symmetric-encryption 3.8.3 → 3.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 788a470ed0ed501adc827789838ad6460fa6070b
-  data.tar.gz: ba3c6a6865c5127fa409271e477ab2caee65c1a6
+  metadata.gz: fad0434ee0b203f85088bc62492c16d2365a284c
+  data.tar.gz: c8cd4796787faa48be52155d75e1e312f627b38d
 SHA512:
-  metadata.gz: 525c6df5648bbf5af0432eaab63a235e0ac0fbf3a9a503576e3cf89d11a8d074820aeea9017067afcce950d37f9902f3b39620e81c3239f615488316be57ff19
-  data.tar.gz: ac5ae0631681185ac0c2bbdfdb0fce0b61a803ddaa1410bc19cb77a98be7b1b37a9ef7417b047781c38c69ae6b75369085d654578767143e1d7b7143821ce251
+  metadata.gz: 59fe734623957ac4abed7b6b94786153a793947528d6b857612f418c6fa151947076b8802b5fe901bc2a1d0bad02aa79aa6790951b0671d054e4274ea09a29cc
+  data.tar.gz: 72270dd87fd4e16616b31e7d173facffc2da383c6f0719c0cc76bb9e353d0b33f1179c419af24f36c4ac108e6279b695202163884c01d0d97fe7f770688223b2

data/README.md

@@ -33,8 +33,8 @@ Fully supports Symmetric Encryption to encrypt data in flight and at rest while
 
 Symmetric Encryption works with the following Ruby VMs:
 
-- Ruby 2.1, 2.2, 2.3, and above
-- JRuby 1.7.23, 9.0.5 and above
+- Ruby 2.1 and higher.
+- JRuby 9.1 and higher.
 
 ## Upgrading to SymmetricEncryption V3
 

data/Rakefile

@@ -1,8 +1,9 @@
-require 'rake/clean'
-require 'rake/testtask'
+# Setup bundler to avoid having to run bundle exec all the time.
+require 'rubygems'
+require 'bundler/setup'
 
-$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
-require 'symmetric_encryption/version'
+require 'rake/testtask'
+require_relative 'lib/symmetric_encryption/version'
 
 task :gem do
   system 'gem build symmetric-encryption.gemspec'
@@ -15,17 +16,16 @@ task :publish => :gem do
   system "rm symmetric-encryption-#{SymmetricEncryption::VERSION}.gem"
 end
 
-desc 'Run Test Suite'
-task :test do
-  Rake::TestTask.new(:functional) do |t|
-    t.test_files = FileList['test/*_test.rb']
-    t.verbose    = true
-  end
-
-  # For mongoid
-  ENV['RACK_ENV'] = 'test'
-
-  Rake::Task['functional'].invoke
+Rake::TestTask.new(:test) do |t|
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+  t.warning = false
 end
 
-task :default => :test
+# By default run tests against all appraisals
+if !ENV["APPRAISAL_INITIALIZED"] && !ENV["TRAVIS"]
+  require 'appraisal'
+  task default: :appraisal
+else
+  task default: :test
+end

data/examples/symmetric-encryption.yml

@@ -4,9 +4,9 @@
 ---
 # For the development and test environments the test symmetric encryption keys
 # can be placed directly in the source code.
-# And therefore no RSA private key is required
+# And therefore no key encryption key is required
 development: &development_defaults
-  key:    1234567890ABCDEF1234567890ABCDEF
+  key:    1234567890ABCDEF
   iv:     1234567890ABCDEF
   cipher: aes-128-cbc
 
