strongbox 0.6.0 → 0.7.0

data/.travis.yml

@@ -0,0 +1,10 @@
+rvm:
+  - 1.9.2
+  - 1.9.3
+  - 1.8.7
+
+gemfile:
+  - gemfiles/2.3.gemfile
+  - gemfiles/3.0.gemfile
+  - gemfiles/3.1.gemfile
+  - gemfiles/3.2.gemfile

data/README.md

@@ -0,0 +1,271 @@
+# Strongbox
+
+Strongbox provides [Public Key
+Encryption](http://en.wikipedia.org/wiki/Public-key_cryptography) for
+ActiveRecord. By using a public key, sensitive information can be
+encrypted and stored automatically. Once stored a password is required
+to access the information.
+
+Because the largest amount of data that can practically be encrypted
+with a public key is 245 bytes, by default Strongbox uses a two layer
+approach. First it encrypts the attribute using symmetric encryption
+with a randomly generated key and initialization vector (IV) (which
+can just be thought of as a second key), then it encrypts those with
+the public key.
+
+Strongbox stores the encrypted attribute in a database column by the
+same name, i.e. if you tell Strongbox to encrypt "secret" then it will
+be store in `secret` in the database, just as the unencrypted
+attribute would be. If symmetric encryption is used (the default) two
+additional columns `secret_key` and `secret_iv` are needed as well.
+
+The attribute is automatically encrypted simply by setting it:
+
+```ruby
+user.secret = "Shhhhhhh..."
+```
+
+and decrypted by calling the `decrypt` method with the private key password.
+
+```ruby
+plain_text = user.secret.decrypt 'letmein'
+```
+
+## Environment
+
+Strongbox is tested against Rails 2.3 and 3.x using Ruby 1.8.7, 1.9.2,
+and 1.9.3.
+
+## Installation
+
+Include the gem in your Gemfile:
+
+```ruby
+gem "strongbox"
+```
+
+Still using 2.x without a Gemfile? Put the following in
+`config/environment.rb`:
+
+```ruby
+config.gem "strongbox"
+```
+
+## Quick Start
+
+In your model:
+
+```ruby
+class User < ActiveRecord::Base
+  encrypt_with_public_key :secret,
+    :key_pair => Rails.root.join('config','keypair.pem')
+end
+```
+  
+In your migrations:
+
+```ruby
+class AddSecretColumnsToUser < ActiveRecord::Migration
+  def change
+    add_column :users, :secret, :binary
+    add_column :users, :secret_key, :binary
+    add_column :users, :secret_iv, :binary
+  end
+end
+```
+  
+Generate a key pair:
+
+(Choose a strong password.)
+
+```shell
+openssl genrsa -des3 -out config/private.pem 2048
+openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
+cat config/private.pem  config/public.pem >> config/keypair.pem
+```
+
+In your views and forms you don't need to do anything special to
+encrypt data. To decrypt call:
+
+```ruby
+user.secret.decrypt 'password'
+```
+
+## Usage
+
+The `encrypt_with_public_key` method sets up the attribute it's called
+on for automatic encryption.  It's simplest form is:
+
+```ruby
+class User < ActiveRecord::Base
+  encrypt_with_public_key :secret,
+    :key_pair => Rails.root.join('config','keypair.pem')
+end
+```
+
+Which will encrypt the attribute `secret`. The attribute will be
+encrypted using symmetric encryption with an automatically generated
+key and IV encrypted using the public key. This requires three columns
+in the database `secret`, `secret_key`, and `secret_iv` (see below).
+
+Options to `encrypt_with_public_key` are:
+
+* `:public_key` - Public key. Overrides :key_pair. See Key Formats below.
+
+* `:private_key` - Private key. Overrides :key_pair.
+
+* `:key_pair` - Key pair, containing both the public and private keys.
+
+* `:symmetric` `:always`/`:never` - Encrypt the date using symmetric encryption. The public key is used to encrypt an automatically generated key and IV. This allows for large amounts of data to be encrypted. The size of data that can be encrypted directly with the public is limit to key size (in bytes) - 11. So a 2048 key can encrypt *245 bytes*. Defaults to `:always`.
+
+* `:symmetric_cipher` - Cipher to use for symmetric encryption. Defaults to `aes-256-cbc`. Other ciphers support by OpenSSL may be used.
+
+* `:base64` `true`/`false` - Use Base64 encoding to convert encrypted data to text. Use when binary save data storage is not available.  Defaults to `false`.
+
+* `:padding` - Method used to pad data encrypted with the public key. Defaults to `RSA_PKCS1_PADDING`. The default should be fine unless you are dealing with legacy data.
+
+* `:ensure_required_columns` - Make sure the required database column(s) exist.  Defaults to `true`, set to `false` if you want to encrypt/decrypt data stored outside of the database.
+
+For example, encrypting a small attribute, providing only the public
+key for extra security, and Base64 encoding the encrypted data:
+
+```ruby
+class User < ActiveRecord::Base
+  validates_length_of :pin_code, :is => 4
+  encrypt_with_public_key :pin_code, 
+    :symmetric => :never,
+    :base64 => true,
+    :public_key => Rails.root.join('config','public.pem')
+end
+```
+
+Strongbox can encrypt muliple attributes. `encrypt_with_public_key`
+accepts a list of attributes, assuming they will use the same options:
+
+```ruby
+class User < ActiveRecord::Base
+  encrypt_with_public_key :secret, :double_secret,
+    :key_pair => Rails.root.join('config','keypair.pem')
+end
+```
+
+If you need different options, call `encrypt_with_public_key` for each
+attribute:
+
+```ruby
+class User < ActiveRecord::Base
+  encrypt_with_public_key :secret,
+    :key_pair => Rails.root.join('config','keypair.pem')
+  encrypt_with_public_key :double_secret,
+    :key_pair => Rails.root.join('config','another_key.pem')
+end
+```
+
+## Key Formats
+
+`:public_key`, `:private_key`, and `:key_pair` can be in one of the
+following formats:
+
+* A string containing path to a file. This is the default interpretation of a string.
+* A string contanting a key in PEM format, needs to match this the regex `/^-+BEGIN .* KEY-+$/`
+* A symbol naming a method to call. Can return any of the other valid key formats.
+* A instance of `OpenSSL::PKey::RSA`. Must be unlocked to be used as the private key.
+
+## Key Generation
+
+### In the shell
+
+Generate a key pair:
+
+```shell
+openssl genrsa -des3 -out config/private.pem 2048
+Generating RSA private key, 2048 bit long modulus
+......+++
+.+++
+e is 65537 (0x10001)
+Enter pass phrase for config/private.pem:
+Verifying - Enter pass phrase for config/private.pem:
+```
+
+and extract the the public key:
+
+```shell
+openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
+Enter pass phrase for config/private.pem:
+writing RSA key
+```
+
+If you are going to leave the private key installed it's easiest to
+create a single key pair file:
+
+```shell
+cat config/private.pem  config/public.pem >> config/keypair.pem
+```
+
+Or, for added security, store the private key file else where, leaving
+only the public key.
+
+### In code
+
+```ruby
+require 'openssl'
+rsa_key = OpenSSL::PKey::RSA.new(2048)
+cipher =  OpenSSL::Cipher::Cipher.new('des3')
+private_key = rsa_key.to_pem(cipher,'password')
+public_key = rsa_key.public_key.to_pem
+key_pair = private_key + public_key
+```
+
+`private_key`, `public_key`, and `key_pair` are strings, store as you see fit.
+
+## Table Creation
+
+In it's default configuration Strongbox requires three columns, one
+the encrypted data, one for the encrypted symmetric key, and one for
+the encrypted symmetric IV. If symmetric encryption is disabled then
+only the columns for the data being encrypted is needed.
+
+If your underlying database allows, use the **binary** column type. If
+you must store your data in text format be sure to enable Base64
+encoding and to use the *text* column type. If you use a *string*
+column and encrypt anything greater than 186 bytes (245 bytes if you
+don't enable Base64 encoding) **your data will be lost**.
+
+## Nil and Blank Attributes
+
+By default, attributes set to nil will remain encrypted to protect all
+information about the attribute. However, attributes may be set back
+to true nil explicitly:
+
+```ruby
+# Outside the model
+@object[:secret] = nil # or ''
+# Inside the model
+self[:secret] = '' # or nil
+```
+
+A setting to allow nil and blank attributes by default will be forth
+coming.
+
+## Security Caveats
+
+If you don't encrypt your data, then an attacker only needs to steal
+that data to get your secrets.
+
+If encrypt your data using symmetric encrypts and a stored key, then
+the attacker needs the data and the key stored on the server.
+
+If you use public key encryption, the attacker needs the data, the
+private key, and the password. This means the attacker has to sniff
+the password somehow, so that's what you need to protect against.
+
+## Authors
+
+Spike Ilacqua
+
+## Thanks
+
+Strongbox's implementation drew inspiration from Thoughtbot's
+[Paperclip gem](https://github.com/thoughtbot/paperclip).
+
+Thanks to everyone who's contributed!

data/Rakefile

@@ -3,7 +3,7 @@ Bundler::GemHelper.install_tasks
 
 require 'rake'
 require 'rake/testtask'
-require 'rake/rdoctask'
+require 'rdoc/task'
 
 $LOAD_PATH << File.join(File.dirname(__FILE__), 'lib')
 require 'strongbox'
@@ -36,4 +36,4 @@ end
 desc "Build the gem"
 task :build  => :gemspec do
   Gem::Builder.new($spec).build
-end
+end

data/gemfiles/.gitignore

@@ -0,0 +1 @@
+*.lock

data/gemfiles/2.3.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", "~> 2.3.15"
+gem "strongbox", :path=>"../"
+
+gemspec :path=>"../"

data/gemfiles/3.0.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", "~> 3.0.19"
+gem "strongbox", :path=>"../"
+
+gemspec :path=>"../"

data/gemfiles/3.1.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", "~> 3.1.10"
+gem "strongbox", :path=>"../"
+
+gemspec :path=>"../"

data/gemfiles/3.2.gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+gem "rails", "~> 3.2.10"
+gem "strongbox", :path=>"../"
+
+gemspec :path=>"../"

data/lib/strongbox.rb

@@ -5,7 +5,7 @@ require 'strongbox/lock'
 
 module Strongbox
 
-  VERSION = "0.6.0"
+  VERSION = "0.7.0"
 
   RSA_PKCS1_PADDING	= OpenSSL::PKey::RSA::PKCS1_PADDING
   RSA_SSLV23_PADDING	= OpenSSL::PKey::RSA::SSLV23_PADDING

data/lib/strongbox/lock.rb

@@ -143,7 +143,9 @@ private
 
       return key if key.is_a?(OpenSSL::PKey::RSA)
 
-      if key !~ /^-+BEGIN .* KEY-+$/
+      if key.respond_to?(:read)
+        key = key.read
+      elsif key !~ /^-+BEGIN .* KEY-+$/
         key = File.read(key)
       end
       return OpenSSL::PKey::RSA.new(key,password)

data/strongbox.gemspec

@@ -18,6 +18,8 @@ Gem::Specification.new do |s|
   s.files = `git ls-files`.split("\n")
   s.test_files = `git ls-files -- test/*`.split("\n")
   s.add_runtime_dependency 'activerecord'
-  s.add_development_dependency 'thoughtbot-shoulda'
-  s.add_development_dependency 'sqlite3'
+  s.add_development_dependency 'thoughtbot-shoulda', '>= 2.9.0'
+  s.add_development_dependency 'sqlite3', '~> 1.3.7'
+  s.add_development_dependency 'rake', '>= 10.0.0'
+  s.add_development_dependency 'rdoc', '>= 2.4.0'
 end

data/test/method_key_test.rb

@@ -0,0 +1,77 @@
+require 'test/test_helper'
+
+class MethodKeyTest < Test::Unit::TestCase
+  context 'With an attribute containing a string for the key pair' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => :key_pair_attribute
+      Dummy.class_eval do
+        attr_accessor :key_pair_attribute
+      end
+
+      @dummy = Dummy.new
+      @dummy.key_pair_attribute = File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With a methods returning the key pair' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => :key_pair_method
+      Dummy.class_eval do
+        def key_pair_method
+          File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+        end
+      end
+
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With attributes containing strings for the keys' do
+    setup do
+      @password = 'boost facile'
+      rsa_key = OpenSSL::PKey::RSA.new(2048)
+      cipher =  OpenSSL::Cipher::Cipher.new('des3')
+      rebuild_model :public_key => :public_key_attribute,
+                    :private_key => :private_key_attribute
+      Dummy.class_eval do
+        attr_accessor :public_key_attribute, :private_key_attribute
+      end
+      @dummy = Dummy.new
+      @dummy.public_key_attribute = rsa_key.public_key.to_pem
+      @dummy.private_key_attribute = rsa_key.to_pem(cipher,@password)
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With methods returning the keys' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :public_key => :public_key_method,
+                    :private_key => :private_key_method
+      Dummy.class_eval do
+        def public_key_method
+          File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+        end
+
+        def private_key_method
+          File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+        end
+      end
+
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+end

data/test/proc_key_test.rb

@@ -0,0 +1,57 @@
+require 'test/test_helper'
+
+class ProcKeyTest < Test::Unit::TestCase
+  context 'With a Proc returning a string for a key pair' do
+    setup do
+      @password = 'boost facile'
+      rebuild_model :key_pair => Proc.new {
+        File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+      }
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With a Proc returning a key object' do
+    setup do
+      @password = 'boost facile'
+      @private_key = OpenSSL::PKey::RSA.new(2048)
+      rebuild_model :key_pair => Proc.new { @private_key }
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With Procs returning public and private key strings' do
+    setup do
+      @password = 'boost facile'
+      @key_pair = File.read(File.join(FIXTURES_DIR,'keypair.pem'))
+
+      rebuild_model :public_key => Proc.new { @key_pair },
+                    :private_key => Proc.new { @key_pair } 
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+
+  context 'With Procs returning public and private key objects' do
+    setup do
+      @password = 'boost facile'
+      @private_key = OpenSSL::PKey::RSA.new(2048)
+      @public_key = @private_key.public_key
+
+      rebuild_model :public_key => Proc.new { @public_key },
+                    :private_key => Proc.new { @private_key } 
+      @dummy = Dummy.new
+      @dummy.secret = 'Shhhh'
+    end
+
+    should_encypted_and_decrypt
+  end
+end

data/test/strongbox_multiply_test.rb

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 require 'test/test_helper'
 
-class StrongboxMultiPlyTest < Test::Unit::TestCase
+class StrongboxMultiplyTest < Test::Unit::TestCase
   context 'A Class with two secured fields' do
     setup do
       @password = 'boost facile'

data/test/strongbox_test.rb

@@ -46,7 +46,7 @@ class StrongboxTest < Test::Unit::TestCase
          end
        end
 
-       should 'impliment to_json' do
+       should 'implement to_json' do
         assert_nothing_raised do
           @dummy.secret.to_json
         end
@@ -156,11 +156,11 @@ class StrongboxTest < Test::Unit::TestCase
   end
 
   context 'when a private key is not provided' do
-     setup do
+    setup do
       @password = 'boost facile'
       rebuild_class(:public_key => File.join(FIXTURES_DIR,'keypair.pem'))
       @dummy = Dummy.new(:secret => 'Shhhh')
-     end
+    end
 
     should 'raise on decrypt with a password' do
       assert_raises(Strongbox::StrongboxError) do

data/test/test_helper.rb

@@ -2,12 +2,10 @@ ROOT       = File.join(File.dirname(__FILE__), '..')
 RAILS_ROOT = ROOT
 $LOAD_PATH << File.join(ROOT, 'lib')
 
-require 'rubygems'
 require 'test/unit'
 require 'sqlite3'
 require 'active_record'
 require 'logger'
-gem 'thoughtbot-shoulda', ">= 2.9.0"
 require 'shoulda'
 begin require 'redgreen'; rescue LoadError; end
 
@@ -55,12 +53,12 @@ end
 
 def assert_has_errors_on(model,attribute)
   # Rails 2.X && Rails 3.X
-  !model.errors[attribute].empty?
+  assert !model.errors[attribute].empty?
 end
 
 def assert_does_not_have_errors_on(model,attribute)
   # Rails 2.X                     Rails 3.X
-  model.errors[attribute].nil? || model.errors[attribute].empty?
+  assert model.errors[attribute].nil? || model.errors[attribute].empty?
 end
 
 def generate_key_pair(password = nil,size = 2048)

data/test/validations_test.rb

@@ -26,7 +26,6 @@ class ValidationsTest < Test::Unit::TestCase
     
     context 'using validates_length_of' do
       setup do
-        rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'))
         Dummy.send(:validates_length_of,
                    :secret,
                    :in => 5..10,
@@ -64,7 +63,6 @@ class ValidationsTest < Test::Unit::TestCase
     if defined?(ActiveModel::Validations)  # Rails 3
       context 'using validates for length' do
         setup do
-          rebuild_class(:key_pair => File.join(FIXTURES_DIR,'keypair.pem'))
           Dummy.send(:validates,
                      :secret,
                      :length => {:minimum => 4, :maximum => 16})

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: strongbox
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-18 00:00:00.000000000Z
+date: 2013-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
-  requirement: &70366421924900 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,29 +21,76 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70366421924900
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: thoughtbot-shoulda
-  requirement: &70366421905620 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.9.0
   type: :development
   prerelease: false
-  version_requirements: *70366421905620
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.9.0
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &70366421904420 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.3.7
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.3.7
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 10.0.0
   type: :development
   prerelease: false
-  version_requirements: *70366421904420
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 10.0.0
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.4.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.4.0
 description: ! "    Strongbox provides Public Key Encryption for ActiveRecord. By
   using a\n    public key sensitive information can be encrypted and stored automatically.\n
   \   Once stored a password is required to access the information. dependencies\n
@@ -54,10 +101,16 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .travis.yml
 - Gemfile
 - LICENSE
-- README.textile
+- README.md
 - Rakefile
+- gemfiles/.gitignore
+- gemfiles/2.3.gemfile
+- gemfiles/3.0.gemfile
+- gemfiles/3.1.gemfile
+- gemfiles/3.2.gemfile
 - init.rb
 - lib/strongbox.rb
 - lib/strongbox/lock.rb
@@ -66,7 +119,9 @@ files:
 - test/database.yml
 - test/fixtures/encrypted
 - test/fixtures/keypair.pem
+- test/method_key_test.rb
 - test/missing_attributes_test.rb
+- test/proc_key_test.rb
 - test/strongbox_multiply_test.rb
 - test/strongbox_test.rb
 - test/test_helper.rb
@@ -91,7 +146,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Secures ActiveRecord fields with public key encryption.
@@ -99,7 +154,9 @@ test_files:
 - test/database.yml
 - test/fixtures/encrypted
 - test/fixtures/keypair.pem
+- test/method_key_test.rb
 - test/missing_attributes_test.rb
+- test/proc_key_test.rb
 - test/strongbox_multiply_test.rb
 - test/strongbox_test.rb
 - test/test_helper.rb

data/README.textile

@@ -1,182 +0,0 @@
-h1. Strongbox
-
-Strongbox provides Public Key Encryption for ActiveRecord. By using a public key sensitive information can be encrypted and stored automatically. Once stored a password is required to access the information.
-
-Because the largest amount of data that can practically be encrypted with a public key is 245 byte, by default Strongbox uses a two layer approach. First it encrypts the attribute using symmetric encryption with a randomly generated key and initialization vector (IV) (which can just be through to as a second key), then it encrypts those with the public key.
-
-Strongbox stores the encrypted attribute in a database column by the same name, i.e. if you tell Strongbox to encrypt "secret" then it will be store in "secret" in the database, just as the unencrypted attribute would be. If symmetric encryption is used (the default) two additional columns "secret_key" and "secret_iv" are needed as well.
-
-The attribute is automatically encrypted simply by setting it:
-
-  user.secret = "Shhhhhhh..."
-
-and decrypted by calling the "decrypt" method with the private key password.
-
-  plain_text = user.secret.decrypt 'letmein'
-
-h2. Quick Start
-
-In your model:
-
-bc. class User < ActiveRecord::Base
-  encrypt_with_public_key :secret,
-    :key_pair => File.join(RAILS_ROOT,'config','keypair.pem')
-end
-  
-In your migrations:
-
-bc. class AddSecretColumnsToUser < ActiveRecord::Migration
-  def self.up
-    add_column :users, :secret, :binary
-    add_column :users, :secret_key, :binary
-    add_column :users, :secret_iv, :binary
-  end
-  def self.down
-    remove_column :users, :secret
-    remove_column :users, :secret_key
-    remove_column :users, :secret_iv
-  end  
-end
-  
-Generate a key pair:
-
-(Choose a strong password.)
-
-bc. openssl genrsa -des3 -out config/private.pem 2048
-openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
-cat config/private.pem  config/public.pem >> config/keypair.pem
-
-In your views and forms you don't need to do anything special to encrypt data. To decrypt call:
-
-bc. user.secret.decrypt 'password'
-
-h2. Gem installation (Rails 2.1+)
-
-In config/environment.rb:
-
-bc. config.gem "strongbox"
-
-h2. Usage
-
-_encrypt_with_public_key_ sets up the attribute it's called on for automatic encryption.  It's simplest form is:
-
-bc. class User < ActiveRecord::Base
-  encrypt_with_public_key :secret,
-    :key_pair => File.join(RAILS_ROOT,'config','keypair.pem')
-end
-
-Which will encrypt the attribute "secret". The attribute will be encrypted using symmetric encryption with an automatically generated key and IV encrypted using the public key. This requires three columns in the database "secret", "secret_key", and "secret_iv" (see below).
-
-Options to encrypt_with_public_key are:
-
-:public_key -  Public key.  Overrides :key_pair. See Key Formats below.
-
-:private_key - Private key.  Overrides :key_pair.
-
-:key_pair - Key pair, containing both the public and private keys.
-
-:symmetric :always/:never - Encrypt the date using symmetric encryption. The public key is used to encrypt an automatically generated key and IV. This allows for large amounts of data to be encrypted. The size of data that can be encrypted directly with the public is limit to key size (in bytes) - 11. So a 2048 key can encrypt *245 bytes*. Defaults to *:always*.
-
-:symmetric_cipher - Cipher to use for symmetric encryption.  Defaults to *'aes-256-cbc'*.  Other ciphers support by OpenSSL may be used.
-
-:base64 true/false - Use Base64 encoding to convert encrypted data to text. Use when binary save data storage is not available.  Defaults to *false*.
-
-:padding - Method used to pad data encrypted with the public key. Defaults to *RSA_PKCS1_PADDING*. The default should be fine unless you are dealing with legacy data.
-
