lockbox 0.3.1 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 775a12c813fb58a8e3a7f799d85af74d8a461b8cb6578beb672919dd1a4030f2
-  data.tar.gz: 41ab60ea29776ade74d0300ce4f933a0dc10e8f07c20bf48c2e604cab0aa4c13
+  metadata.gz: 17af286829bd927b3f3dcf156672a4dbced52dcc083d8920a24230cb89f5104a
+  data.tar.gz: 30ec2e0be697c31933b88930c02a43e5544708fe8f847b813a42bd05cd9354dc
 SHA512:
-  metadata.gz: 1208cd3e38d59425f09db7d2830b7f69809d6ae601b2b59d232001325d1721fad3087683eb44690d8ad672cd2c9c8adc22cae283ed1f56c31d906d3ed4bcaee2
-  data.tar.gz: 02e1faac0de9a9d8fcf168e01474792b5c9275fab7006f7e6fd4668dcae22a0b5e716bd983324104b66b4dd4ef55aede488f341f04bd7039a085ffb798f0b35d
+  metadata.gz: a2b0cfd5fff48b4907a29d1d67499e3bdb81d29f81c9843fae1f447ecf5dfad5d61bb383877324e6cb35f3aac9987f867f12a4106108fe5bc638f93b6fffe39a
+  data.tar.gz: be8abd51a5f0b8cea3d6cbd18d75bf1248333b9a575a5088b3d36c428fa1103f1645b5ca6b94bbf8dfcf2e9b1d3c31a14bd6f06fe9b9da8c26022bbb78e428c7

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.3.2 (2020-02-14)
+
+- Added `encode` option to `Lockbox::Encryptor`
+- Added support for `master_key` in `previous_versions`
+- Added `Lockbox.rotate` method
+- Improved performance of `migrate` method
+- Added generator for audits
+
 ## 0.3.1 (2019-12-26)
 
 - Fixed encoding for `encrypt_io` and `decrypt_io` in Ruby 2.7

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2018-2019 Andrew Kane
+Copyright (c) 2018-2020 Andrew Kane
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -4,11 +4,11 @@
 
 - Uses state-of-the-art algorithms
 - Works with database fields, files, and strings
-- Stores encrypted data in a single field
-- Requires you to only manage a single encryption key (with the option to have more)
 - Makes migrating existing data and key rotation easy
 
-Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [how to secure emails](https://ankane.org/securing-user-emails-lockbox), and [how to secure sensitive data in Rails](https://ankane.org/sensitive-data-rails)
+Lockbox aims to make encryption as friendly and intuitive as possible. Encrypted fields and files behave just like unencrypted ones for maximum compatibility with 3rd party libraries and existing code.
+
+Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [how to secure emails with Devise](https://ankane.org/securing-user-emails-lockbox), and [how to secure sensitive data in Rails](https://ankane.org/sensitive-data-rails).
 
 [![Build Status](https://travis-ci.org/ankane/lockbox.svg?branch=master)](https://travis-ci.org/ankane/lockbox)
 
@@ -22,7 +22,7 @@ gem 'lockbox'
 
 ## Key Generation
 
-Generate an encryption key
+Generate a key
 
 ```ruby
 Lockbox.generate_key
@@ -42,29 +42,25 @@ or create `config/initializers/lockbox.rb` with something like
 Lockbox.master_key = Rails.application.credentials.lockbox_master_key
 ```
 
-Alternatively, you can use a [key management service](#key-management) to manage your keys.
-
-## Instructions
+Then follow the instructions below for the data you want to encrypt.
 