@@ -14,12 +14,12 @@ test:
   <<: *development_defaults
 
 production:
-  # Since the key to encrypt and decrypt with must NOT be stored along with the
-  # source code, we only hold a RSA key that is used to unlock the file
-  # containing the actual symmetric encryption key
+  # Since the encryption key must NOT be stored along with the
+  # source code, only store the key encryption key here.
   #
-  # Sample RSA Key, DO NOT use this RSA key, generate a new one using
-  #    openssl genrsa 2048
+  # Test Key encryption key, DO NOT use this key, generate a new one using
+  #    SymmetricEncryption::KeyEncryptionKey.generate
+  # Or use the rails generator to create a new config file as described in the readme
   private_rsa_key: |
     -----BEGIN RSA PRIVATE KEY-----
     MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
@@ -49,11 +49,11 @@ production:
     r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
     -----END RSA PRIVATE KEY-----
 
-  # List Symmetric Key Ciphers in the order of current / latest first
+  # List Symmetric Key Ciphers in the order of current / newest first
   ciphers:
-      # Filename containing Symmetric Encryption Key encrypted using the
-      # RSA public key derived from the private key above
-    - key_filename: /etc/rails/.rails.key
+    -
+      # Name of the file containing the encrypted key and iv.
+      key_filename: /etc/rails/.rails.key
       iv_filename: /etc/rails/.rails.iv
 
       # Encryption cipher
@@ -83,31 +83,26 @@ production:
       # Default: base64
       encoding: base64strict
 
-      # FUTURE ENHANCEMENT:
-      #
-      # By adding a version indicator all encrypted data will include
-      # an additional first Byte that includes this version number to
-      # assist with speeding up decryption when adding new encryption keys
-      # and to support old data decryption using older keys
-      #
-      # By not specifying a version, or setting it to 0 will disable version
-      # identification prior to decrypting data
-      # During decryption these Keys will be tried in the order listed in the
-      # configuration file starting with the first in the list
-      # Slower since a decryption attempt is made for every key until the
-      # correct key is located. However, all encrypted data does not require
-      # the 1 Byte version header prefix
-      #
-      # Default: 0
-      #version: 0
+      # Version of this key so that when a new key is supplied, old encrypted data can be decrypted
+      # using the correct key.
+      # Increment this version with every time a new key is generated.
+      version: 2
+
+      # Highly Recommended to always set this to true.
+      # Add a header to every encrypted message.
+      always_add_header: true
+
+    # OPTIONAL:
+    #
+    # Any previous Symmetric Encryption Keys
+    #
+    # Only used when old data still exists that requires old decryption keys
+    # to be used
+    -
+      key_filename:      /etc/rails/.rails_old.key
+      iv_filename:       /etc/rails/.rails_old.iv
+      cipher:            aes-256-cbc
+      encoding:          base64strict
+      version:           1
+      always_add_header: true
 
-      # OPTIONAL:
-      #
-      # Any previous Symmetric Encryption Keys
-      #
-      # Only used when old data still exists that requires old decryption keys
-      # to be used
-    - key_filename: /etc/rails/.rails_old.key
-      iv_filename:  /etc/rails/.rails_old.iv
-      cipher:       aes-256-cbc
-      encoding:     base64strict

data/lib/rails/generators/symmetric_encryption/config/templates/symmetric-encryption.yml

@@ -4,9 +4,9 @@
 ---
 # For the development and test environments the test symmetric encryption keys
 # can be placed directly in the source code.
-# And therefore no RSA private key is required
+# And therefore no key encryption key is required
 development:         &development_defaults
-  key:               1234567890ABCDEF1234567890ABCDEF
+  key:               1234567890ABCDEF
   iv:                1234567890ABCDEF
   cipher_name:       aes-128-cbc
   encoding:          :base64strict
@@ -16,17 +16,15 @@ test:
   <<: *development_defaults
 
 release:
-  # Since the key to encrypt and decrypt with must NOT be stored along with the
-  # source code, we only hold a RSA key that is used to unlock the file
-  # containing the actual symmetric encryption key
+  # Since the encryption key must NOT be stored along with the
+  # source code, only store the key encryption key here.
   private_rsa_key: |
-<%= OpenSSL::PKey::RSA.generate(2048).to_s.each_line.collect { |line| "    #{line}" }.join('') %>
+<%= SymmetricEncryption::KeyEncryptionKey.generate.each_line.collect { |line| "    #{line}" }.join('') %>
 
   # List Symmetric Key files in the order of current / latest first
   ciphers:
     -
-      # Filename containing Symmetric Encryption Key encrypted using the
-      # RSA public key derived from the private key above
+      # Name of the file containing the encrypted key and iv.
       key_filename:      <%= File.join(key_path, "#{app_name}_release.key") %>
       iv_filename:       <%= File.join(key_path, "#{app_name}_release.iv") %>
       cipher_name:       aes-256-cbc
@@ -35,17 +33,15 @@ release:
       always_add_header: true
 
 production:
-  # Since the key to encrypt and decrypt with must NOT be stored along with the
-  # source code, we only hold a RSA key that is used to unlock the file
-  # containing the actual symmetric encryption key
+  # Since the encryption key must NOT be stored along with the
+  # source code, only store the key encryption key here.
   private_rsa_key: |
-<%= OpenSSL::PKey::RSA.generate(2048).to_s.each_line.collect { |line| "    #{line}" }.join('') %>
+<%= SymmetricEncryption::KeyEncryptionKey.generate.each_line.collect { |line| "    #{line}" }.join('') %>
 
   # List Symmetric Key files in the order of current / latest first
   ciphers:
     -
-      # Filename containing Symmetric Encryption Key encrypted using the
-      # RSA public key derived from the private key above
+      # Name of the file containing the encrypted key and iv.
       key_filename:      <%= File.join(key_path, "#{app_name}_production.key") %>
       iv_filename:       <%= File.join(key_path, "#{app_name}_production.iv") %>
       cipher_name:       aes-256-cbc

data/lib/rails/generators/symmetric_encryption/heroku_config/templates/symmetric-encryption.yml

@@ -4,9 +4,9 @@
 ---
 # For the development and test environments the test symmetric encryption keys
 # can be placed directly in the source code.
-# And therefore no RSA private key is required
+# And therefore no key encryption key is required
 development:   &development_defaults
-  key:         1234567890ABCDEF1234567890ABCDEF
+  key:         1234567890ABCDEF
   iv:          1234567890ABCDEF
   cipher_name: aes-128-cbc
   encoding:    :base64strict
@@ -15,60 +15,63 @@ test:
   <<: *development_defaults
 
 <%
-cipher_name   = 'aes-256-cbc'
-rsa_key       = OpenSSL::PKey::RSA.generate(2048)
-key_pair      = SymmetricEncryption::Cipher.random_key_pair(cipher_name)
-iv            = ::Base64.strict_encode64(key_pair[:iv])
-encrypted_key = ::Base64.strict_encode64(rsa_key.public_encrypt(key_pair[:key]))
+rsa_key       = SymmetricEncryption::KeyEncryptionKey.generate
+cipher_conf   = SymmetricEncryption::Cipher.generate_random_keys(private_rsa_key: rsa_key, encrypted_key: '', encrypted_iv: '')
+cipher_name   = cipher_conf[:cipher_name]
+encrypted_iv  = cipher_conf[:encrypted_iv]
+encrypted_key = cipher_conf[:encrypted_key]
 
 puts "\n\n********************************************************************************"
 puts "Add the release environment key to Heroku: (Optional)\n\n"
 puts "  heroku config:add RELEASE_KEY1=#{encrypted_key}\n\n"
+puts "\n\n********************************************************************************"
+puts "Add the release environment key to Heroku: (Optional)\n\n"
+puts "  heroku config:add RELEASE_IV1=#{encrypted_iv}\n\n"
 -%>
 release:
-  # Since the key to encrypt and decrypt with must NOT be stored along with the
-  # source code, we only hold a RSA key that is used to unlock the file
-  # containing the actual symmetric encryption key
+  # Key encryption key
+  # Key used to secure the encryption key when it is stored in a file or encrypted.
   private_rsa_key: |
-<%= rsa_key.to_s.each_line.collect { |line| "    #{line}" }.join('') %>
+<%= rsa_key.each_line.collect { |line| "    #{line}" }.join('') %>
 
   # List Symmetric Key files in the order of current / latest first
   ciphers:
     -
       # Filename containing Symmetric Encryption Key encrypted using the
-      # RSA public key derived from the private key above
+      # key encryption key above (private_rsa_key).
       encrypted_key:     "<%= '<' + "%= ENV['RELEASE_KEY1'] %" + '>' %>"
-      iv:                "<%=  iv %>"
+      encrypted_iv:      "<%= '<' + "%= ENV['RELEASE_IV1'] %" + '>' %>"
       cipher_name:       <%=  cipher_name %>
       encoding:          :base64strict
       version:           1
       always_add_header: true
 
 <%
-cipher_name   = 'aes-256-cbc'
-rsa_key       = OpenSSL::PKey::RSA.generate(2048)
-key_pair      = SymmetricEncryption::Cipher.random_key_pair(cipher_name)
-iv            = ::Base64.strict_encode64(key_pair[:iv])
-encrypted_key = ::Base64.strict_encode64(rsa_key.public_encrypt(key_pair[:key]))
+rsa_key       = SymmetricEncryption::KeyEncryptionKey.generate
+cipher_conf   = SymmetricEncryption::Cipher.generate_random_keys(private_rsa_key: rsa_key, encrypted_key: '', encrypted_iv: '')
+cipher_name   = cipher_conf[:cipher_name]
+encrypted_iv  = cipher_conf[:encrypted_iv]
+encrypted_key = cipher_conf[:encrypted_key]
 
 puts "Add the production key to Heroku:\n\n"
 puts "  heroku config:add PRODUCTION_KEY1=#{encrypted_key}\n\n"
 puts "********************************************************************************\n\n\n"
+puts "Add the production key to Heroku:\n\n"
+puts "  heroku config:add PRODUCTION_IV1=#{encrypted_iv}\n\n"
+puts "********************************************************************************\n\n\n"
 -%>
 production:
-  # Since the key to encrypt and decrypt with must NOT be stored along with the
-  # source code, we only hold a RSA key that is used to unlock the file
-  # containing the actual symmetric encryption key
+  # Since the encryption key must NOT be stored along with the
+  # source code, only store the key encryption key here.
   private_rsa_key: |
-<%= rsa_key.to_s.each_line.collect { |line| "    #{line}" }.join('') %>
+<%= rsa_key.each_line.collect { |line| "    #{line}" }.join('') %>
 
   # List Symmetric Key files in the order of current / latest first
   ciphers:
     -
-      # Filename containing Symmetric Encryption Key encrypted using the
-      # RSA public key derived from the private key above
+      # Encrypted key is supplied via an environment variable.
       encrypted_key:     "<%= '<' + "%= ENV['PRODUCTION_KEY1'] %" + '>' %>"
-      iv:                "<%=  iv %>"
+      encrypted_iv:      "<%= '<' + "%= ENV['PRODUCTION_IV1'] %" + '>' %>"
       cipher_name:       <%=  cipher_name %>
       encoding:          :base64strict
       version:           1

data/lib/symmetric_encryption.rb

@@ -10,11 +10,16 @@ require 'symmetric_encryption/exception'
 
 #@formatter:off
 module SymmetricEncryption
-  autoload :Coerce,    'symmetric_encryption/coerce'
-  autoload :Config,    'symmetric_encryption/config'
-  autoload :Reader,    'symmetric_encryption/reader'
-  autoload :Writer,    'symmetric_encryption/writer'
-  autoload :Generator, 'symmetric_encryption/generator'
+  autoload :Coerce,                 'symmetric_encryption/coerce'
+  autoload :Config,                 'symmetric_encryption/config'
+  autoload :Encoder,                'symmetric_encryption/encoder'
+  autoload :KeyEncryptionKey,       'symmetric_encryption/key_encryption_key'
+  autoload :Reader,                 'symmetric_encryption/reader'
+  autoload :Writer,                 'symmetric_encryption/writer'
+  autoload :Generator,              'symmetric_encryption/generator'
+  module Utils
+    autoload :ReEncryptConfigFiles, 'symmetric_encryption/re_encrypt_config_files'
+  end
 end
 #@formatter:on
 
@@ -25,4 +30,7 @@ if defined?(ActiveRecord::Base) && !defined?(AttrEncrypted::Version)
 end
 require 'symmetric_encryption/railties/symmetric_encryption_validator' if defined?(ActiveModel)
 require 'symmetric_encryption/extensions/mongoid/encrypted' if defined?(Mongoid)
-require 'symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key' if defined?(MongoMapper)
+if defined?(MongoMapper)
+  warn 'MongoMapper support is deprecated. Consider upgrading to Mongoid.'
+  require 'symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key'
+end

data/lib/symmetric_encryption/cipher.rb

@@ -1,5 +1,5 @@
+require 'openssl'
 module SymmetricEncryption
-
   # Hold all information related to encryption keys
   # as well as encrypt and decrypt data using those keys
   #
@@ -7,11 +7,9 @@ module SymmetricEncryption
   # threads at the same time without needing an instance of Cipher per thread
   class Cipher
     # Cipher to use for encryption and decryption
-    attr_reader :cipher_name, :version, :iv
-    attr_accessor :encoding, :always_add_header
-
-    # Available encodings
-    ENCODINGS = [:none, :base64, :base64strict, :base16]
+    attr_accessor :cipher_name, :version, :iv, :always_add_header
+    attr_reader :encoder, :encoding
+    attr_writer :key
 
     # Backward compatibility
     alias_method :cipher, :cipher_name
@@ -52,48 +50,104 @@ module SymmetricEncryption
       }
     end
 
