symmetric-encryption 0.2.0 → 0.3.0

data/lib/symmetric/encryption.rb

@@ -10,141 +10,62 @@ module Symmetric
   # be distributed separately from the application
   class Encryption
 
-    # Binary encrypted data includes this magic header so that we can quickly
-    # identify binary data versus base64 encoded data that does not have this header
-    unless defined? MAGIC_HEADER
-      MAGIC_HEADER = '@EnC'
-      MAGIC_HEADER_SIZE = MAGIC_HEADER.size
-    end
-
-    # The minimum length for an encrypted string
-    def self.min_encrypted_length
-      @@min_encrypted_length ||= encrypt('1').length
-    end
-
-    # Returns [true|false] a best effort determination as to whether the supplied
-    # string is encrypted or not, without incurring the penalty of actually
-    # decrypting the supplied data
-    #   Parameters:
-    #     encrypted_data: Encrypted string
-    def self.encrypted?(encrypted_data)
-      # Simple checks first
-      return false if (encrypted_data.length < min_encrypted_length) || (!encrypted_data.end_with?("\n"))
-      # For now have to decrypt it fully
-      begin
-        decrypt(encrypted_data) ? true : false
-      rescue
-        false
-      end
-    end
+    # Defaults
+    @@cipher = nil
+    @@secondary_ciphers = []
 
-    # Set the Symmetric Cipher to be used
+    # Set the Primary Symmetric Cipher to be used
     def self.cipher=(cipher)
+      raise "Cipher must be similar to Symmetric::Ciphers" unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt) && cipher.respond_to?(:encrypted?)
       @@cipher = cipher
     end
 
-    # Returns the Symmetric Cipher being used
+    # Returns the Primary Symmetric Cipher being used
     def self.cipher
       @@cipher
     end
 
-    # Set the Symmetric Key to use for encryption and decryption
-    def self.key=(key)
-      @@key = key
-    end
-
-    # Set the Initialization Vector to use with Symmetric Key
-    def self.iv=(iv)
-      @@iv = iv
-    end
-
-    # Defaults
-    @@key = nil
-    @@iv = nil
-
-    # Load the Encryption Configuration from a YAML file
-    #  filename: Name of file to read.
-    #        Mandatory for non-Rails apps
-    #        Default: Rails.root/config/symmetry.yml
-    def self.load!(filename=nil, environment=nil)
-      config = YAML.load_file(filename || File.join(Rails.root, "config", "symmetric-encryption.yml"))[environment || Rails.env]
-      self.cipher = config['cipher'] || 'aes-256-cbc'
-      symmetric_key = config['symmetric_key']
-      symmetric_iv = config['symmetric_iv']
-
-      # Hard coded symmetric_key?
-      if symmetric_key
-        self.key = symmetric_key
-        self.iv = symmetric_iv
-      else
-        load_keys(config['symmetric_key_filename'], config['symmetric_iv_filename'], config['private_rsa_key'])
+    # Set the Secondary Symmetric Ciphers Array to be used
+    def self.secondary_ciphers=(secondary_ciphers)
+      raise "secondary_ciphers must be a collection" unless secondary_ciphers.respond_to? :each
+      secondary_ciphers.each do |cipher|
+        raise "secondary_ciphers can only consist of Symmetric::Ciphers" unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt) && cipher.respond_to?(:encrypted?)
       end
-      true
+      @@secondary_ciphers = secondary_ciphers
     end
 