-Database fields
+#### Database Fields
 
 - [Active Record](#active-record)
 - [Mongoid](#mongoid)
 
-Files
+#### Files
 
 - [Active Storage](#active-storage)
 - [CarrierWave](#carrierwave)
 - [Shrine](#shrine)
 - [Local Files](#local-files)
 
-Other
+#### Other
 
 - [Strings](#strings)
 
-## Database Fields
-
-### Active Record
+## Active Record
 
 Create a migration with:
 
@@ -94,7 +90,7 @@ If you need to query encrypted fields, check out [Blind Index](https://github.co
 
 #### Types
 
-Specify the type of a field with:
+Fields are strings by default. Specify the type of a field with:
 
 ```ruby
 class User < ApplicationRecord
@@ -110,7 +106,7 @@ class User < ApplicationRecord
 end
 ```
 
-**Note:** Always use a `text` or `binary` column for the ciphertext in migrations, regardless of the type
+**Note:** Use a `text` column for the ciphertext in migrations, regardless of the type
 
 Lockbox automatically works with serialized fields for maximum compatibility with existing code and libraries.
 
@@ -140,7 +136,55 @@ end
 
 Validations work as expected with the exception of uniqueness. Uniqueness validations require a [blind index](https://github.com/ankane/blind_index).
 
-### Mongoid
+#### Fixtures
+
+You can use encrypted attributes in fixtures with:
+
+```yml
+test_user:
+  email_ciphertext: <%= User.generate_email_ciphertext("secret").inspect %>
+```
+
+Be sure to include the `inspect` at the end or it won’t be encoded properly in YAML.
+
+#### Migrating Existing Data
+
+Lockbox makes it easy to encrypt an existing column. Add a new column for the ciphertext, then add to your model:
+
+```ruby
+class User < ApplicationRecord
+  encrypts :email, migrating: true
+end
+```
+
+Backfill the data in the Rails console:
+
+```ruby
+Lockbox.migrate(User)
+```
+
+Then update the model to the desired state:
+
+```ruby
+class User < ApplicationRecord
+  encrypts :email
+
+  # remove this line after dropping email column
+  self.ignored_columns = ["email"]
+end
+```
+
+Finally, drop the unencrypted column.
+
+If adding blind indexes, Lockbox can migrate them at the same time.
+
+```ruby
+class User < ApplicationRecord
+  blind_index :email, migrating: true
+end
+```
+
+## Mongoid
 
 Add to your model:
 
@@ -160,9 +204,7 @@ User.create!(email: "hi@example.org")
 
 If you need to query encrypted fields, check out [Blind Index](https://github.com/ankane/blind_index).
 
-## Files
-
-### Active Storage
+## Active Storage
 
 Add to your model:
 
@@ -191,11 +233,12 @@ To serve encrypted files, use a controller action.
 
 ```ruby
 def license
-  send_data @user.license.download, type: @user.license.content_type
+  user = User.find(params[:id])
+  send_data user.license.download, type: user.license.content_type
 end
 ```
 
-### CarrierWave
+## CarrierWave
 
 Add to your uploader:
 
@@ -207,50 +250,76 @@ end
 
 Encryption is applied to all versions after processing.
 
+You can mount the uploader [as normal](https://github.com/carrierwaveuploader/carrierwave#activerecord). With Active Record, this involves creating a migration:
+
+```ruby
+class AddLicenseToUsers < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :license, :string
+  end
+end
+```
+
+And updating the model:
+
+```ruby
+class User < ApplicationRecord
+  mount_uploader :license, LicenseUploader
+end
+```
+
 To serve encrypted files, use a controller action.
 
 ```ruby
 def license
-  send_data @user.license.read, type: @user.license.content_type
+  user = User.find(params[:id])
+  send_data user.license.read, type: user.license.content_type
 end
 ```
 
-### Shrine
+## Shrine
 
-Create a box
+Generate a key
 
 ```ruby
-box = Lockbox.new(key: key)
+key = Lockbox.generate_key
+```
+
+Create a lockbox
+
+```ruby
+lockbox = Lockbox.new(key: key)
 ```
 
 Encrypt files before passing them to Shrine
 
 ```ruby
-LicenseUploader.upload(box.encrypt_io(file), :store)
+LicenseUploader.upload(lockbox.encrypt_io(file), :store)
 ```
 
 And decrypt them after reading
 
 ```ruby
-box.decrypt(uploaded_file.read)
+lockbox.decrypt(uploaded_file.read)
 ```
 
 For models, encrypt with:
 
 ```ruby
 license = params.require(:user).fetch(:license)
-@user.license = box.encrypt_io(license)
+user.license = lockbox.encrypt_io(license)
 ```
 
 To serve encrypted files, use a controller action.
 
 ```ruby
 def license
-  send_data box.decrypt(@user.license.read), type: @user.license.mime_type
+  user = User.find(params[:id])
+  send_data box.decrypt(user.license.read), type: user.license.mime_type
 end
 ```
 
-### Local Files
+## Local Files
 
 Read the file as a binary string
 
@@ -262,58 +331,31 @@ Then follow the instructions for encrypting a string below.
 
 ## Strings
 
-Create a box
-
-```ruby
-box = Lockbox.new(key: key)
-```
-
-Encrypt
-
-```ruby
-ciphertext = box.encrypt(message)
-```
-
-Decrypt
+Generate a key
 
 ```ruby
-box.decrypt(ciphertext)
+key = Lockbox.generate_key
 ```
 
-Decrypt and return UTF-8 instead of binary
+Create a lockbox
 
 ```ruby
-box.decrypt_str(ciphertext)
+lockbox = Lockbox.new(key: key, encode: true)
 ```
 
-## Migrating Existing Data
-
-Lockbox makes it easy to encrypt an existing column. Add a new column for the ciphertext, then add to your model:
+Encrypt
 
 ```ruby
-class User < ApplicationRecord
-  encrypts :email, migrating: true
-end
+ciphertext = lockbox.encrypt("hello")
 ```
 
-Backfill the data in the Rails console:
+Decrypt
 
 ```ruby
-Lockbox.migrate(User)
+lockbox.decrypt(ciphertext)
 ```
 
-Then update the model to the desired state:
-
-```ruby
-class User < ApplicationRecord
-  encrypts :email
-
-  # remove this line after dropping email column
-  self.ignored_columns = ["email"]
-end
-```
-
-Finally, drop the unencrypted column.
+Use `decrypt_str` get the value as UTF-8
 
 ## Key Rotation
 
@@ -321,7 +363,7 @@ To make key rotation easy, you can pass previous versions of keys that can decry
 
 ### Active Record
 
-For Active Record, use:
+Update your model:
 
 ```ruby
 class User < ApplicationRecord
@@ -329,15 +371,19 @@ class User < ApplicationRecord
 end
 ```
 
-To rotate, use:
+Use `master_key` instead of `key` if passing the master key.
+
+To rotate existing records, use:
 
 ```ruby
-user.update!(email: user.email)
+Lockbox.rotate(User, attributes: [:email])
 ```
 
+Once all records are rotated, you can remove `previous_versions` from the model.
+
 ### Mongoid
 
-For Mongoid, use:
+Update your model:
 
 ```ruby
 class User
@@ -345,15 +391,19 @@ class User
 end
 ```
 
-To rotate, use:
+Use `master_key` instead of `key` if passing the master key.
+
+To rotate existing records, use:
 
 ```ruby
-user.update!(email: user.email)
+Lockbox.rotate(User, attributes: [:email])
 ```
 
+Once all records are rotated, you can remove `previous_versions` from the model.
+
 ### Active Storage
 
-For Active Storage use:
+Update your model:
 
 ```ruby
 class User < ApplicationRecord
@@ -361,15 +411,21 @@ class User < ApplicationRecord
 end
 ```
 
+Use `master_key` instead of `key` if passing the master key.
+
 To rotate existing files, use:
 
 ```ruby
-user.license.rotate_encryption!
+User.find_each do |user|
+  user.license.rotate_encryption!
+end
 ```
 
+Once all files are rotated, you can remove `previous_versions` from the model.
+
 ### CarrierWave
 
