RubyGems - strongbox - Versions diffs - 0.4.1 → 0.4.2 - Mend

strongbox 0.4.1 → 0.4.2

Files changed (5) hide show

data/README.html ADDED Viewed

@@ -0,0 +1,88 @@
+<h1>Strongbox</h1>
+<p>Strongbox provides Public Key Encryption for ActiveRecord. By using a public key sensitive information can be encrypted and stored automatically. Once stored a password is required to access the information.</p>
+<p>Because the largest amount of data that can practically be encrypted with a public key is 245 byte, by default Strongbox uses a two layer approach. First it encrypts the attribute using symmetric encryption with a randomly generated key and initialization vector (IV) (which can just be through to as a second key), then it encrypts those with the public key.</p>
+<p>Strongbox stores the encrypted attribute in a database column by the same name, i.e. if you tell Strongbox to encrypt &#8220;secret&#8221; then it will be store in &#8220;secret&#8221; in the database, just as the unencrypted attribute would be. If symmetric encryption is used (the default) two additional columns &#8220;secret_key&#8221; and &#8220;secret_iv&#8221; are needed as well.</p>
+<p>The attribute is automatically encrypted simply by setting it:</p>
+user.secret = &#8220;Shhhhhhh&#8230;&#8221;
+<p>and decrypted by calling the &#8220;decrypt&#8221; method with the private key password.</p>
+plain_text = user.secret.decrypt &#8216;letmein&#8217;
+<h2>Quick Start</h2>
+<p>In your model:</p>
+<pre><code>class User &lt; ActiveRecord::Base
+  encrypt_with_public_key :secret,
+    :key_pair =&gt; File.join(RAILS_ROOT,'config','keypair.pem')
+end</code></pre>
+<p>In your migrations:</p>
+<pre><code>class AddSecretColumnsToUser &lt; ActiveRecord::Migration
+  def self.up
+    add_column :users, :secret, :binary
+    add_column :users, :secret_key, :binary
+    add_column :users, :secret_iv, :binary
+  end
+  def self.down
+    remove_column :users, :secret
+    remove_column :users, :secret_key
+    remove_column :users, :secret_iv
+  end
+end</code></pre>
+<p>Generate a key pair:</p>
+<p>(Choose a strong password.)</p>
+<pre><code>openssl genrsa -des3 -out config/private.pem 2048
+openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
+cat config/private.pem  config/public.pem &gt;&gt; config/keypair.pem</code></pre>
+<p>In your views and forms you don&#8217;t need to do anything special to encrypt data. To decrypt call:</p>
+<pre><code>user.secret.decrypt 'password'</code></pre>
+<h2>Gem installation (Rails 2.1+)</h2>
+<p>In config/environment.rb:</p>
+<pre><code>config.gem "strongbox"</code></pre>
+<h2>Usage</h2>
+<p><em>encrypt_with_public_key</em> sets up the attribute it&#8217;s called on for automatic encryption.  It&#8217;s simplest form is:</p>
+<pre><code>class User &lt; ActiveRecord::Base
+  encrypt_with_public_key :secret,
+    :key_pair =&gt; File.join(RAILS_ROOT,'config','keypair.pem')
+end</code></pre>
+<p>Which will encrypt the attribute &#8220;secret&#8221;. The attribute will be encrypted using symmetric encryption with an automatically generated key and IV encrypted using the public key. This requires three columns in the database &#8220;secret&#8221;, &#8220;secret_key&#8221;, and &#8220;secret_iv&#8221; (see below).</p>
+<p>Options to encrypt_with_public_key are:</p>
+<p>:public_key &#8211; Path to the public key file.  Overrides :keypair.</p>
+<p>:private_key &#8211; Path to the private key file.  Overrides :keypair.</p>
+<p>:keypair &#8211; Path to a file containing both the public and private keys.</p>
