lockbox 0.4.7 → 0.4.8

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3f8c447dd90537203a1a3038c347c10de0e48f5b29795b382a2a77019e6e5764
4
- data.tar.gz: 9133e9eb0c2132b7c77c39f8c24a3c27ea9b3cbb1d3d82f7f069b2db9992198f
3
+ metadata.gz: a560c020c3adf21952f81767ffc9b5b4586784f62d748f484e7bacbd4076a64a
4
+ data.tar.gz: 59d05b405b4cd46da679ef4f03a53fae03cc78d7cdfe89bab13cd6981b76a4da
5
5
  SHA512:
6
- metadata.gz: 4396ee4ead0de0592e7a3574b563f98d58f0402198dd8662cbdc374cc5f8a39e629f6397414b498456c665e8a635518db3a532056ecd42154206fde4ab938e5c
7
- data.tar.gz: 6057ea6f43db261580a0ee0ae13f1303251d2ee8ef2b1bcdba8399b6a858dca1fdf6c84e25f5da85a059a6d260be7094969e2118ff11a8c1d2565617c48f74cd
6
+ metadata.gz: 8d6217f47cc9c38ad8cf3db11b2a3a2936950b97f91ea168c5f2e4f8a1d9a5916c832286f08156869fbecf89d05dfc9bd7c4ecade9b9b4384488c936a292a1a6
7
+ data.tar.gz: 3ddf36244c68b6b0bebad62801366d9827e6bee520717f1d544cfc6a18e798c644a158b68ac295fa87cef45ce5b922f37e89c5e39a5882ccb9fe512e725e778b
@@ -1,3 +1,9 @@
1
+ ## 0.4.8 (2020-08-30)
2
+
3
+ - Added `key_table` and `key_attribute` options
4
+ - Added warning when no attributes specified
5
+ - Fixed error when Active Support partially loaded
6
+
1
7
  ## 0.4.7 (2020-08-18)
2
8
 
3
9
  - Added `lockbox_options` method to encrypted CarrierWave uploaders
data/README.md CHANGED
@@ -2,12 +2,10 @@
2
2
 
3
3
  :package: Modern encryption for Rails
4
4
 
5
- - Uses state-of-the-art algorithms
6
5
  - Works with database fields, files, and strings
6
+ - Maximizes compatibility with existing code and libraries
7
7
  - Makes migrating existing data and key rotation easy
8
8
 
9
- Lockbox aims to make encryption as friendly and intuitive as possible. Encrypted fields and files behave just like unencrypted ones for maximum compatibility with 3rd party libraries and existing code.
10
-
11
9
  Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [how to secure emails with Devise](https://ankane.org/securing-user-emails-lockbox), and [how to secure sensitive data in Rails](https://ankane.org/sensitive-data-rails).
12
10
 
13
11
  [![Build Status](https://travis-ci.org/ankane/lockbox.svg?branch=master)](https://travis-ci.org/ankane/lockbox)
@@ -89,6 +87,16 @@ User.create!(email: "hi@example.org")
89
87
 
90
88
  If you need to query encrypted fields, check out [Blind Index](https://github.com/ankane/blind_index).
91
89
 
90
+ #### Multiple Fields
91
+
92
+ You can specify multiple fields in single line.
93
+
94
+ ```ruby
95
+ class User < ApplicationRecord
96
+ encrypts :email, :phone, :city
97
+ end
98
+ ```
99
+
92
100
  #### Types
93
101
 
94
102
  Fields are strings by default. Specify the type of a field with:
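Review bot: The added "Multiple Fields" sentence reads "in single line" and should read "in a single line". The section should also say that `key_attribute` cannot be combined with this form, because the model change in this release raises `ArgumentError, "Cannot use key_attribute with multiple attributes"` when more than one attribute is passed.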
@@ -188,6 +196,14 @@ class User < ApplicationRecord
188
196
  end
189
197
  ```
190
198
 
199
+ #### Decryption
200
+
201
+ To decrypt data outside the model, use:
202
+
203
+ ```ruby
204
+ User.decrypt_email_ciphertext(user.email_ciphertext)
205
+ ```
206
+
191
207
  ## Action Text
192
208
 
193
209
  **Note:** Action Text uses direct uploads for files, which cannot be encrypted with application-level encryption like Lockbox. This only encrypts the database field.
@@ -222,6 +238,10 @@ Lockbox.encrypts_action_text_body
222
238
 
223
239
  And drop the unencrypted column.
224
240
 
241
+ #### Options
242
+
243
+ You can pass any Lockbox options to the `encrypts_action_text_body` method.
244
+
225
245
  ## Mongoid
226
246
 
227
247
  Add to your model:
@@ -743,15 +763,41 @@ Make sure `decryption_key` is `nil` on servers that shouldn’t decrypt.
743
763
 
744
764
  This uses X25519 for key exchange and XSalsa20 for encryption.
745
765
 
746
- ## Key Separation
766
+ ## Key Configuration
767
+
768
+ Lockbox supports a few different ways to set keys for database fields and files.
769
+
770
+ 1. Master key
771
+ 2. Per field/uploader
772
+ 3. Per record
773
+
774
+ ### Master Key
747
775
 
748
- The master key is used to generate unique keys for each column. This technique comes from [CipherSweet](https://ciphersweet.paragonie.com/internals/key-hierarchy). The table name and column name are both used in this process. If you need to rename a table with encrypted columns, or an encrypted column itself, get the key:
776
+ By default, the master key is used to generate unique keys for each field/uploader. This technique comes from [CipherSweet](https://ciphersweet.paragonie.com/internals/key-hierarchy). The table name and column/uploader name are both used in this process. You can get an individual key with:
749
777
 
750
778
  ```ruby
751
779
  Lockbox.attribute_key(table: "users", attribute: "email_ciphertext")
752
780
  ```
753
781
 
754
- And set it directly before renaming:
782
+ To rename a table with encrypted columns/uploaders, use:
783
+
784
+ ```ruby
785
+ class User < ApplicationRecord
786
+ encrypts :email, key_table: "original_table"
787
+ end
788
+ ```
789
+
790
+ To rename an encrypted column itself, use:
791
+
792
+ ```ruby
793
+ class User < ApplicationRecord
794
+ encrypts :email, key_attribute: "original_column"
795
+ end
796
+ ```
797
+
798
+ ### Per Field/Uploader
799
+
800
+ To set a key for an individual field/uploader, use a string:
755
801
 
756
802
  ```ruby
757
803
  class User < ApplicationRecord
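Review bot: The rename examples under "Master Key" do not say what form the `key_attribute` value takes: `"original_column"` could be read as the attribute name or as the ciphertext column name. The `Lockbox.attribute_key` call just above passes `attribute: "email_ciphertext"`, so a concrete value of that form in the example would remove the ambiguity. Since the table and column names both feed the key derivation, a wrong value for `key_table` or `key_attribute` yields a different key and existing ciphertext will not decrypt; the README should state that both options must match the names in use when the data was encrypted.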
@@ -759,6 +805,28 @@ class User < ApplicationRecord
759
805
  end
760
806
  ```
761
807
 
808
+ Or a proc:
809
+
810
+ ```ruby
811
+ class User < ApplicationRecord
812
+ encrypts :email, key: -> { code }
813
+ end
814
+ ```
815
+
816
+ ### Per Record
817
+
818
+ To use a different key for each record, use a symbol:
819
+
820
+ ```ruby
821
+ class User < ApplicationRecord
822
+ encrypts :email, key: :some_method
823
+
824
+ def some_method
825
+ # code to get key
826
+ end
827
+ end
828
+ ```
829
+
762
830
  ## Key Management
763
831
 
764
832
  You can use a key management service to manage your keys with [KMS Encrypted](https://github.com/ankane/kms_encrypted).
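Review bot: The proc example `key: -> { code }` uses a bare `code` placeholder that reads like a method call, and the section does not say in which context the proc is evaluated or what form the returned key must take. A comment placeholder as in the per-record example (`# code to get key`) would be clearer, and both the proc and symbol forms should document the expected key format.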
@@ -19,10 +19,12 @@ require "lockbox/version"
19
19
  require "lockbox/carrier_wave_extensions" if defined?(CarrierWave)
20
20
  require "lockbox/railtie" if defined?(Rails)
21
21
 
22
- if defined?(ActiveSupport)
22
+ if defined?(ActiveSupport::LogSubscriber)
23
23
  require "lockbox/log_subscriber"
24
24
  Lockbox::LogSubscriber.attach_to :lockbox
25
+ end
25
26
 
27
+ if defined?(ActiveSupport.on_load)
26
28
  ActiveSupport.on_load(:active_record) do
27
29
  extend Lockbox::Model
28
30
  extend Lockbox::Model::Attached
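Review bot: The two new guards, `defined?(ActiveSupport::LogSubscriber)` and `defined?(ActiveSupport.on_load)`, carry no comment explaining why the single `defined?(ActiveSupport)` check was insufficient. A one-line comment above each guard noting that Active Support may be only partially loaded, as the changelog entry says, would keep a later cleanup from merging them back into one check.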
@@ -27,6 +27,11 @@ module Lockbox
27
27
  activerecord = defined?(ActiveRecord::Base) && self < ActiveRecord::Base
28
28
  raise ArgumentError, "Type not supported yet with Mongoid" if options[:type] && !activerecord
29
29
 
30
+ # TODO raise ArgumentError in 0.5.0
31
+ warn "[lockbox] WARNING: No attributes specified" if attributes.empty?
32
+
33
+ raise ArgumentError, "Cannot use key_attribute with multiple attributes" if options[:key_attribute] && attributes.size > 1
34
+
30
35
  attributes.each do |name|
31
36
  # add default options
32
37
  encrypted_attribute = "#{name}_ciphertext"
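Review bot: In the empty-attributes case, the `warn "[lockbox] WARNING: No attributes specified"` line only prints a message and then falls through to `attributes.each`, which does nothing, so a model with a mistaken `encrypts` call ends up with no encrypted fields. Since the TODO defers the `ArgumentError` to 0.5.0, consider including the model name (`self`) in the warning so the offending class can be found from logs. The `key_attribute` check is fine as written, but the README's "Multiple Fields" section should mention the restriction.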
@@ -16,7 +16,13 @@ module Lockbox
16
16
  end
17
17
 
18
18
  unless options[:key] || options[:encryption_key] || options[:decryption_key]
19
- options[:key] = Lockbox.attribute_key(table: table, attribute: attribute, master_key: options.delete(:master_key), encode: false)
19
+ options[:key] =
20
+ Lockbox.attribute_key(
21
+ table: options.delete(:key_table) || table,
22
+ attribute: options.delete(:key_attribute) || attribute,
23
+ master_key: options.delete(:master_key),
24
+ encode: false
25
+ )
20
26
  end
21
27
 
22
28
  if options[:previous_versions].is_a?(Array)
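Review bot: `options.delete(:key_table)` and `options.delete(:key_attribute)` run only inside the `unless options[:key] || options[:encryption_key] || options[:decryption_key]` branch, so when a caller passes `key:` together with `key_table:` or `key_attribute:` those entries stay in `options` and reach whatever consumes the hash afterwards. Delete both keys before the `unless`, or raise an `ArgumentError` when they are combined with an explicit key, so the combination is either ignored cleanly or rejected with a clear message.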
@@ -1,3 +1,3 @@
1
1
  module Lockbox
2
- VERSION = "0.4.7"
2
+ VERSION = "0.4.8"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: lockbox
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.7
4
+ version: 0.4.8
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Kane
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-08-19 00:00:00.000000000 Z
11
+ date: 2020-08-31 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler