symmetric-encryption 3.7.2 → 3.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f92b1092b1192c42eb9b82d2ae059c548dbbe12d
-  data.tar.gz: dd540914e52a9a772bb860c9042d98c18e7eecaf
+  metadata.gz: 6bf012ca0a4d3ce067a363f363168e4fcc5bebf9
+  data.tar.gz: 005d3a55560d79f658464ba189957f5349d221e2
 SHA512:
-  metadata.gz: 54ff672e35c0d2bbe1545225e9da85294e032c5a0f8d211a74386659e7a9bafd354f1d4e8f64c922e6779ec0a51283a939303b7cc15c3ef27db52edd4c63e844
-  data.tar.gz: 5d1794d4203b3a1d951479c9be6d0802bb268ee8f4ce8cc795c215b35bae57b5a7ec8a5beddefd6b1ac17a007af8894f2b9f276402bb9c48fa115236043ef463
+  metadata.gz: 243de98a4079b584cd215f81f15caf4e6d6985047804a6e74dbcd46e25dbfd45a7f2a3e5d6610c47309a54b0845f6bc10bbb2d7cdd9ec8ac05e5b81361335647
+  data.tar.gz: 56b65cf943afec131341309628ff39101be17321b194f0136cf593d67030df52b41ea1a91abcc445805c3dd2882c5802bb5a84376e352f6282d1f415342156bc

data/README.md

@@ -1,16 +1,18 @@
-symmetric-encryption [![Build Status](https://secure.travis-ci.org/reidmorrison/symmetric-encryption.png?branch=master)](http://travis-ci.org/reidmorrison/symmetric-encryption) ![](http://ruby-gem-downloads-badge.herokuapp.com/symmetric-encryption?type=total)
-====================
+# symmetric-encryption
+![](https://img.shields.io/gem/v/symmetric-encryption.svg) ![](https://secure.travis-ci.org/reidmorrison/symmetric-encryption.png?branch=master) ![](https://img.shields.io/gem/dt/symmetric-encryption.svg)  ![](https://img.shields.io/badge/status-production%20ready-blue.svg)
 
 * http://github.com/reidmorrison/symmetric-encryption
 
+Transparently encrypt ActiveRecord, Mongoid, and MongoMapper attributes. Encrypt passwords in configuration files. Encrypt entire files at rest.
+
 ## Introduction
 
 Any project that wants to meet PCI compliance has to ensure that the data is encrypted
-whilst in flight and at rest. Amongst many other other requirements all passwords
-in configuration files have to be encrypted
+whilst in flight and at rest. Amongst many other requirements all passwords
+in configuration files also have to be encrypted.
 
-This Gem helps achieve compliance by supporting encryption of data in a simple
-and consistent way
+Symmetric Encryption helps achieve compliance by supporting encryption of data in a simple
+and consistent way.
 
 Symmetric Encryption uses OpenSSL to encrypt and decrypt data, and can therefore
 expose all the encryption algorithms supported by OpenSSL.
@@ -19,110 +21,90 @@ expose all the encryption algorithms supported by OpenSSL.
 
 For complete documentation see: http://reidmorrison.github.io/symmetric-encryption/
 
-## New features in V1.1 and V2
+## Dependencies
 
-* Ability to randomly generate a new initialization vector (iv) with every
-  encryption and put the iv in the encrypted data as its header, without having
-  to use SymmetricEncryption::Writer
+Symmetric Encryption works with the following Ruby interpreters:
 
-* With file encryption randomly generate a new key and initialization vector (iv) with every
-  file encryption and put the key and iv in the encrypted data as its header which
-  is encrypted using the global key and iv
-
-* Support for compression via SymmetricEncryption.encrypt, attr_encrypted and Mongoid
-  fields
-
-* SymmetricEncryption.encrypt has two additional optional parameters:
-```
-   random_iv [true|false]
-     Whether the encypted value should use a random IV every time the
-     field is encrypted.
-     It is recommended to set this to true where feasible. If the encrypted
-     value could be used as part of a SQL where clause, or as part
-     of any lookup, then it must be false.
-     Setting random_iv to true will result in a different encrypted output for
-     the same input string.
-     Note: Only set to true if the field will never be used as part of
-       the where clause in an SQL query.
-     Note: When random_iv is true it will add a 8 byte header, plus the bytes
-       to store the random IV in every returned encrypted string, prior to the
-       encoding if any.
-     Default: false
-     Highly Recommended where feasible: true
-
-   compress [true|false]
-     Whether to compress str before encryption
-     Should only be used for large strings since compression overhead and
-     the overhead of adding the 'magic' header may exceed any benefits of
-     compression
-     Note: Adds a 6 byte header prior to encoding, only if :random_iv is false
-     Default: false
-```
-
-## Upgrading from earlier versions to SymmetricEncryption V3
+* Ruby 1.9.3, 2.0, 2.1, 2.2, or greater
+* JRuby 1.7, 9.0.0, or greater
+* Rubinius 2.5, or greater
+
+## Upgrading to SymmetricEncryption V3
 