-:ensure_required_columns - Make sure the required database column(s) exist.  Defaults to *true*, set to false if you want to encrypt/decrypt data stored outside of the database.
-
-For example, encrypting a small attribute, providing only the public key for extra security, and Base64 encoding the encrypted data:
-
-bc. class User < ActiveRecord::Base
-  validates_length_of :pin_code, :is => 4
-  encrypt_with_public_key :pin_code, 
-    :symmetric => :never,
-    :base64 => true,
-    :public_key => File.join(RAILS_ROOT,'config','public.pem')
-end
-
-Strongbox can encrypt muliple attributes. _encrypt_with_public_key_ accepts a list of attributes, assuming they will use the same options:
-
-bc. class User < ActiveRecord::Base
-  encrypt_with_public_key :secret, :double_secret,
-    :key_pair => File.join(RAILS_ROOT,'config','keypair.pem')
-end
-
-If you need different options, call _encrypt_with_public_key_ for each attribute:
-
-bc. class User < ActiveRecord::Base
-  encrypt_with_public_key :secret,
-    :key_pair => File.join(RAILS_ROOT,'config','keypair.pem')
-  encrypt_with_public_key :double_secret,
-    :key_pair => File.join(RAILS_ROOT,'config','another_key.pem')
-end
-
-h2 Key Formats
-
-_:public_key_, _:private_key_, and _:key_pair_ can be in one of the following formats:
-
-* A string containing path to a file. This is the default interpretation of a string.
-* A string contanting a key in PEM format, needs to match this the regex /^-+BEGIN .* KEY-+$/
-* A symbol naming a method to call. Can return any of the other valid key formats.
-* A instance of OpenSSL::PKey::RSA. Must be unlocked to be used as the private key.
-
-h2. Key Generation
-
-h3. In the shell
-
-Generate a key pair:
-
-bc. openssl genrsa -des3 -out config/private.pem 2048
-Generating RSA private key, 2048 bit long modulus
-......+++
-.+++
-e is 65537 (0x10001)
-Enter pass phrase for config/private.pem:
-Verifying - Enter pass phrase for config/private.pem:
-
-and extract the the public key:
-
-bc. openssl rsa -in config/private.pem -out config/public.pem -outform PEM -pubout
-Enter pass phrase for config/private.pem:
-writing RSA key
-
-If you are going to leave the private key installed it's easiest to create a single key pair file:
-
-bc. cat config/private.pem  config/public.pem >> config/keypair.pem
-
-Or, for added security, store the private key file else where, leaving only the public key.
-
-h3. In code
-
-bc. require 'openssl'
-rsa_key = OpenSSL::PKey::RSA.new(2048)
-cipher =  OpenSSL::Cipher::Cipher.new('des3')
-private_key = rsa_key.to_pem(cipher,'password')
-public_key = rsa_key.public_key.to_pem
-key_pair = private_key + public_key
-
-_private_key_, _public_key_, and _key_pair_ are strings, store as you see fit.
-
-h2. Table Creation
-
-In it's default configuration Strongbox requires three columns, one the encrypted data, one for the encrypted symmetric key, and one for the encrypted symmetric IV. If symmetric encryption is disabled then only the columns for the data being encrypted is needed.
-
-If your underlying database allows, use the *binary* column type. If you must store your data in text format be sure to enable Base64 encoding and to use the *text* column type. If you use a _string_ column and encrypt anything greater than 186 bytes (245 bytes if you don't enable Base64 encoding) *your data will be lost*.
-
-
-h2. Security Caveats
-
-If you don't encrypt your data, then an attacker only needs to steal that data to get your secrets.
-
-If encrypt your data using symmetric encrypts and a stored key, then the attacker needs the data and the key stored on the server.
-
-If you use public key encryption, the attacker needs the data, the private key, and the password. This means the attacker has to sniff the password somehow, so that's what you need to protect against.
-
-h2. Authors
-
-Spike Ilacqua
-
-h2. Thanks
-
-Strongbox's implementation drew inspiration from Thoughtbot's Paperclip gem http://www.thoughtbot.com/projects/paperclip
-