-    # Generate new randomized keys and generate key and iv files if supplied
-    # Overwrites key files for the current environment
-    # See: #initialize for parameters
-    def self.generate_random_keys(params)
-      environment     = params[:environment]
-      private_rsa_key = params[:private_rsa_key]
-      rsa             = OpenSSL::PKey::RSA.new(private_rsa_key) if private_rsa_key
-      key_pair        = SymmetricEncryption::Cipher.random_key_pair(params[:cipher_name] || 'aes-256-cbc')
-      key             = key_pair[:key]
-      iv              = key_pair[:iv]
-
-      puts 'Generated new Symmetric Key for encryption'
-      if params.has_key?(:key)
-        puts 'Put this value in your configuration file for :key'
-        p key
-      elsif file_name = params.delete(:key_filename)
-        write_to_file(file_name, key, rsa)
-        puts("Please copy #{file_name} to the other servers in #{environment}.")
-      elsif params.has_key?(:encrypted_key)
-        encrypted_key = encrypt_key(key, rsa)
-        puts 'If running in Heroku, add the environment specific key:'
-        puts "heroku config:add #{environment.upcase}_KEY1=#{encrypted_key}"
-        puts
-        puts 'Otherwise, set the :encrypted_key value to:'
-        puts encrypted_key
+    # Generate new randomized keys and generate key and iv files if supplied.
+    # Overwrites key files for the current environment.
+    #
+    # Parameters
+    #   :key_filename
+    #     Name of file that will contain the symmetric key encrypted using the public
+    #     key from the private_rsa_key.
+    #  Or,
+    #   :encrypted_key
+    #     Symmetric key encrypted using the public key from the private_rsa_key
+    #     and then Base64 encoded
+    #
+    #  Note:
+    #    If :key_filename and :encrypted_key are not supplied then a new :key will be returned.
+    #    :key is the Symmetric Key to use for encryption and decryption.
+    #
+    #
+    #   :iv_filename
+    #     Name of file containing symmetric key initialization vector
+    #     encrypted using the public key from the private_rsa_key
+    #     Deprecated: It is _not_ necessary to encrypt the initialization vector (IV)
+    #  Or,
+    #   :encrypted_iv
+    #     Initialization vector encrypted using the public key from the private_rsa_key
+    #     and then Base64 encoded
+    #     Deprecated: It is _not_ necessary to encrypt the initialization vector (IV)
+    #
+    #  Note:
+    #    If :iv_filename and :encrypted_iv are not supplied then a new :iv will be returned.
+    #    :key is the Initialization Vector to use with Symmetric Key.
+    #
+    #
+    #   private_rsa_key [String]
+    #     Key encryption key.
+    #     To generate a new one: SymmetricEncryption::KeyEncryptionKey.generate
+    #     Required if :key_filename, :encrypted_key, :iv_filename, or :encrypted_iv is supplied
+    #
+    #   :cipher_name [String]
+    #     Encryption Cipher to use.
+    #     Default: aes-256-cbc
+    #
+    #   :encoding [Symbol]
+    #     :base64strict
+    #       Return as a base64 encoded string that does not include additional newlines
+    #       This is the recommended format since newlines in the values to
+    #       SQL queries are cumbersome. Also the newline reformatting is unnecessary
+    #       It is not the default for backward compatibility
+    #     :base64
+    #       Return as a base64 encoded string
+    #     :base16
+    #       Return as a Hex encoded string
+    #     :none
+    #       Return as raw binary data string. Note: String can contain embedded nulls
+    #     Default: :base64strict
+    def self.generate_random_keys(params = {})
+      params          = params.dup
+      private_rsa_key = params.delete(:private_rsa_key)
+      cipher_name     = params.delete(:cipher_name) || 'aes-256-cbc'
+      encoding        = params.delete(:encoding) || :base64strict
+      unless private_rsa_key
+        [:key_filename, :encrypted_key, :iv_filename, :encrypted_iv].each do |key|
+          raise(SymmetricEncryption::ConfigError, "When :#{key} is supplied, :private_rsa_key is required.") if params.include?(key)
+        end
+      end
+
+      key_encryption_key = KeyEncryptionKey.new(private_rsa_key) if private_rsa_key
+      cipher_conf        = {cipher_name: cipher_name, encoding: encoding}
+
+      key_pair = SymmetricEncryption::Cipher.random_key_pair(cipher_name)
+      key      = key_pair[:key]
+      iv       = key_pair[:iv]
+
+      if file_name = params.delete(:key_filename)
+        cipher_conf[:key_filename] = file_name
+        encrypted_key              = key_encryption_key.encrypt(key)
+        write_to_file(file_name, encrypted_key)
+      elsif params.delete(:encrypted_key)
+        encrypted_key               = key_encryption_key.encrypt(key)
+        cipher_conf[:encrypted_key] = SymmetricEncryption::Encoder[encoding].encode(encrypted_key)
+      else
+        params.delete(:key)
+        cipher_conf[:key] = SymmetricEncryption::Encoder[encoding].encode(key.to_s)
       end
 
-      puts 'Generated new Initialization Vector for encryption'
-      if params.has_key?(:iv)
-        puts 'Put this value in your configuration file for :iv'
-        p iv
-      elsif file_name = params.delete(:iv_filename)
-        write_to_file(file_name, iv, rsa)
-        puts("Please copy #{file_name} to the other servers in #{environment}.")
-      elsif params.has_key?(:encrypted_iv)
-        encrypted_iv = encrypt_key(iv, rsa)
-        puts 'If running in Heroku, add the environment specific key:'
-        puts "heroku config:add #{environment.upcase}_KEY1=#{encrypted_iv}"
-        puts
-        puts 'Otherwise, set the :encrypted_iv value to:'
-        puts encrypted_iv
+      if file_name = params.delete(:iv_filename)
+        cipher_conf[:iv_filename] = file_name
+        encrypted_iv              = key_encryption_key.encrypt(iv)
+        write_to_file(file_name, encrypted_iv)
+      elsif params.delete(:encrypted_iv)
+        encrypted_iv               = key_encryption_key.encrypt(iv)
+        cipher_conf[:encrypted_iv] = SymmetricEncryption::Encoder[encoding].encode(encrypted_iv)
+      else
+        params.delete(:iv)
+        cipher_conf[:iv] = SymmetricEncryption::Encoder[encoding].encode(iv.to_s)
       end
+
+      raise(ArgumentError, "SymmetricEncryption::Cipher Invalid options #{params.inspect}") if params.size > 0
+      cipher_conf
     end
 