 In version 3 of SymmetricEncryption, the following changes have been made that
 may have backward compatibility issues:
 
-* SymmetricEncryption.decrypt no longer rotates through all the decryption keys
+* `SymmetricEncryption.decrypt` no longer rotates through all the decryption keys
   when previous ciphers fail to decrypt the encrypted string.
   In a very small, yet significant number of cases it was possible to decrypt data
   using the incorrect key. Clearly the data returned was garbage, but it still
   returned a string of data instead of throwing an exception.
-  See SymmetricEncryption.select_cipher to supply your own custom logic to
+  See `SymmetricEncryption.select_cipher` to supply your own custom logic to
   determine the correct cipher to use when the encrypted string does not have a
   header and multiple ciphers are defined.
 
-* Configuration file format prior to V1 is no longer supported
+* Configuration file format prior to V1 is no longer supported.
 
 * New configuration option has been added to support setting encryption keys
-  from environment variables
+  from environment variables.
 
-* Cipher.parse_magic_header! now returns a Struct instead of an Array
+* `Cipher.parse_magic_header!` now returns a Struct instead of an Array.
 
-* New config options :encrypted_key and :encrypted_iv to support setting
-  the encryption key in environment variables
+* New config options `:encrypted_key` and `:encrypted_iv` to support setting
+  the encryption key in environment variables, or from other sources such as ldap
+  or a central directory service.
+
+## New features in V1.1 and V2
 
-Meta
-----
+* Ability to randomly generate a new initialization vector (iv) with every
+  encryption and put the iv in the encrypted data as its header, without having
+  to use `SymmetricEncryption::Writer`.
 
-* Code: `git clone git://github.com/reidmorrison/symmetric-encryption.git`
-* Home: <https://github.com/reidmorrison/symmetric-encryption>
-* Issues: <http://github.com/reidmorrison/symmetric-encryption/issues>
-* Gems: <http://rubygems.org/gems/symmetric-encryption>
+* With file encryption randomly generate a new key and initialization vector (iv) with every
+  file encryption and put the key and iv in the encrypted data as its header which
+  is encrypted using the global key and iv.
+
+* Support for compression.
+
+* `SymmetricEncryption.encrypt` has two additional optional parameters:
+    * random_iv `[true|false]`
+        * Whether the encypted value should use a random IV every time the
+          field is encrypted.
+        * It is recommended to set this to true where feasible. If the encrypted
+          value could be used as part of a SQL where clause, or as part
+          of any lookup, then it must be false.
+        * Setting random_iv to true will result in a different encrypted output for
+          the same input string.
+        * Note: Only set to true if the field will never be used as part of
+          the where clause in an SQL query.
+        * Note: When random_iv is true it will add a 8 byte header, plus the bytes
+          to store the random IV in every returned encrypted string, prior to the
+          encoding if any.
+        * Note: Adds a 6 byte header prior to encoding, if not already configured
+          to add the header to all encrypted values.
+        * Default: false
+        * Highly Recommended where feasible: true
+
+    * compress [true|false]
+        * Whether to compress prior to encryption.
+        * Should only be used for large strings since compression overhead and
+          the overhead of adding the 'magic' header may exceed any benefits of
+          compression.
+        * Default: false
+
+## Versioning
 
 This project uses [Semantic Versioning](http://semver.org/).
 
-Author
-------
+## Author
 
 [Reid Morrison](https://github.com/reidmorrison)
 
-Contributors
-------------
-
-* [M. Scott Ford](https://github.com/mscottford)
-* [Adam St. John](https://github.com/astjohn)
-
-License
--------
-
-Copyright 2012, 2013, 2014 Reid Morrison
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
+## Contributors
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+[Contributors](https://github.com/reidmorrison/symmetric-encryption/graphs/contributors)
 
-Disclaimer
-----------
+## Disclaimer
 
 Although this library has assisted in meeting PCI Compliance and has passed
 previous PCI audits, it in no way guarantees that PCI Compliance will be

data/Rakefile

@@ -1,21 +1,21 @@
 require 'rake/clean'
 require 'rake/testtask'
 
-$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
 require 'symmetric_encryption/version'
 
 task :gem do
-  system "gem build symmetric-encryption.gemspec"
+  system 'gem build symmetric-encryption.gemspec'
 end
 
 task :publish => :gem do
   system "git tag -a v#{SymmetricEncryption::VERSION} -m 'Tagging #{SymmetricEncryption::VERSION}'"
-  system "git push --tags"
+  system 'git push --tags'
   system "gem push symmetric-encryption-#{SymmetricEncryption::VERSION}.gem"
   system "rm symmetric-encryption-#{SymmetricEncryption::VERSION}.gem"
 end
 
-desc "Run Test Suite"
+desc 'Run Test Suite'
 task :test do
   Rake::TestTask.new(:functional) do |t|
     t.test_files = FileList['test/*_test.rb']

data/lib/rails/generators/symmetric_encryption/config/config_generator.rb

@@ -1,12 +1,12 @@
 module SymmetricEncryption
   module Generators
     class ConfigGenerator < Rails::Generators::Base
-      desc "Creates a SymmetricEncryption configuration file at config/symmetric-encryption.yml"
+      desc 'Creates a SymmetricEncryption configuration file at config/symmetric-encryption.yml'
 
       argument :key_path, type: :string, optional: false
 
       def self.source_root
-        @_symmetric_encryption_source_root ||= File.expand_path("../templates", __FILE__)
+        @_symmetric_encryption_source_root ||= File.expand_path('../templates', __FILE__)
       end
 
       def app_name
@@ -14,7 +14,7 @@ module SymmetricEncryption
       end
 
       def create_config_file
-        template 'symmetric-encryption.yml', File.join('config', "symmetric-encryption.yml")
+        template 'symmetric-encryption.yml', File.join('config', 'symmetric-encryption.yml')
       end
 
     end

data/lib/rails/generators/symmetric_encryption/heroku_config/heroku_config_generator.rb

@@ -1,10 +1,10 @@
 module SymmetricEncryption
   module Generators
     class HerokuConfigGenerator < Rails::Generators::Base
-      desc "Creates a SymmetricEncryption configuration file at config/symmetric-encryption.yml for use in heroku"
+      desc 'Creates a SymmetricEncryption configuration file at config/symmetric-encryption.yml for use in heroku'
 
       def self.source_root
-        @_symmetric_encryption_source_root ||= File.expand_path("../templates", __FILE__)
+        @_symmetric_encryption_source_root ||= File.expand_path('../templates', __FILE__)
       end
 
       def app_name
@@ -12,7 +12,7 @@ module SymmetricEncryption
       end
 
       def create_config_file
-        template 'symmetric-encryption.yml', File.join('config', "symmetric-encryption.yml")
+        template 'symmetric-encryption.yml', File.join('config', 'symmetric-encryption.yml')
       end
 
     end

data/lib/rails/generators/symmetric_encryption/new_keys/new_keys_generator.rb

@@ -1,12 +1,12 @@
 module SymmetricEncryption
   module Generators
     class NewKeysGenerator < Rails::Generators::Base
-      desc "Generate new Symmetric key and initialization vector based on values in config/symmetric-encryption.yml"
+      desc 'Generate new Symmetric key and initialization vector based on values in config/symmetric-encryption.yml'
 
       argument :environment, type: :string, optional: false
 
       def create_config_file
-        SymmetricEncryption.generate_symmetric_key_files(File.join('config', "symmetric-encryption.yml"), environment)
+        SymmetricEncryption.generate_symmetric_key_files(File.join('config', 'symmetric-encryption.yml'), environment)
       end
 
     end

data/lib/symmetric_encryption.rb

@@ -8,15 +8,21 @@ require 'symmetric_encryption/cipher'
 require 'symmetric_encryption/symmetric_encryption'
 require 'symmetric_encryption/exception'
 
+#@formatter:off
 module SymmetricEncryption
+  autoload :Coerce,    'symmetric_encryption/coerce'
+  autoload :Config,    'symmetric_encryption/config'
   autoload :Reader,    'symmetric_encryption/reader'
   autoload :Writer,    'symmetric_encryption/writer'
   autoload :Generator, 'symmetric_encryption/generator'
 end
+#@formatter:on
 
 # Add support for other libraries only if they have already been loaded
 require 'symmetric_encryption/railtie' if defined?(Rails)
-require 'symmetric_encryption/extensions/active_record/base' if defined?(ActiveRecord::Base)
+if defined?(ActiveRecord::Base) && !defined?(AttrEncrypted::Version)
+  require 'symmetric_encryption/extensions/active_record/base'
+end
 require 'symmetric_encryption/railties/symmetric_encryption_validator' if defined?(ActiveModel)
 require 'symmetric_encryption/extensions/mongoid/encrypted' if defined?(Mongoid)
 require 'symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key' if defined?(MongoMapper)

data/lib/symmetric_encryption/cipher.rb

@@ -18,12 +18,18 @@ module SymmetricEncryption
 
     # Defines the Header Structure returned when parsing the header
     HeaderStruct = Struct.new(
-      :compressed,          # [true|false] Whether the data is compressed, if supplied in the header
-      :iv,                  # [String] IV used to encrypt the data, if supplied in the header
-      :key,                 # [String] Key used to encrypt the data, if supplied in the header
-      :cipher_name,         # [String] Name of the cipher used, if supplied in the header
-      :version,             # [Integer] Version of the cipher used, if supplied in the header
-      :decryption_cipher    # [SymmetricEncryption::Cipher] Cipher matching the header, or SymmetricEncryption.cipher(default_version)
+      # [true|false] Whether the data is compressed, if supplied in the header
+      :compressed,
+      # [String] IV used to encrypt the data, if supplied in the header
+      :iv,
+      # [String] Key used to encrypt the data, if supplied in the header
+      :key,
+      # [String] Name of the cipher used, if supplied in the header
+      :cipher_name,
+      # [Integer] Version of the cipher used, if supplied in the header
+      :version,
+      # [SymmetricEncryption::Cipher] Cipher matching the header, or SymmetricEncryption.cipher(default_version)
+      :decryption_cipher
     )
 
     # Generate a new Symmetric Key pair
@@ -31,6 +37,10 @@ module SymmetricEncryption
     # Returns a hash containing a new random symmetric_key pair
     # consisting of a :key and :iv.
     # The cipher_name is also included for compatibility with the Cipher initializer
+    #
+    # Notes:
+    # * The key _must_ be properly secured
+    # * The iv can be stored in the clear and it is not necessary to encrypt it
     def self.random_key_pair(cipher_name = 'aes-256-cbc')
       openssl_cipher = ::OpenSSL::Cipher.new(cipher_name)
       openssl_cipher.encrypt
@@ -42,15 +52,77 @@ module SymmetricEncryption
       }
     end
 
+    # Generate new randomized keys and generate key and iv files if supplied
+    # Overwrites key files for the current environment
+    # See: #initialize for parameters
+    def self.generate_random_keys(params)
+      environment     = params[:environment]
+      private_rsa_key = config[:private_rsa_key]
+      rsa             = OpenSSL::PKey::RSA.new(private_rsa_key) if private_rsa_key
+      key_pair        = SymmetricEncryption::Cipher.random_key_pair(params[:cipher_name] || 'aes-256-cbc')
+      key             = key_pair[:key]
+      iv              = key_pair[:iv]
+
+      puts 'Generated new Symmetric Key for encryption'
+      if params.has_key?(:key)
+        puts 'Put this value in your configuration file for :key'
+        p key
+      elsif file_name = config.delete(:key_filename)
+        write_to_file(file_name, key, rsa)
+        puts("Please copy #{file_name} to the other servers in #{environment}.")
+      elsif params.has_key?(:encrypted_key)
+        encrypted_key = encrypt_key(key, rsa)
+        puts 'If running in Heroku, add the environment specific key:'
+        puts "heroku config:add #{environment.upcase}_KEY1=#{encrypted_key}"
+        puts
+        puts 'Otherwise, set the :encrypted_key value to:'
+        puts encrypted_key
+      end
+
+      puts 'Generated new Initialization Vector for encryption'
+      if params.has_key?(:iv)
+        puts 'Put this value in your configuration file for :iv'
+        p iv
+      elsif file_name = config.delete(:iv_filename)
+        write_to_file(file_name, iv, rsa)
+        puts("Please copy #{file_name} to the other servers in #{environment}.")
+      elsif params.has_key?(:encrypted_iv)
+        encrypted_iv = encrypt_key(iv, rsa)
+        puts 'If running in Heroku, add the environment specific key:'
+        puts "heroku config:add #{environment.upcase}_KEY1=#{encrypted_iv}"
+        puts
+        puts 'Otherwise, set the :encrypted_iv value to:'
+        puts encrypted_iv
+      end
+    end
+
     # Create a Symmetric::Key for encryption and decryption purposes
     #
     # Parameters:
     #   :key [String]
     #     The Symmetric Key to use for encryption and decryption
+    #  Or,
+    #   :key_filename
+    #     Name of file containing symmetric key encrypted using the public
+    #     key from the private_rsa_key
+    #  Or,
+    #   :encrypted_key
+    #     Symmetric key encrypted using the public key from the private_rsa_key
+    #     and then Base64 encoded
     #
     #   :iv [String]
     #     Optional. The Initialization Vector to use with Symmetric Key
     #     Highly Recommended as it is the input into the CBC algorithm
+    #  Or,
+    #   Note: The following 2 options are deprecated since it is _not_ necessary
+    #         to encrypt the initialization vector (IV)
+    #   :iv_filename
+    #     Name of file containing symmetric key initialization vector
+    #     encrypted using the public key from the private_rsa_key
+    #  Or,
+    #   :encrypted_iv
+    #     Initialization vector encrypted using the public key from the private_rsa_key
+    #     and then Base64 encoded
     #
     #   :cipher_name [String]
     #     Optional. Encryption Cipher to use
@@ -84,16 +156,37 @@ module SymmetricEncryption
     #     Default: false
     #     Recommended: true
     #
+    #   private_rsa_key [String]
+    #     RSA Key used to decrypt key and iv as applicable
+    #     Mandatory if :key_filename, :encrypted_key, :iv_filename, or :encrypted_iv is supplied
     def initialize(params={})
       params             = params.dup
-      @key               = params.delete(:key)
-      @iv                = params.delete(:iv)
       @cipher_name       = params.delete(:cipher_name) || params.delete(:cipher) || 'aes-256-cbc'
       @version           = params.delete(:version)
       @always_add_header = params.delete(:always_add_header) || false
       @encoding          = (params.delete(:encoding) || :base64).to_sym
 
-      raise(ArgumentError, "Missing mandatory parameter :key") unless @key
+      # To decrypt encrypted key or iv files
+      private_rsa_key    = params.delete(:private_rsa_key)
+      rsa                = OpenSSL::PKey::RSA.new(private_rsa_key) if private_rsa_key
+
+      if key = params.delete(:key)
+        @key = key
+      elsif file_name = params.delete(:key_filename)
+        @key = read_from_file(file_name, rsa)
+      elsif encrypted_key = params.delete(:encrypted_key)
+        @key = decrypt_key(encrypted_key, rsa)
+      end
+
+      if iv = params.delete(:iv)
+        @iv = iv
+      elsif file_name = params.delete(:iv_filename)
+        @iv = read_from_file(file_name, rsa)
+      elsif encrypted_iv = params.delete(:encrypted_iv)
+        @iv = decrypt_key(encrypted_iv, rsa)
+      end
+
+      raise(ArgumentError, 'Missing mandatory parameter :key, :key_filename, or :encrypted_key') unless @key
       raise(ArgumentError, "Invalid Encoding: #{@encoding}") unless ENCODINGS.include?(@encoding)
       raise(ArgumentError, "Cipher version has a valid range of 0 to 255. #{@version} is too high, or negative") if (@version.to_i > 255) || (@version.to_i < 0)
       raise(ArgumentError, "SymmetricEncryption::Cipher Invalid options #{params.inspect}") if params.size > 0
@@ -189,16 +282,13 @@ module SymmetricEncryption
       case encoding
       when :base64
         encoded_string = ::Base64.encode64(binary_string)
-        # Support Ruby 1.9 encoding
-        defined?(Encoding) ? encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING) : encoded_string
+        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
       when :base64strict
         encoded_string = ::Base64.encode64(binary_string).gsub(/\n/, '')
-        # Support Ruby 1.9 encoding
-        defined?(Encoding) ? encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING) : encoded_string
+        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
       when :base16
         encoded_string = binary_string.to_s.unpack('H*').first
-        # Support Ruby 1.9 encoding
-        defined?(Encoding) ? encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING) : encoded_string
+        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
       else
         binary_string
       end
@@ -214,12 +304,10 @@ module SymmetricEncryption
       case encoding
       when :base64, :base64strict
         decoded_string = ::Base64.decode64(encoded_string)
-        # Support Ruby 1.9 encoding
-        defined?(Encoding) ? decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING) : decoded_string
+        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
       when :base16
         decoded_string = [encoded_string].pack('H*')
-        # Support Ruby 1.9 encoding
-        defined?(Encoding) ? decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING) : decoded_string
+        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
       else
         encoded_string
       end
@@ -277,17 +365,17 @@ module SymmetricEncryption
       #    Cipher name it UTF8 text
 
       # Remove header and extract flags
-      _, flags      = buffer.slice!(0..MAGIC_HEADER_SIZE+1).unpack(MAGIC_HEADER_UNPACK)
-      compressed    = (flags & 0b1000_0000_0000_0000) != 0
-      include_iv    = (flags & 0b0100_0000_0000_0000) != 0
-      include_key   = (flags & 0b0010_0000_0000_0000) != 0
-      include_cipher= (flags & 0b0001_0000_0000_0000) != 0
+      _, flags          = buffer.slice!(0..MAGIC_HEADER_SIZE+1).unpack(MAGIC_HEADER_UNPACK)
+      compressed        = (flags & 0b1000_0000_0000_0000) != 0
+      include_iv        = (flags & 0b0100_0000_0000_0000) != 0
+      include_key       = (flags & 0b0010_0000_0000_0000) != 0
+      include_cipher    = (flags & 0b0001_0000_0000_0000) != 0
       # Version of the key to use to decrypt the key if present,
       # otherwise to decrypt the data following the header
-      version       = flags & 0b0000_0000_1111_1111
+      version           = flags & 0b0000_0000_1111_1111
       decryption_cipher = SymmetricEncryption.cipher(version)
       raise(SymmetricEncryption::CipherError, "Cipher with version:#{version.inspect} not found in any of the configured SymmetricEncryption ciphers") unless decryption_cipher
-      iv, key, cipher_name   = nil
+      iv, key, cipher_name = nil
 
       if include_iv
         len = buffer.slice!(0..1).unpack('v').first
@@ -298,7 +386,7 @@ module SymmetricEncryption
         key = decryption_cipher.binary_decrypt(buffer.slice!(0..len-1), header=false)
       end
       if include_cipher
-        len    = buffer.slice!(0..1).unpack('v').first
+        len         = buffer.slice!(0..1).unpack('v').first
         cipher_name = buffer.slice!(0..len-1)
       end
 
@@ -330,14 +418,14 @@ module SymmetricEncryption
       # Ruby V2 named parameters would be perfect here
 
       # Version number of supplied encryption key, or use the global cipher version if none was supplied
-      flags = iv || key ? (SymmetricEncryption.cipher.version || 0) : (version || 0) # Same as 0b0000_0000_0000_0000
+      flags  = iv || key ? (SymmetricEncryption.cipher.version || 0) : (version || 0) # Same as 0b0000_0000_0000_0000
 