+<p>:symmetric :always/:never &#8211; Encrypt the date using symmetric encryption. The public key is used to encrypt an automatically generated key and IV. This allows for large amounts of data to be encrypted. The size of data that can be encrypted directly with the public is limit to key size (in bytes) &#8211; 11. So a 2048 key can encrypt <strong>245 bytes</strong>. Defaults to <strong>:always</strong>.</p>
+<p>:symmetric_cipher &#8211; Cipher to use for symmetric encryption.  Defaults to <strong>&#8216;aes-256-cbc&#8217;</strong>.  Other ciphers support by OpenSSL may be used.</p>
+<p>:base64 true/false &#8211; Use Base64 encoding to convert encrypted data to text. Use when binary save data storage is not available.  Defaults to <strong>false</strong>.</p>
+<p>:padding &#8211; Method used to pad data encrypted with the public key. Defaults to <strong>RSA_PKCS1_PADDING</strong>. The default should be fine unless you are dealing with legacy data.</p>
+<p>:ensure_required_columns &#8211; Make sure the required database columns exist.  Defaults to <strong>true</strong>, set to false if you want to encrypt/decrypt data stored outside of the database.</p>
+<p>For example, encrypting a small attribute, providing only the public key for extra security, and Base64 encoding the encrypted data:</p>
+<pre><code>class User &lt; ActiveRecord::Base
+  validates_length_of :pin_code, :is =&gt; 4
+  encrypt_with_public_key :pin_code,
+    :symmetric =&gt; :never,
+    :base64 =&gt; true,
+    :public_key =&gt; File.join(RAILS_ROOT,'config','public.pem')
+end</code></pre>
+<h2>Key Generation</h2>
+<p>Generate a key pair:</p>
+<pre><code>openssl genrsa -des3 -out config/private.pem 2048
+Generating RSA private key, 2048 bit long modulus
+......+++
+.+++
+e is 65537 (0x10001)
+Enter pass phrase for config/private.pem:
+Verifying - Enter pass phrase for config/private.pem:</code></pre>
+<p>and extract the the public key:</p>
+<pre><code>openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
+Enter pass phrase for config/private.pem:
+writing RSA key</code></pre>
+<p>If you are going to leave the private key installed it&#8217;s easiest to create a single key pair file:</p>
+<pre><code>cat config/private.pem  config/public.pem &gt;&gt; config/keypair.pem</code></pre>
+<p>Or, for added security, store the private key file else where, leaving only the public key.</p>
+<h2>Table Creation</h2>
+<p>In it&#8217;s default configuration Strongbox requires three columns, one the encrypted data, one for the encrypted symmetric key, and one for the encrypted symmetric IV. If symmetric encryption is disabled then only the columns for the data being encrypted is needed.</p>
+<p>If your underlying database allows, use the <strong>binary</strong> column type. If you must store your data in text format be sure to enable Base64 encoding and to use the <strong>text</strong> column type. If you use a <em>string</em> column and encrypt anything greater than 186 bytes (245 bytes if you don&#8217;t enable Base64 encoding) <strong>your data will be lost</strong>.</p>
+<h2>Security Caveats</h2>
+<p>If you don&#8217;t encrypt your data, then an attacker only needs to steal that data to get your secrets.</p>
+<p>If encrypt your data using symmetric encrypts and a stored key, then the attacker needs the data and the key stored on the server.</p>
+<p>If you use public key encryption, the attacker needs the data, the private key, and the password. This means the attacker has to sniff the password somehow, so that&#8217;s what you need to protect against.</p>
+<h2>Authors</h2>
+<p>Spike Ilacqua</p>
+<h2>Thanks</h2>
+<p>Strongbox&#8217;s implementation drew inspiration from Thoughtbot&#8217;s Paperclip gem http://www.thoughtbot.com/projects/paperclip</p>

