+    end
+
+    module AttachedMany
+      def attach(*attachables)
+        if encrypted?
+          attachables =
+            attachables.flatten.collect do |attachable|
+              encrypt_attachable(attachable)
+            end
+        end
+
+        super(attachables)
+      end
+
+      def rotate_encryption!
+        raise "Not encrypted" unless encrypted?
+
+        # must call to_a - do not change
+        previous_attachments = attachments.to_a
+
+        attachables =
+          previous_attachments.map do |attachment|
+            rebuild_attachable(attachment)
+          end
+
+        ActiveStorage::Attachment.transaction do
+          attach(attachables)
+          previous_attachments.each(&:purge)
+        end
+
+        attachments.reload
+
+        true
+      end
+    end
+
+    module Attachment
+      extend ActiveSupport::Concern
+
+      def download
+        result = super
+
+        options = Utils.encrypted_options(record, name)
+        if options
+          result = Utils.build_box(record, options).decrypt(result)
+        end
+
+        result
+      end
+
+      def mark_analyzed
+        if Utils.encrypted_options(record, name)
+          blob.update!(metadata: blob.metadata.merge(analyzed: true))
+        end
+      end
+
+      included do
+        after_save :mark_analyzed
+      end
+    end
+
+    module Model
+      def attached_encrypted(name, **options)
+        class_eval do
+          @encrypted_attachments ||= {}
+
+          unless respond_to?(:encrypted_attachments)
+            def self.encrypted_attachments
+              parent_attachments =
+                if superclass.respond_to?(:encrypted_attachments)
+                  superclass.encrypted_attachments
+                else
+                  {}
+                end
+
+              parent_attachments.merge(@encrypted_attachments || {})
+            end
+          end
+
+          raise ArgumentError, "Duplicate encrypted attachment: #{name}" if encrypted_attachments[name]
+
+          @encrypted_attachments[name] = options
+        end
+      end
+    end
+  end
+end

data/lib/lockbox/aes_gcm.rb

@@ -0,0 +1,74 @@
+class Lockbox
+  class AES_GCM
+    def initialize(key)
+      raise ArgumentError, "Key must be 32 bytes" unless key && key.bytesize == 32
+      raise ArgumentError, "Key must be binary" unless key.encoding == Encoding::BINARY
+
+      @key = key
+    end
+
+    def encrypt(nonce, message, associated_data)
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      cipher.encrypt
+      cipher.key = @key
+      cipher.iv = nonce
+      # From Ruby 2.5.3 OpenSSL::Cipher docs:
+      # If no associated data shall be used, this method must still be called with a value of ""
+      # In encryption mode, it must be set after calling #encrypt and setting #key= and #iv=
+      cipher.auth_data = associated_data || ""
+
+      ciphertext = cipher.update(message) + cipher.final
+      ciphertext << cipher.auth_tag
+
+      ciphertext
+    end
+
+    def decrypt(nonce, ciphertext, associated_data)
+      auth_tag, ciphertext = extract_auth_tag(ciphertext.to_s)
+
+      fail_decryption if nonce.to_s.bytesize != nonce_bytes
+      fail_decryption if auth_tag.to_s.bytesize != auth_tag_bytes
+      fail_decryption if ciphertext.to_s.bytesize == 0
+
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      cipher.decrypt
+      cipher.key = @key
+      cipher.iv = nonce
+      cipher.auth_tag = auth_tag
+      # From Ruby 2.5.3 OpenSSL::Cipher docs:
+      # If no associated data shall be used, this method must still be called with a value of ""
+      # When decrypting, set it only after calling #decrypt, #key=, #iv= and #auth_tag= first.
+      cipher.auth_data = associated_data || ""
+
+      begin
+        cipher.update(ciphertext) + cipher.final
+      rescue OpenSSL::Cipher::CipherError
+        fail_decryption
+      end
+    end
+
+    def nonce_bytes
+      12
+    end
+
+    # protect key
+    def inspect
+      to_s
+    end
+
+    private
+
+    def auth_tag_bytes
+      16
+    end
+
+    def extract_auth_tag(bytes)
+      auth_tag = bytes.slice(-auth_tag_bytes..-1)
+      [auth_tag, bytes.slice(0, bytes.bytesize - auth_tag_bytes)]
+    end
+
+    def fail_decryption
+      raise DecryptionError, "Decryption failed"
+    end
+  end
+end