       # If the data is to be compressed before being encrypted, set the
       # compressed bit in the flags word
-      flags |= 0b1000_0000_0000_0000 if compressed
-      flags |= 0b0100_0000_0000_0000 if iv
-      flags |= 0b0010_0000_0000_0000 if key
-      flags |= 0b0001_0000_0000_0000 if cipher_name
+      flags  |= 0b1000_0000_0000_0000 if compressed
+      flags  |= 0b0100_0000_0000_0000 if iv
+      flags  |= 0b0010_0000_0000_0000 if key
+      flags  |= 0b0001_0000_0000_0000 if cipher_name
       header = "#{MAGIC_HEADER}#{[flags].pack('v')}".force_encoding(SymmetricEncryption::BINARY_ENCODING)
       if iv
         header << [iv.length].pack('v')
@@ -378,18 +466,19 @@ module SymmetricEncryption
       openssl_cipher = ::OpenSSL::Cipher.new(self.cipher_name)
       openssl_cipher.encrypt
       openssl_cipher.key = @key
-      add_header = always_add_header || random_iv || compress if add_header.nil?
-      result = if add_header
-        # Random iv and compress both add the magic header
-        iv = random_iv ? openssl_cipher.random_iv : @iv
-        openssl_cipher.iv = iv if iv
-        # Set the binary indicator on the header if string is Binary Encoded
-        self.class.build_header(version, compress, random_iv ? iv : nil, nil, nil) +
-          openssl_cipher.update(compress ? Zlib::Deflate.deflate(string) : string)
-      else
-        openssl_cipher.iv = @iv if @iv
-        openssl_cipher.update(string)
-      end
+      add_header         = always_add_header || random_iv || compress if add_header.nil?
+      result             =
+        if add_header
+          # Random iv and compress both add the magic header
+          iv                = random_iv ? openssl_cipher.random_iv : @iv
+          openssl_cipher.iv = iv if iv
+          # Set the binary indicator on the header if string is Binary Encoded
+          self.class.build_header(version, compress, random_iv ? iv : nil, nil, nil) +
+            openssl_cipher.update(compress ? Zlib::Deflate.deflate(string) : string)
+        else
+          openssl_cipher.iv = @iv if @iv
+          openssl_cipher.update(string)
+        end
       result << openssl_cipher.final
     end
 
@@ -429,23 +518,23 @@ module SymmetricEncryption
       return str if str.empty?
 
       if header || self.class.has_header?(str)
-        str = str.dup
+        str    = str.dup
         header ||= self.class.parse_header!(str)
 
         openssl_cipher = ::OpenSSL::Cipher.new(header.cipher_name || self.cipher_name)
         openssl_cipher.decrypt
         openssl_cipher.key = header.key || @key
-        iv = header.iv || @iv
-        openssl_cipher.iv = iv if iv
-        result = openssl_cipher.update(str)
+        iv                 = header.iv || @iv
+        openssl_cipher.iv  = iv if iv
+        result             = openssl_cipher.update(str)
         result << openssl_cipher.final
         header.compressed ? Zlib::Inflate.inflate(result) : result
       else
         openssl_cipher = ::OpenSSL::Cipher.new(self.cipher_name)
         openssl_cipher.decrypt
         openssl_cipher.key = @key
-        openssl_cipher.iv = @iv if @iv
-        result = openssl_cipher.update(str)
+        openssl_cipher.iv  = @iv if @iv
+        result             = openssl_cipher.update(str)
         result << openssl_cipher.final
       end
     end
@@ -458,5 +547,46 @@ module SymmetricEncryption
     private
 
     attr_reader :key
+
+    # Read the encrypted key from file
+    def read_from_file(file_name, rsa)
+      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when filename key is used') unless rsa
+      begin
+        encrypted_key = File.open(file_name, 'rb') { |f| f.read }
+        rsa.private_decrypt(encrypted_key)
+      rescue Errno::ENOENT
+        puts "\nSymmetric Encryption key file: '#{file_name}' not found or readable."
+        puts "To generate the keys for the first time run: rails generate symmetric_encryption:new_keys\n\n"
+      end
+    end
+
+    # Save symmetric key after encrypting it with the private RSA key
+    # Backing up existing files if present
+    def write_to_file(file_name, key, rsa)
+      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when filename key is used') unless rsa
+      File.rename(file_name, "#{file_name}.#{Time.now.to_i}") if File.exist?(file_name)
+      File.open(file_name, 'wb') { |file| file.write(rsa.public_encrypt(key)) }
+    end
+
+    # Read the encrypted key from file
+    def decrypt_key(encrypted_key, rsa)
+      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when encrypted key is supplied') unless rsa
+
+      # Decode value first using encoding specified
+      encrypted_key = ::Base64.decode64(encrypted_key)
+      if !encrypted_key || encrypted_key.empty?
+        puts "\nSymmetric Encryption encrypted_key not found."
+        puts "To generate the keys for the first time run: rails generate symmetric_encryption:new_keys\n\n"
+      else
+        rsa.private_decrypt(encrypted_key)
+      end
+    end
+
+    # Returns [String] encrypted form of supplied key
+    def encrypt_key(key, rsa)
+      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when encrypted key is supplied') unless rsa
+      ::Base64.encode64(rsa.public_encrypt(key))
+    end
+
   end
 end