-For CarrierWave, use:
+Update your model:
 
 ```ruby
 class LicenseUploader < CarrierWave::Uploader::Base
@@ -377,12 +433,18 @@ class LicenseUploader < CarrierWave::Uploader::Base
 end
 ```
 
+Use `master_key` instead of `key` if passing the master key.
+
 To rotate existing files, use:
 
 ```ruby
-user.license.rotate_encryption!
+User.find_each do |user|
+  user.license.rotate_encryption!
+end
 ```
 
+Once all files are rotated, you can remove `previous_versions` from the model.
+
 ### Strings
 
 For strings, use:
@@ -391,22 +453,53 @@ For strings, use:
 Lockbox.new(key: key, previous_versions: [{key: previous_key}])
 ```
 
-## Fixtures
+## Auditing
 
-You can use encrypted attributes in fixtures with:
+It’s a good idea to track user and employee access to sensitive data. Lockbox provides a convenient way to do this with Active Record, but you can use a similar pattern to write audits to any location.
 
-```yml
-test_user:
-  email_ciphertext: <%= User.generate_email_ciphertext("secret").inspect %>
+```sh
+rails generate lockbox:audits
+rails db:migrate
 ```
 
-Be sure to include the `inspect` at the end or it won’t be encoded properly in YAML.
+Then create an audit wherever a user can view data:
+
+```ruby
+class UsersController < ApplicationController
+  def show
+    @user = User.find(params[:id])
+
+    LockboxAudit.create!(
+      subject: @user,
+      viewer: current_user,
+      data: ["email", "dob"],
+      context: "#{controller_name}##{action_name}",
+      ip: request.remote_ip
+    )
+  end
+end
+```
+
+Query audits with:
+
+```ruby
+LockboxAudit.last(100)
+```
+
+**Note:** This approach is not intended to be used in the event of a breach or insider attack, as it’s trivial for someone with access to your infrastructure to bypass.
 
 ## Algorithms
 
 ### AES-GCM
 
-This is the default algorithm. Rotate the key every 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key.
+This is the default algorithm. It’s:
+
+- well-studied
+- NIST recommended
+- an IETF standard
+- fast thanks to a [dedicated instruction set](https://en.wikipedia.org/wiki/AES_instruction_set)
+
+**For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key. Each database field and file uploader use a different key (derived from the master key) to extend this window.
 
 ### XSalsa20
 
@@ -550,29 +643,54 @@ end
 
 **Note:** KMS Encrypted’s key rotation does not know to rotate encrypted files, so avoid calling `record.rotate_kms_key!` on models with file uploads for now.
 
-## Padding
+## Data Leakage
+
+While encryption hides the content of a message, an attacker can still get the length of the message (since the length of the ciphertext is the length of the message plus a constant number of bytes).
+
+Let’s say you want to encrypt the status of a candidate’s background check. Valid statuses are `clear`, `consider`, and `fail`. Even with the data encrypted, it’s trivial to map the ciphertext to a status.
+
+```ruby
+lockbox = Lockbox.new(key: key)
+lockbox.encrypt("fail").bytesize      # 32
+lockbox.encrypt("clear").bytesize     # 33
+lockbox.encrypt("consider").bytesize  # 36
+```
 
 Add padding to conceal the exact length of messages.
 
 ```ruby
-Lockbox.new(padding: true)
+lockbox = Lockbox.new(key: key, padding: true)
+lockbox.encrypt("fail").bytesize      # 44
+lockbox.encrypt("clear").bytesize     # 44
+lockbox.encrypt("consider").bytesize  # 44
+```
+
+The block size for padding is 16 bytes by default. If we have a status larger than 15 bytes, it will have a different length than the others.
+
+```ruby
+box.encrypt("length15status!").bytesize   # 44
+box.encrypt("length16status!!").bytesize  # 60
 ```
 
-The block size for padding is 16 bytes by default. Change this with:
+Change the block size with:
 
 ```ruby
 Lockbox.new(padding: 32) # bytes
 ```
 