-    # Load the symmetric key to use for encrypting and decrypting data
-    # Call from environment.rb before calling encrypt or decrypt
-    #
-    # private_key: Key used to unlock file containing the actual symmetric key
-    def self.load_keys(key_filename, iv_filename, private_key)
-      # Load Encrypted Symmetric keys
-      encrypted_key = File.read(key_filename)
-      encrypted_iv = File.read(iv_filename)
-
-      # Decrypt Symmetric Key
-      rsa = OpenSSL::PKey::RSA.new(private_key)
-      @@key = rsa.private_decrypt(encrypted_key)
-      @@iv = rsa.private_decrypt(encrypted_iv)
-      nil
-    end
-
-    # Generate new random symmetric keys for use with this Encryption library
-    #
-    # Creates Symmetric Key .key
-    #   and initilization vector .iv
-    #       which is encrypted with the above Public key
-    #
-    # Note: Existing files will be overwritten
-    def self.generate_symmetric_key_files(filename=nil, environment=nil)
-      # Temporary: Generate private key manually for now. Will automate soon.
-      #new_key = OpenSSL::PKey::RSA.generate(2048)
-
-      filename ||= File.join(Rails.root, "config", "symmetric-encryption.yml")
-      environment ||= (Rails.env || ENV['RAILS'])
-      config = YAML.load_file(filename)[environment]
-
-      raise "Missing mandatory 'key_filename' for environment:#{environment} in #{filename}" unless key_filename = config['symmetric_key_filename']
-      iv_filename = config['symmetric_iv_filename']
-      raise "Missing mandatory 'private_key' for environment:#{environment} in #{filename}" unless private_key = config['private_rsa_key']
-      rsa_key = OpenSSL::PKey::RSA.new(private_key)
-
-      # To ensure compatibility with C openssl code, remove RSA from pub file headers
-      #File.open(File.join(rsa_keys_path, 'private.key'), 'w') {|file| file.write(new_key.to_pem)}
-
-      # Generate Symmetric Key
-      openssl_cipher = OpenSSL::Cipher::Cipher.new(config['cipher'] || 'aes-256-cbc')
-      openssl_cipher.encrypt
-      @@key = openssl_cipher.random_key
-      @@iv = openssl_cipher.random_iv if iv_filename
-
-      # Save symmetric key after encrypting it with the private asymmetric key
-      File.open(key_filename, 'wb') {|file| file.write( rsa_key.public_encrypt(@@key) ) }
-      File.open(iv_filename, 'wb') {|file| file.write( rsa_key.public_encrypt(@@iv) ) } if iv_filename
-      puts("Generated new Symmetric Key for encryption. Please copy #{key_filename} and #{iv_filename} to the other web servers in #{environment}.")
-    end
-
-    # Generate a 22 character random password
-    def self.random_password
-      Base64.encode64(OpenSSL::Cipher::Cipher.new('aes-128-cbc').random_key)[0..-4]
+    # Returns the Primary Symmetric Cipher being used
+    def self.secondary_ciphers
+      @@secondary_ciphers
     end
 
     # AES Symmetric Decryption of supplied string
     #  Returns decrypted string
     #  Returns nil if the supplied str is nil
     #  Returns "" if it is a string and it is empty
+    #
+    # Note: If secondary ciphers are supplied in the configuration file the
+    #   first key will be used to decrypt 'str'. If it fails each cipher in the
+    #   order supplied will be tried.
+    #   It is slow to try each cipher in turn, so should be used during migrations
+    #   only
+    #
+    # Raises: OpenSSL::Cipher::CipherError when 'str' was not encrypted using
+    # the supplied key and iv
+    #
     def self.decrypt(str)
-      return str if str.nil? || (str.is_a?(String) && str.empty?)
-      self.crypt(:decrypt, Base64.decode64(str))
+      raise "Call Symmetric::Encryption.load! or Symmetric::Encryption.cipher= prior to encrypting or decrypting data" unless @@cipher
+      begin
+        @@cipher.decrypt(str)
+      rescue OpenSSL::Cipher::CipherError => exc
+        @@secondary_ciphers.each do |cipher|
+          begin
+            return cipher.decrypt(str)
+          rescue OpenSSL::Cipher::CipherError
+          end
+        end
+        raise exc
+      end
     end
 
     # AES Symmetric Encryption of supplied string
@@ -152,8 +73,8 @@ module Symmetric
     #  Returns nil if the supplied str is nil
     #  Returns "" if it is a string and it is empty
     def self.encrypt(str)
-      return str if str.nil? || (str.is_a?(String) && str.empty?)
-      Base64.encode64(self.crypt(:encrypt, str))
+      raise "Call Symmetric::Encryption.load! or Symmetric::Encryption.cipher= prior to encrypting or decrypting data" unless @@cipher
+      @@cipher.encrypt(str)
     end
 
     # Invokes decrypt
@@ -165,82 +86,176 @@ module Symmetric
     # in the test or development environments but still need to be able to load
     # YAML config files that contain encrypted development and production passwords
     def self.try_decrypt(str)
-      self.decrypt(str) rescue nil
+      raise "Call Symmetric::Encryption.load! or Symmetric::Encryption.cipher= prior to encrypting or decrypting data" unless @@cipher
+      begin
+        decrypt(str)
+      rescue OpenSSL::Cipher::CipherError
+        nil
+      end
     end
 
-    # AES Symmetric Encryption of supplied string
-    #  Returns result as a binary encrypted string
-    #  Returns nil if the supplied str is nil or empty
-    # Parameters
-    #  compress => Whether to compress the supplied string using zip before
-    #              encrypting
-    #              true | false
-    #              Default false
-    def self.encrypt_binary(str, compress=false)
-      return nil if str.nil? || (str.is_a?(String) && str.empty?)
-      # Bit Layout
-      # 15    => Compressed?
-      # 0..14 => Version number of encryption key/algorithm currently 0
-      flags = 0 # Same as 0b0000_0000_0000_0000
-      # If the data is to be compressed before being encrypted, set the flag and
-      # compress using zlib. Only compress if data is greater than 15 chars
-      str = str.to_s unless str.is_a?(String)
-      if compress && str.length > 15
-        flags |= 0b1000_0000_0000_0000
-        begin
-          ostream = StringIO.new
-          gz = Zlib::GzipWriter.new(ostream)
-          gz.write(str)
-          str = ostream.string
-        ensure
-          gz.close
+    # Returns [true|false] a best effort determination as to whether the supplied
+    # string is encrypted or not, without incurring the penalty of actually
+    # decrypting the supplied data
+    #   Parameters:
+    #     encrypted_data: Encrypted string
+    def self.encrypted?(encrypted_data)
+      raise "Call Symmetric::Encryption.load! or Symmetric::Encryption.cipher= prior to encrypting or decrypting data" unless @@cipher
+      @@cipher.encrypted?(encrypted_data)
+    end
+
+    # Load the Encryption Configuration from a YAML file
+    #  filename:
+    #    Name of file to read.
+    #        Mandatory for non-Rails apps
+    #        Default: Rails.root/config/symmetric-encryption.yml
+    #  environment:
+    #    Which environments config to load. Usually: production, development, etc.
+    #    Default: Rails.env
+    def self.load!(filename=nil, environment=nil)
+      config = read_config(filename, environment)
+
+      # Check for hard coded key, iv and cipher
+      if config[:key]
+        @@cipher = Cipher.new(config)
+        @@secondary_ciphers = []
+      else
+        private_rsa_key = config[:private_rsa_key]
+        @@cipher, *@@secondary_ciphers = config[:ciphers].collect do |cipher_conf|
+          cipher_from_encrypted_files(
+            private_rsa_key,
+            cipher_conf[:cipher],
+            cipher_conf[:key_filename],
+            cipher_conf[:iv_filename])
         end
       end
-      return nil unless encrypted = self.crypt(:encrypt, str)
-      # Resulting buffer consists of:
-      #   '@EnC'
-      #   unsigned short (32 bits) in little endian format for flags above
-      #   'actual encrypted buffer data'
-      "#{MAGIC_HEADER}#{[flags].pack('v')}#{encrypted}"
+
+      true
     end
 
-    # AES Symmetric Decryption of supplied Binary string
-    #  Returns decrypted string
-    #  Returns nil if the supplied str is nil
-    #  Returns "" if it is a string and it is empty
-    def self.decrypt_binary(str)
-      return str if str.nil? || (str.is_a?(String) && str.empty?)
-      str = str.to_s unless str.is_a?(String)
-      encrypted = if str.starts_with? MAGIC_HEADER
-        # Remove header and extract flags
-        header, flags = str.unpack(@@unpack ||= "A#{MAGIC_HEADER_SIZE}v")
-        # Uncompress if data is compressed and remove header
-        if flags & 0b1000_0000_0000_0000
-          begin
-            gz = Zlib::GzipReader.new(StringIO.new(str[MAGIC_HEADER_SIZE,-1]))
-            gz.read
-          ensure
-            gz.close
-          end
-        else
-          str[MAGIC_HEADER_SIZE,-1]
+    # Future: Generate private key in config file generator
+    #new_key = OpenSSL::PKey::RSA.generate(2048)
+
+    # Generate new random symmetric keys for use with this Encryption library
+    #
+    # Note: Only the current Encryption key settings are used
+    #
+    # Creates Symmetric Key .key
+    #   and initilization vector .iv
+    #       which is encrypted with the above Public key
+    #
+    # Warning: Existing files will be overwritten
+    def self.generate_symmetric_key_files(filename=nil, environment=nil)
+      config = read_config(filename, environment)
+      cipher_cfg = config[:ciphers].first
+      key_filename = cipher_cfg[:key_filename]
+      iv_filename = cipher_cfg[:iv_filename]
+      cipher = cipher_cfg[:cipher]
+
+      raise "The configuration file must contain a 'private_rsa_key' parameter to generate symmetric keys" unless config[:private_rsa_key]
+      rsa_key = OpenSSL::PKey::RSA.new(config[:private_rsa_key])
+
+      # Generate a new Symmetric Key pair
+      key_pair = Symmetric::Cipher.random_key_pair(cipher || 'aes-256-cbc', !iv_filename.nil?)
+
+      # Save symmetric key after encrypting it with the private RSA key, backing up existing files if present
+      File.rename(key_filename, "#{key_filename}.#{Time.now.to_i}") if File.exist?(key_filename)
+      File.open(key_filename, 'wb') {|file| file.write( rsa_key.public_encrypt(key_pair[:key]) ) }
+
+      if iv_filename
+        File.rename(iv_filename, "#{iv_filename}.#{Time.now.to_i}") if File.exist?(iv_filename)
+        File.open(iv_filename, 'wb') {|file| file.write( rsa_key.public_encrypt(key_pair[:iv]) ) }
+      end
+      puts("Generated new Symmetric Key for encryption. Please copy #{key_filename} and #{iv_filename} to the other web servers in #{environment}.")
+    end
+
+    # Generate a 22 character random password
+    def self.random_password
+      Base64.encode64(OpenSSL::Cipher.new('aes-128-cbc').random_key)[0..-4]
+    end
+
+    protected
+
+    # Returns the Encryption Configuration
+    #
+    # Read the configuration from the YAML file and return in the latest format
+    #
+    #  filename:
+    #    Name of file to read.
+    #        Mandatory for non-Rails apps
+    #        Default: Rails.root/config/symmetric-encryption.yml
+    #  environment:
+    #    Which environments config to load. Usually: production, development, etc.
+    def self.read_config(filename=nil, environment=nil)
+      config = YAML.load_file(filename || File.join(Rails.root, "config", "symmetric-encryption.yml"))[environment || Rails.env]
+
+      # Default cipher
+      default_cipher = config['cipher'] || 'aes-256-cbc'
+      cfg = {}
+
+      # Hard coded symmetric_key? - Dev / Testing use only!
+      if symmetric_key = (config['key'] || config['symmetric_key'])
+        raise "Symmetric::Encryption Cannot hard code Production encryption keys in #{filename}" if (environment || Rails.env) == 'production'
+        cfg[:key]     = symmetric_key
+        cfg[:iv]      = config['iv'] || config['symmetric_iv']
+        cfg[:cipher]  = default_cipher
+
+      elsif ciphers = config['ciphers']
+        raise "Missing mandatory config parameter 'private_rsa_key'" unless cfg[:private_rsa_key] = config['private_rsa_key']
+
+        cfg[:ciphers] = ciphers.collect do |cipher_cfg|
+          key_filename = cipher_cfg['key_filename'] || cipher_cfg['symmetric_key_filename']
+          raise "Missing mandatory 'key_filename' for environment:#{environment} in #{filename}" unless key_filename
+          iv_filename = cipher_cfg['iv_filename'] || cipher_cfg['symmetric_iv_filename']
+          {
+            :cipher       => cipher_cfg['cipher'] || default_cipher,
+            :key_filename => key_filename,
+            :iv_filename  => iv_filename,
+          }
         end
+
       else
-        Base64.decode64(str)
+        # Migrate old format config
+        raise "Missing mandatory config parameter 'private_rsa_key'" unless cfg['private_rsa_key'] = config['private_rsa_key']
+        cfg[:ciphers] = [ {
+            :cipher       => cipher['cipher'] || default_cipher,
+            :key_filename => config['symmetric_key_filename'],
+            :iv_filename  => config['symmetric_iv_filename'],
+          } ]
       end
-      self.crypt(:decrypt, encrypted)
+
+      cfg
     end
 
-    protected
+    # Returns an instance of Symmetric::Cipher initialized from keys
+    # stored in files
+    #
+    # Raises an Exception on failure
+    #
+    # Parameters:
+    #   cipher
+    #     Encryption cipher for the symmetric encryption key
+    #   private_key
+    #     Key used to unlock file containing the actual symmetric key
+    #   key_filename
+    #     Name of file containing symmetric key encrypted using the public
+    #     key matching the supplied private_key
+    #   iv_filename
+    #     Optional. Name of file containing symmetric key initialization vector
+    #     encrypted using the public key matching the supplied private_key
+    def self.cipher_from_encrypted_files(private_rsa_key, cipher, key_filename, iv_filename = nil)
+      # Load Encrypted Symmetric keys
+      encrypted_key = File.read(key_filename)
+      encrypted_iv = File.read(iv_filename) if iv_filename
 
-    def self.crypt(cipher_method, string) #:nodoc:
-      openssl_cipher = OpenSSL::Cipher::Cipher.new(self.cipher)
-      openssl_cipher.send(cipher_method)
-      raise "Encryption.key must be set before calling Encryption encrypt or decrypt" unless @@key
-      openssl_cipher.key = @@key
-      openssl_cipher.iv = @@iv if @@iv
-      result = openssl_cipher.update(string.to_s)
-      result << openssl_cipher.final
+      # Decrypt Symmetric Keys
+      rsa = OpenSSL::PKey::RSA.new(private_rsa_key)
+      iv = rsa.private_decrypt(encrypted_iv) if iv_filename
+      Cipher.new(
+        :key    => rsa.private_decrypt(encrypted_key),
+        :iv     => iv,
+        :cipher => cipher
+      )
     end
 
   end

data/lib/symmetric/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module Symmetric #:nodoc
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/lib/symmetric-encryption.rb

@@ -1,4 +1,5 @@
 require 'symmetric/version'
+require 'symmetric/cipher'
 require 'symmetric/encryption'
 if defined?(Rails)
   require 'symmetric/railtie'

data/test/attr_encrypted_test.rb

@@ -9,26 +9,10 @@ require 'shoulda'
 require 'active_record'
 require 'symmetric-encryption'
 
-# #TODO Need to supply the model and migrations for this test
-# Adding to existing AR model User
-# Unit Test for Symmetric::Encryption
-#
-
-#ROOT = File.join(File.dirname(__FILE__), '..')
-
-#['/lib', '/db'].each do |folder|
-#  $:.unshift File.join(ROOT, folder)
-#end
-
 ActiveRecord::Base.logger = Logger.new($stderr)
 ActiveRecord::Base.configurations = YAML::load(ERB.new(IO.read('test/config/database.yml')).result)
 ActiveRecord::Base.establish_connection('test')
 
-#ActiveRecord::Base.connection.create_database 'symmetric_encryption_test', :charset => :utf8
-#require 'db/schema'
-
-#The file db/schema.rb contains, for example:
-
 ActiveRecord::Schema.define :version => 0 do
   create_table :users, :force => true do |t|
     t.string :encrypted_bank_account_number
@@ -44,6 +28,10 @@ class User < ActiveRecord::Base
   validates :encrypted_social_security_number, :symmetric_encrypted => true
 end
 
+#
+# Unit Test for attr_encrypted and validation aspects of Symmetric::Encryption
+#
+
 class AttrEncryptedTest < Test::Unit::TestCase
   context 'initialized' do
 
@@ -66,10 +54,10 @@ class AttrEncryptedTest < Test::Unit::TestCase
 
         setup do
           @bank_account_number = "1234567890"
-          @bank_account_number_encrypted = "QUxoUU8O/mi0o9ykgXNBFg==\n"
+          @bank_account_number_encrypted = "L94ArJeFlJrZp6SYsvoOGA==\n"
 
           @social_security_number = "987654321"
-          @social_security_number_encrypted = "Jj7dKb3B0aUCnqH/YKGvKw==\n"
+          @social_security_number_encrypted = "S+8X1NRrqdfEIQyFHVPuVA==\n"
 
           @user = User.new(
             # Encrypted Attribute

data/test/cipher_test.rb

@@ -0,0 +1,71 @@
+# Allow examples to be run in-place without requiring a gem install
+$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib'
+
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'symmetric/cipher'
+
+# Unit Test for Symmetric::Cipher
+#
+class CipherTest < Test::Unit::TestCase
+  context 'standalone' do
+
+    should "allow setting the cipher" do
+      cipher = Symmetric::Cipher.new(
+        :cipher => 'aes-128-cbc',
+        :key => '1234567890ABCDEF1234567890ABCDEF',
+        :iv  => '1234567890ABCDEF'
+      )
+      assert_equal 'aes-128-cbc', cipher.cipher
+    end
+
+    should "not require an iv" do
+      cipher = Symmetric::Cipher.new(
+        :key => '1234567890ABCDEF1234567890ABCDEF'
+      )
+      assert_equal "wjzpl29q+tsxyLBWAQsn5g==\n", cipher.encrypt('Hello World')
+    end
+
+    should "throw an exception on bad data" do
+      cipher = Symmetric::Cipher.new(
+        :cipher => 'aes-128-cbc',
+        :key => '1234567890ABCDEF1234567890ABCDEF',
+        :iv  => '1234567890ABCDEF'
+      )
+      assert_raise OpenSSL::Cipher::CipherError do
+        cipher.decrypt('bad data')
+      end
+    end
+
+  end
+
+  context 'with configuration' do
+    setup do
+      @cipher = Symmetric::Cipher.new(
+        :key => '1234567890ABCDEF1234567890ABCDEF',
+        :iv  => '1234567890ABCDEF'
+      )
+      @social_security_number = "987654321"
+      @social_security_number_encrypted = "Qd0qzN6oVuATJQBTf8X6tg==\n"
+    end
+
+    should "default to 'aes-256-cbc'" do
+      assert_equal 'aes-256-cbc', @cipher.cipher
+    end
+
+    should "encrypt simple string" do
+      assert_equal @social_security_number_encrypted, @cipher.encrypt(@social_security_number)
+    end
+
+    should "decrypt string" do
+      assert_equal @social_security_number, @cipher.decrypt(@social_security_number_encrypted)
+    end
+
+    should "determine if string is encrypted" do
+      assert_equal true, @cipher.encrypted?(@social_security_number_encrypted)
+      assert_equal false, @cipher.encrypted?(@social_security_number)
+    end
+
+  end
+end

data/test/config/symmetric-encryption.yml

@@ -1,9 +1,10 @@
 #
-# Test Config
+# Test Config with multiple keys
 #
 ---
 test:
-  # Sample RSA Key, do not use this one as is, generate a new one
+  # Test RSA Key, DO NOT use this RSA key, generate a new one using
+  #    openssl genrsa 2048
   private_rsa_key: |
     -----BEGIN RSA PRIVATE KEY-----
     MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
@@ -33,11 +34,14 @@ test:
     r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
     -----END RSA PRIVATE KEY-----
 
-  # Filename containing Symmetric Encryption Key
-  # Note: The file contents must be RSA 2048 bit encrypted
-  #       with the public key derived from the private key above
-  symmetric_key_filename: test/config/test.key
-  symmetric_iv_filename:  test/config/test.iv
+  ciphers:
+    # Current / Newest Symmetric Encryption Key
+    - key_filename: /Users/rmorrison/Sandbox/symmetric-encryption/test/config/test_new.key
+      iv_filename:  /Users/rmorrison/Sandbox/symmetric-encryption/test/config/test_new.iv
+      cipher:       aes-128-cbc
+
+    # Previous Symmetric Encryption Key
+    - key_filename: /Users/rmorrison/Sandbox/symmetric-encryption/test/config/test_secondary_1.key
+      iv_filename:  /Users/rmorrison/Sandbox/symmetric-encryption/test/config/test_secondary_1.iv
+      cipher:       aes-128-cbc
 
-  # Use aes-256-cbc encryption
-  cipher: aes-256-cbc

data/test/config/test_secondary_1.iv

@@ -0,0 +1 @@
+N�ʤd�X0��Vܝ���5]��$�y؎��=���Mq>�pP����g
Y���}+_�0�)�6���{�F�gN���#��Gρ'�۪���Q�I-�+f���S��~�x|t����C~�h�t8l��V簤�z+�ĺO�MKz"7N��?<�?ր�5B��D�<mq!ۺcH򯼜wHcH��?�]/_�s���[��iH^:��ٰ�{V�|�C~y\�B�y Fc,8i�5��r�ƍQ<첀

data/test/config/test_secondary_1.key

@@ -0,0 +1,2 @@
+3���l������㾮/2�(NkA�7�����և��r�
+��3���I�,۩�cu���/��6����P�PV\>��	6$�UJ�L�
�Z��pg)O�S�`PS��6�'��oȜ�'c�S{�e�ȘqR�@��p(�”���V�#8�Jʓ
x�Ih?L�;}m [g(� � #�\��Ѯ�9e�]�`�Bi�\bִ<�D_Tɳ�/,�`�?�o*��t��^�[fTmі���,�*�j�J��r

data/test/encryption_test.rb

@@ -5,22 +5,28 @@ require 'rubygems'
 require 'test/unit'
 require 'shoulda'
 
+Symmetric::Encryption.load!(File.join(File.dirname(__FILE__), 'config', 'symmetric-encryption.yml'), 'test')
+
 # Unit Test for Symmetric::Encryption
 #
 class EncryptionTest < Test::Unit::TestCase
   context 'initialized' do
 
-    setup do
-      Symmetric::Encryption.load!(File.join(File.dirname(__FILE__), 'config', 'symmetric-encryption.yml'), 'test')
+    context 'Symmetric::Encryption configuration' do
+      setup do
+        @config = Symmetric::Encryption.send(:read_config, File.join(File.dirname(__FILE__), 'config', 'symmetric-encryption.yml'), 'test')
+      end
+
+      should "match config file" do
+        assert_equal @config[:ciphers][0][:cipher], Symmetric::Encryption.cipher.cipher
+      end
     end
 
     context 'Symmetric::Encryption tests' do
       setup do
-        @bank_account_number = "1234567890"
-        @bank_account_number_encrypted = "QUxoUU8O/mi0o9ykgXNBFg==\n"
-
         @social_security_number = "987654321"
-        @social_security_number_encrypted = "Jj7dKb3B0aUCnqH/YKGvKw==\n"
+        @social_security_number_encrypted = "S+8X1NRrqdfEIQyFHVPuVA==\n"
+        @social_security_number_encrypted_with_secondary_1 = "D1UCu38pqJ3jc0GvwJHiow==\n"
       end
 
       should "encrypt simple string" do
@@ -35,6 +41,10 @@ class EncryptionTest < Test::Unit::TestCase
         assert_equal true, Symmetric::Encryption.encrypted?(@social_security_number_encrypted)
         assert_equal false, Symmetric::Encryption.encrypted?(@social_security_number)
       end
+
+      should "decrypt with secondary key when first one fails" do
+        assert_equal @social_security_number, Symmetric::Encryption.decrypt(@social_security_number_encrypted)
+      end
     end
   end