data/README.textile CHANGED Viewed

@@ -1,19 +1,10 @@
 h1. Strongbox
-Strongbox provides Public Key Encryption for ActiveRecord. By using a public key
-sensitive information can be encrypted and stored automatically. Once stored a
-password is required to access the information.
+Strongbox provides Public Key Encryption for ActiveRecord. By using a public key sensitive information can be encrypted and stored automatically. Once stored a password is required to access the information.
-Because the largest amount of data that can practically be encrypted with a public
-key is 245 byte, by default Strongbox uses a two layer approach. First it encrypts
-the attribute using symmetric encryption with a randomly generated key and
-initialization vector (IV) (which can just be through to as a second key), then it
-encrypts those with the public key.
+Because the largest amount of data that can practically be encrypted with a public key is 245 byte, by default Strongbox uses a two layer approach. First it encrypts the attribute using symmetric encryption with a randomly generated key and initialization vector (IV) (which can just be through to as a second key), then it encrypts those with the public key.
-Strongbox stores the encrypted attribute in a database column by the same name, i.e.
-if you tell Strongbox to encrypt "secret" then it will be store in "secret" in the
-database, just as the unencrypted attribute would be. If symmetric encryption is used
-(the default) two additional columns "secret_key" and "secret_iv" are needed as well.
+Strongbox stores the encrypted attribute in a database column by the same name, i.e. if you tell Strongbox to encrypt "secret" then it will be store in "secret" in the database, just as the unencrypted attribute would be. If symmetric encryption is used (the default) two additional columns "secret_key" and "secret_iv" are needed as well.
 The attribute is automatically encrypted simply by setting it:
@@ -55,8 +46,7 @@ bc. openssl genrsa -des3 -out config/private.pem 2048
 openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
 cat config/private.pem  config/public.pem >> config/keypair.pem
-In your views and forms you don't need to do anything special to encrypt data. To
-decrypt call:
+In your views and forms you don't need to do anything special to encrypt data. To decrypt call:
 bc. user.secret.decrypt 'password'
@@ -68,18 +58,14 @@ bc. config.gem "strongbox"
 h2. Usage
-_encrypt_with_public_key_ sets up the attribute it's called on for automatic
-encryption.  It's simplest form is:
+_encrypt_with_public_key_ sets up the attribute it's called on for automatic encryption.  It's simplest form is:
 bc. class User < ActiveRecord::Base
   encrypt_with_public_key :secret,
     :key_pair => File.join(RAILS_ROOT,'config','keypair.pem')
 end
-Which will encrypt the attribute "secret". The attribute will be encrypted using
-symmetric encryption with an automatically generated key and IV encrypted using the
-public key. This requires three columns in the database "secret", "secret_key", and
-"secret_iv" (see below).
+Which will encrypt the attribute "secret". The attribute will be encrypted using symmetric encryption with an automatically generated key and IV encrypted using the public key. This requires three columns in the database "secret", "secret_key", and "secret_iv" (see below).
 Options to encrypt_with_public_key are:
@@ -89,22 +75,17 @@ Options to encrypt_with_public_key are:
 :keypair - Path to a file containing both the public and private keys.
-:symmetric :always/:never - Encrypt the date using symmetric encryption. The public
-key is used to encrypt an automatically generated key and IV. This allows for large
-amounts of data to be encrypted. The size of data that can be encrypted directly with
-the public is limit to key size (in bytes) - 11. So a 2048 key can encrypt *245 bytes*. Defaults to :always
+:symmetric :always/:never - Encrypt the date using symmetric encryption. The public key is used to encrypt an automatically generated key and IV. This allows for large amounts of data to be encrypted. The size of data that can be encrypted directly with the public is limit to key size (in bytes) - 11. So a 2048 key can encrypt *245 bytes*. Defaults to *:always*.
 :symmetric_cipher - Cipher to use for symmetric encryption.  Defaults to *'aes-256-cbc'*.  Other ciphers support by OpenSSL may be used.
-:base64 true/false - Use Base64 encoding to convert encrypted data to text. Use when
-binary save data storage is not available.  Defaults to *false*
+:base64 true/false - Use Base64 encoding to convert encrypted data to text. Use when binary save data storage is not available.  Defaults to *false*.
-:padding - Method used to pad data encrypted with the public key. Defaults to
-RSA_PKCS1_PADDING. The default should be fine unless you are dealing with legacy
-data.
+:padding - Method used to pad data encrypted with the public key. Defaults to *RSA_PKCS1_PADDING*. The default should be fine unless you are dealing with legacy data.
-For example, encrypting a small attribute, providing only the public key for extra
-security, and Base64 encoding the encrypted data:
+:ensure_required_columns - Make sure the required database column(s) exist.  Defaults to *true*, set to false if you want to encrypt/decrypt data stored outside of the database.
+For example, encrypting a small attribute, providing only the public key for extra security, and Base64 encoding the encrypted data:
 bc. class User < ActiveRecord::Base
   validates_length_of :pin_code, :is => 4
@@ -132,8 +113,7 @@ bc. openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubo
 Enter pass phrase for config/private.pem:
 writing RSA key
-If you are going to leave the private key installed it's easiest to create a single
-key pair file:
+If you are going to leave the private key installed it's easiest to create a single key pair file:
 bc. cat config/private.pem  config/public.pem >> config/keypair.pem
@@ -141,27 +121,18 @@ Or, for added security, store the private key file else where, leaving only the
 h2. Table Creation
-In it's default configuration Strongbox requires three columns, one the encrypted
-data, one for the encrypted symmetric key, and one for the encrypted symmetric IV. If
-symmetric encryption is disabled then only the columns for the data being encrypted
-is needed.
+In it's default configuration Strongbox requires three columns, one the encrypted data, one for the encrypted symmetric key, and one for the encrypted symmetric IV. If symmetric encryption is disabled then only the columns for the data being encrypted is needed.
-If your underlying database allows, use the *binary* column type. If you must store
-your data in text format be sure to enable Base64 encoding and to use the *text*
-column type. If you use a _string_ column and encrypt anything greater than 186 bytes (245 bytes if you don't enable Base64 encoding) *your data will be lost*.
+If your underlying database allows, use the *binary* column type. If you must store your data in text format be sure to enable Base64 encoding and to use the *text* column type. If you use a _string_ column and encrypt anything greater than 186 bytes (245 bytes if you don't enable Base64 encoding) *your data will be lost*.
 h2. Security Caveats
-If you don't encrypt your data, then an attacker only needs to steal that data to get
-your secrets.
+If you don't encrypt your data, then an attacker only needs to steal that data to get your secrets.
-If encrypt your data using symmetric encrypts and a stored key, then the attacker
-needs the data and the key stored on the server.
+If encrypt your data using symmetric encrypts and a stored key, then the attacker needs the data and the key stored on the server.
-If you use public key encryption, the attacker needs the data, the private key, and
-the password. This means the attacker has to sniff the password somehow, so that's
-what you need to protect against.
+If you use public key encryption, the attacker needs the data, the private key, and the password. This means the attacker has to sniff the password somehow, so that's what you need to protect against.
 h2. Authors
@@ -169,6 +140,5 @@ Spike Ilacqua
 h2. Thanks
-Strongbox's implementation drew inspiration from Thoughtbot's Paperclip gem
-http://www.thoughtbot.com/projects/paperclip
+Strongbox's implementation drew inspiration from Thoughtbot's Paperclip gem http://www.thoughtbot.com/projects/paperclip

data/lib/strongbox.rb CHANGED Viewed

@@ -5,13 +5,13 @@ require 'strongbox/lock'
 module Strongbox
-  VERSION = "0.4.1"
+  VERSION = "0.4.2"
   RSA_PKCS1_PADDING	= OpenSSL::PKey::RSA::PKCS1_PADDING
   RSA_SSLV23_PADDING	= OpenSSL::PKey::RSA::SSLV23_PADDING
   RSA_NO_PADDING		= OpenSSL::PKey::RSA::NO_PADDING
   RSA_PKCS1_OAEP_PADDING	= OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
   class << self
     # Provides for setting the default options for Strongbox
     def options
@@ -19,10 +19,11 @@ module Strongbox
         :base64 => false,
         :symmetric => :always,
         :padding => RSA_PKCS1_PADDING,
-        :symmetric_cipher => 'aes-256-cbc'
+        :symmetric_cipher => 'aes-256-cbc',
+        :ensure_required_columns => true
       }
     end
     def included base #:nodoc:
       base.extend ClassMethods
     end
@@ -30,7 +31,7 @@ module Strongbox
   class StrongboxError < StandardError #:nodoc:
   end
   module ClassMethods
     # +encrypt_with_public_key+ gives the class it is called on an attribute that
     # when assigned is automatically encrypted using a public key.  This allows the
@@ -49,18 +50,18 @@ module Strongbox
       lock_options[name] = options.symbolize_keys.reverse_merge Strongbox.options
       define_method name do
         lock_for(name)
       end
       define_method "#{name}=" do | plaintext |
         lock_for(name).encrypt plaintext
       end
     end
   end
   module InstanceMethods
     def lock_for name
       @_locks ||= {}

data/lib/strongbox/lock.rb CHANGED Viewed

@@ -1,17 +1,17 @@
 module Strongbox
-  # The Lock class encrypts and decrypts the protected attribute.  It
+  # The Lock class encrypts and decrypts the protected attribute.  It
   # automatically encrypts the data when set and decrypts it when the private
   # key password is provided.
   class Lock
     def initialize name, instance, options = {}
       @name              = name
       @instance          = instance
       @size = nil
       options = Strongbox.options.merge(options)
       @base64 = options[:base64]
       @public_key = options[:public_key] || options[:key_pair]
       @private_key = options[:private_key] || options[:key_pair]
@@ -20,10 +20,11 @@ module Strongbox
       @symmetric_cipher = options[:symmetric_cipher]
       @symmetric_key = options[:symmetric_key] || "#{name}_key"
       @symmetric_iv = options[:symmetric_iv] || "#{name}_iv"
+      @ensure_required_columns = options[:ensure_required_columns]
     end
     def encrypt plaintext
-      ensure_required_columns
+      ensure_required_columns  if @ensure_required_columns
       unless @public_key
         raise StrongboxError.new("#{@instance.class} model does not have public key_file")
       end
@@ -55,22 +56,22 @@ module Strongbox
         @instance[@name] = ciphertext
       end
     end
     # Given the private key password decrypts the attribute.  Will raise
     # OpenSSL::PKey::RSAError if the password is wrong.
-    def decrypt password = nil
+    def decrypt password = nil, ciphertext = nil
       # Given a private key and a nil password OpenSSL::PKey::RSA.new() will
       # *prompt* for a password, we default to an empty string to avoid that.
-      ciphertext = @instance[@name]
+      ciphertext ||= @instance[@name]
       return nil if ciphertext.nil?
       return "" if ciphertext.empty?
       return "*encrypted*" if password.nil?
       unless @private_key
         raise StrongboxError.new("#{@instance.class} model does not have private key_file")
       end
       if ciphertext
         ciphertext = Base64.decode64(ciphertext) if @base64
         private_key = get_rsa_key(@private_key,password)
@@ -94,20 +95,20 @@ module Strongbox
         nil
       end
     end
     def to_s
       decrypt
     end
     # Needed for validations
     def blank?
       @instance[@name].blank?
     end
     def nil?
       @instance[@name].nil?
     end
     def size
       @size
     end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: strongbox
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.2
 platform: ruby
 authors:
 - Spike Ilacqua
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-10-09 00:00:00 -06:00
+date: 2011-01-17 00:00:00 -07:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -53,6 +53,7 @@ extra_rdoc_files: []
 files:
 - LICENSE
 - Rakefile
+- README.html
 - README.textile
 - init.rb
 - lib/strongbox/lock.rb