-## Reference
+## Binary Columns
 
-Set default options in an initializer with:
+You can use `binary` columns for the ciphertext instead of `text` columns to save space.
 
 ```ruby
-Lockbox.default_options = {algorithm: "xsalsa20"}
+class AddEmailCiphertextToUsers < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :email_ciphertext, :binary
+  end
+end
 ```
 
-For database fields, encrypted data is encoded in Base64. If you use `binary` columns instead of `text` columns, set:
+You should disable Base64 encoding if you do this.
 
 ```ruby
 class User < ApplicationRecord
@@ -580,6 +698,12 @@ class User < ApplicationRecord
 end
 ```
 
+or set it globally:
+
+```ruby
+Lockbox.default_options = {encode: false}
+```
+
 ## Compatibility
 
 It’s easy to read encrypted data in another language if needed.

data/lib/generators/lockbox/audits_generator.rb

@@ -0,0 +1,32 @@
+require "rails/generators/active_record"
+
+module Lockbox
+  module Generators
+    class AuditsGenerator < Rails::Generators::Base
+      include ActiveRecord::Generators::Migration
+      source_root File.join(__dir__, "templates")
+
+      def copy_migration
+        migration_template "migration.rb", "db/migrate/create_lockbox_audits.rb", migration_version: migration_version
+        template "model.rb", "app/models/lockbox_audit.rb"
+      end
+
+      def migration_version
+        "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+      end
+
+      def data_type
+        # use connection_config instead of connection.adapter
+        # so database connection isn't needed
+        case ActiveRecord::Base.connection_config[:adapter].to_s
+        when /postg/i # postgres, postgis
+          "jsonb"
+        when /mysql/i
+          "json"
+        else
+          "text"
+        end
+      end
+    end
+  end
+end

data/lib/generators/lockbox/templates/migration.rb.tt

@@ -0,0 +1,12 @@
+class <%= migration_class_name %> < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table :lockbox_audits do |t|
+      t.references :subject, polymorphic: true
+      t.references :viewer, polymorphic: true
+      t.<%= data_type %> :data
+      t.string :context
+      t.string :ip
+      t.datetime :created_at
+    end
+  end
+end

data/lib/generators/lockbox/templates/model.rb.tt

@@ -0,0 +1,6 @@
+class LockboxAudit < ApplicationRecord
+  belongs_to :subject, polymorphic: true
+  belongs_to :viewer, polymorphic: true<% if data_type == "text" %>
+
+  serialize :data, JSON<% end %>
+end

data/lib/lockbox.rb

@@ -1,4 +1,5 @@
-# dependencies
+# stdlib
+require "base64"
 require "openssl"
 require "securerandom"
 
@@ -35,6 +36,8 @@ module Lockbox
   class DecryptionError < Error; end
   class PaddingError < Error; end
 
+  autoload :Audit, "lockbox/audit"
+
   extend Padding
 
   class << self
@@ -47,8 +50,12 @@ module Lockbox
     @master_key ||= ENV["LOCKBOX_MASTER_KEY"]
   end
 
-  def self.migrate(model, restart: false)
-    Migrator.new(model).migrate(restart: restart)
+  def self.migrate(relation, batch_size: 1000, restart: false)
+    Migrator.new(relation, batch_size: batch_size).migrate(restart: restart)
+  end
+
+  def self.rotate(relation, batch_size: 1000, attributes:)
+    Migrator.new(relation, batch_size: batch_size).rotate(attributes: attributes)
   end
 
   def self.generate_key

data/lib/lockbox/encryptor.rb

@@ -2,6 +2,7 @@ module Lockbox
   class Encryptor
     def initialize(**options)
       options = Lockbox.default_options.merge(options)
+      @encode = options.delete(:encode)
       previous_versions = options.delete(:previous_versions)
 