data/lib/lockbox/box.rb

@@ -0,0 +1,54 @@
+class Lockbox
+  class Box
+    def initialize(key, algorithm: nil)
+      # decode hex key
+      if key.encoding != Encoding::BINARY && key =~ /\A[0-9a-f]{64}\z/i
+        key = [key].pack("H*")
+      end
+
+      algorithm ||= "aes-gcm"
+
+      case algorithm
+      when "aes-gcm"
+        require "lockbox/aes_gcm"
+        @box = AES_GCM.new(key)
+      when "xchacha20"
+        require "rbnacl"
+        @box = RbNaCl::AEAD::XChaCha20Poly1305IETF.new(key)
+      else
+        raise ArgumentError, "Unknown algorithm: #{algorithm}"
+      end
+    end
+
+    def encrypt(message, associated_data: nil)
+      nonce = generate_nonce
+      ciphertext = @box.encrypt(nonce, message, associated_data)
+      nonce + ciphertext
+    end
+
+    def decrypt(ciphertext, associated_data: nil)
+      nonce, ciphertext = extract_nonce(ciphertext)
+      @box.decrypt(nonce, ciphertext, associated_data)
+    end
+
+    # protect key for xchacha20
+    def inspect
+      to_s
+    end
+
+    private
+
+    def nonce_bytes
+      @box.nonce_bytes
+    end
+
+    def generate_nonce
+      SecureRandom.random_bytes(nonce_bytes)
+    end
+
+    def extract_nonce(bytes)
+      nonce = bytes.slice(0, nonce_bytes)
+      [nonce, bytes.slice(nonce_bytes..-1)]
+    end
+  end
+end

data/lib/lockbox/carrier_wave_extensions.rb

@@ -0,0 +1,46 @@
+class Lockbox
+  module CarrierWaveExtensions
+    class FileIO < StringIO
+      attr_accessor :original_filename
+    end
+
+    def encrypt(**options)
+      class_eval do
+        before :cache, :encrypt
+
+        def encrypt(file)
+          @file = CarrierWave::SanitizedFile.new(StringIO.new(lockbox.encrypt(file.read)))
+        end
+
+        def read
+          r = super
+          lockbox.decrypt(r) if r
+        end
+
+        def size
+          read.bytesize
+        end
+
+        def rotate_encryption!
+          io = FileIO.new(read)
+          io.original_filename = file.filename
+          previous_value = enable_processing
+          begin
+            self.enable_processing = false
+            store!(io)
+          ensure
+            self.enable_processing = previous_value
+          end
+        end
+
+        private
+
+        define_method :lockbox do
+          @lockbox ||= Utils.build_box(self, options)
+        end
+      end
+    end
+  end
+end
+
+CarrierWave::Uploader::Base.extend(Lockbox::CarrierWaveExtensions)

data/lib/lockbox/railtie.rb

@@ -0,0 +1,21 @@
+class Lockbox
+  class Railtie < Rails::Railtie
+    initializer "lockbox" do |app|
+      require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
+
+      if defined?(ActiveStorage)
+        require "lockbox/active_storage_extensions"
+        ActiveStorage::Attached.prepend(Lockbox::ActiveStorageExtensions::Attached)
+        ActiveStorage::Attached::One.prepend(Lockbox::ActiveStorageExtensions::AttachedOne)
+        ActiveStorage::Attached::Many.prepend(Lockbox::ActiveStorageExtensions::AttachedMany)
+        ActiveRecord::Base.extend(Lockbox::ActiveStorageExtensions::Model) if defined?(ActiveRecord)
+      end
+
+      app.config.to_prepare do
+        if defined?(ActiveStorage)
+          ActiveStorage::Attachment.include(Lockbox::ActiveStorageExtensions::Attachment)
+        end
+      end
+    end
+  end
+end

data/lib/lockbox/utils.rb

@@ -0,0 +1,20 @@
+class Lockbox
+  class Utils
+    def self.build_box(context, options)
+      options = options.dup
+      options.each do |k, v|
+        if v.is_a?(Proc)
+          options[k] = context.instance_exec(&v) if v.respond_to?(:call)
+        elsif v.is_a?(Symbol)
+          options[k] = context.send(v)
+        end
+      end
+
+      Lockbox.new(options)
+    end
+
+    def self.encrypted_options(record, name)
+      record.class.respond_to?(:encrypted_attachments) && record.class.encrypted_attachments[name.to_sym]
+    end
+  end
+end

data/lib/lockbox/version.rb

@@ -0,0 +1,3 @@
+class Lockbox
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,180 @@
+--- !ruby/object:Gem::Specification
+name: lockbox
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Andrew Kane
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: carrierwave
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activestorage
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activejob
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: combustion
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email: andrew@chartkick.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- lib/lockbox.rb
+- lib/lockbox/active_storage_extensions.rb
+- lib/lockbox/aes_gcm.rb
+- lib/lockbox/box.rb
+- lib/lockbox/carrier_wave_extensions.rb
+- lib/lockbox/railtie.rb
+- lib/lockbox/utils.rb
+- lib/lockbox/version.rb
+homepage: https://github.com/ankane/lockbox
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: File encryption for Ruby and Rails. Supports Active Storage and CarrierWave.
+test_files: []