       @boxes =
@@ -11,10 +12,13 @@ module Lockbox
 
     def encrypt(message, **options)
       message = check_string(message, "message")
-      @boxes.first.encrypt(message, **options)
+      ciphertext = @boxes.first.encrypt(message, **options)
+      ciphertext = Base64.strict_encode64(ciphertext) if @encode
+      ciphertext
     end
 
     def decrypt(ciphertext, **options)
+      ciphertext = Base64.decode64(ciphertext) if @encode
       ciphertext = check_string(ciphertext, "ciphertext")
 
       # ensure binary

data/lib/lockbox/migrator.rb

@@ -1,58 +1,126 @@
 module Lockbox
   class Migrator
-    def initialize(model)
-      @model = model
+    def initialize(relation, batch_size:)
+      @relation = relation
+      @transaction = @relation.respond_to?(:transaction)
+      @batch_size = batch_size
     end
 
-    def migrate(restart:)
-      model = @model
+    def model
+      @model ||= @relation
+    end
+
+    def rotate(attributes:)
+      fields = {}
+      attributes.each do |a|
+        # use key instad of v[:attribute] to make it more intuitive when migrating: true
+        field = model.lockbox_attributes[a]
+        raise ArgumentError, "Bad attribute: #{a}" unless field
+        fields[a] = field
+      end
 
-      # get fields
+      perform(fields: fields)
+    end
+
+    # TODO add attributes option
+    def migrate(restart:)
       fields = model.lockbox_attributes.select { |k, v| v[:migrating] }
 
-      # get blind indexes
       blind_indexes = model.respond_to?(:blind_indexes) ? model.blind_indexes.select { |k, v| v[:migrating] } : {}
 
-      # build relation
-      relation = model.unscoped
+      perform(fields: fields, blind_indexes: blind_indexes, restart: restart)
+    end
+
+    private
+
+    def perform(fields:, blind_indexes: [], restart: true)
+      relation = @relation
+
+      # remove true condition in 0.4.0
+      if true || (defined?(ActiveRecord::Base) && base_relation.is_a?(ActiveRecord::Base))
+        relation = relation.unscoped
+      end
+
+      # convert from possible class to ActiveRecord::Relation or Mongoid::Criteria
+      relation = relation.all
 
       unless restart
         attributes = fields.map { |_, v| v[:encrypted_attribute] }
         attributes += blind_indexes.map { |_, v| v[:bidx_attribute] }
 
-        if defined?(ActiveRecord::Base) && model.is_a?(ActiveRecord::Base)
+        if defined?(ActiveRecord::Relation) && relation.is_a?(ActiveRecord::Relation)
+          base_relation = relation.unscoped
+          or_relation = relation.unscoped
+
           attributes.each_with_index do |attribute, i|
-            relation =
+            or_relation =
               if i == 0
-                relation.where(attribute => nil)
+                base_relation.where(attribute => nil)
               else
-                relation.or(model.unscoped.where(attribute => nil))
+                or_relation.or(base_relation.where(attribute => nil))
               end
           end
+
+          relation = relation.merge(or_relation)
+        else
+          relation = relation.or(attributes.map { |a| {a => nil} })
         end
       end
 
-      if relation.respond_to?(:find_each)
-        relation.find_each do |record|
-          migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
+      each_batch(relation) do |records|
+        migrate_records(records, fields: fields, blind_indexes: blind_indexes, restart: restart)
+      end
+    end
+
+    def each_batch(relation)
+      if relation.respond_to?(:find_in_batches)
+        relation.find_in_batches(batch_size: @batch_size) do |records|
+          yield records
         end
       else
+        # https://github.com/karmi/tire/blob/master/lib/tire/model/import.rb
+        # use cursor for Mongoid
+        records = []
         relation.all.each do |record|
-          migrate_record(record, fields: fields, blind_indexes: blind_indexes, restart: restart)
+          records << record
+          if records.length == @batch_size
+            yield records
+            records = []
+          end
         end
+        yield records if records.any?
       end
     end
 
-    private
+    def migrate_records(records, fields:, blind_indexes:, restart:)
+      # do computation outside of transaction
+      # especially expensive blind index computation
+      records.each do |record|
+        fields.each do |k, v|
+          record.send("#{v[:attribute]}=", record.send(k)) if restart || !record.send(v[:encrypted_attribute])
+        end
+        blind_indexes.each do |k, v|
+          record.send("compute_#{k}_bidx") if restart || !record.send(v[:bidx_attribute])
+        end
+      end
+
+      records.select! { |r| r.changed? }
 
-    def migrate_record(record, fields:, blind_indexes:, restart:)
-      fields.each do |k, v|
-        record.send("#{v[:attribute]}=", record.send(k)) if restart || !record.send(v[:encrypted_attribute])
+      with_transaction do
+        records.each do |record|
+          record.save!(validate: false)
+        end
       end
-      blind_indexes.each do |k, v|
-        record.send("compute_#{k}_bidx") if restart || !record.send(v[:bidx_attribute])
+    end
+
+    def with_transaction
+      if @transaction
+        @relation.transaction do
+          yield
+        end
+      else
+        yield
       end
-      record.save(validate: false) if record.changed?
     end
   end
 end

data/lib/lockbox/model.rb

@@ -280,9 +280,7 @@ module Lockbox
             if message.nil? || (message == "" && !options[:padding])
               message
             else
-              ciphertext = Lockbox::Utils.build_box(opts[:context], options, table, encrypted_attribute).encrypt(message)
-              ciphertext = Base64.strict_encode64(ciphertext) if options[:encode]
-              ciphertext
+              Lockbox::Utils.build_box(opts[:context], options, table, encrypted_attribute).encrypt(message)
             end
           end
 
@@ -291,7 +289,6 @@ module Lockbox
               if ciphertext.nil? || (ciphertext == "" && !options[:padding])
                 ciphertext
               else
-                ciphertext = Base64.decode64(ciphertext) if options[:encode]
                 table = activerecord ? table_name : collection_name.to_s
                 Lockbox::Utils.build_box(opts[:context], options, table, encrypted_attribute).decrypt(ciphertext)
               end

data/lib/lockbox/utils.rb

@@ -1,7 +1,7 @@
 module Lockbox
   class Utils
     def self.build_box(context, options, table, attribute)
-      options = options.except(:attribute, :encrypted_attribute, :migrating, :attached, :type, :encode)
+      options = options.except(:attribute, :encrypted_attribute, :migrating, :attached, :type)
       options.each do |k, v|
         if v.is_a?(Proc)
           options[k] = context.instance_exec(&v) if v.respond_to?(:call)
@@ -14,6 +14,15 @@ module Lockbox
         options[:key] = Lockbox.attribute_key(table: table, attribute: attribute, master_key: options.delete(:master_key))
       end
 
+      if options[:previous_versions].is_a?(Array)
+        options[:previous_versions] = options[:previous_versions].dup
+        options[:previous_versions].each_with_index do |version, i|
+          if !(version[:key] || version[:encryption_key] || version[:decryption_key]) && version[:master_key]
+            options[:previous_versions][i] = version.merge(key: Lockbox.attribute_key(table: table, attribute: attribute, master_key: version.delete(:master_key)))
+          end
+        end
+      end
+
       Lockbox.new(**options)
     end
 

data/lib/lockbox/version.rb

@@ -1,3 +1,3 @@
 module Lockbox
-  VERSION = "0.3.1"
+  VERSION = "0.3.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lockbox
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.3.2
 platform: ruby
 authors:
 - Andrew Kane
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-27 00:00:00.000000000 Z
+date: 2020-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -164,20 +164,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: mongoid
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 description: 
 email: andrew@chartkick.com
 executables: []
@@ -187,6 +173,9 @@ files:
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
+- lib/generators/lockbox/audits_generator.rb
+- lib/generators/lockbox/templates/migration.rb.tt
+- lib/generators/lockbox/templates/model.rb.tt
 - lib/lockbox.rb
 - lib/lockbox/active_storage_extensions.rb
 - lib/lockbox/aes_gcm.rb