     # Create a Symmetric::Key for encryption and decryption purposes
@@ -114,15 +168,15 @@ module SymmetricEncryption
     #     Optional. The Initialization Vector to use with Symmetric Key
     #     Highly Recommended as it is the input into the CBC algorithm
     #  Or,
-    #   Note: The following 2 options are deprecated since it is _not_ necessary
-    #         to encrypt the initialization vector (IV)
     #   :iv_filename
     #     Name of file containing symmetric key initialization vector
     #     encrypted using the public key from the private_rsa_key
+    #     Deprecated: It is _not_ necessary to encrypt the initialization vector (IV)
     #  Or,
     #   :encrypted_iv
     #     Initialization vector encrypted using the public key from the private_rsa_key
     #     and then Base64 encoded
+    #     Deprecated: It is _not_ necessary to encrypt the initialization vector (IV)
     #
     #   :cipher_name [String]
     #     Optional. Encryption Cipher to use
@@ -157,41 +211,57 @@ module SymmetricEncryption
     #     Recommended: true
     #
     #   private_rsa_key [String]
-    #     RSA Key used to decrypt key and iv as applicable
-    #     Mandatory if :key_filename, :encrypted_key, :iv_filename, or :encrypted_iv is supplied
+    #     Key encryption key.
+    #     To generate a new one: SymmetricEncryption::KeyEncryptionKey.generate
+    #     Required if :key_filename, :encrypted_key, :iv_filename, or :encrypted_iv is supplied
     def initialize(params={})
       params             = params.dup
       @cipher_name       = params.delete(:cipher_name) || params.delete(:cipher) || 'aes-256-cbc'
       @version           = params.delete(:version)
       @always_add_header = params.delete(:always_add_header) || false
-      @encoding          = (params.delete(:encoding) || :base64).to_sym
-
-      # To decrypt encrypted key or iv files
+      self.encoding      = (params.delete(:encoding) || :base64).to_sym
       private_rsa_key    = params.delete(:private_rsa_key)
-      rsa                = OpenSSL::PKey::RSA.new(private_rsa_key) if private_rsa_key
-
-      if key = params.delete(:key)
-        @key = key
-      elsif file_name = params.delete(:key_filename)
-        @key = read_from_file(file_name, rsa)
-      elsif encrypted_key = params.delete(:encrypted_key)
-        @key = decrypt_key(encrypted_key, rsa)
+      unless private_rsa_key
+        [:key_filename, :encrypted_key, :iv_filename, :encrypted_iv].each do |key|
+          raise(SymmetricEncryption::ConfigError, "When :#{key} is supplied, :private_rsa_key is required.") if params.include?(key)
+        end
       end
 
-      if iv = params.delete(:iv)
-        @iv = iv
-      elsif file_name = params.delete(:iv_filename)
-        @iv = read_from_file(file_name, rsa)
-      elsif encrypted_iv = params.delete(:encrypted_iv)
-        @iv = decrypt_key(encrypted_iv, rsa)
-      end
+      key_encryption_key = KeyEncryptionKey.new(private_rsa_key) if private_rsa_key
+      @key               =
+        if key = params.delete(:key)
+          key
+        elsif file_name = params.delete(:key_filename)
+          encrypted_key = self.class.read_from_file(file_name)
+          key_encryption_key.decrypt(encrypted_key)
+        elsif encrypted_key = params.delete(:encrypted_key)
+          binary = self.encoder.decode(encrypted_key)
+          key_encryption_key.decrypt(binary)
+        else
+          raise(ArgumentError, 'Missing mandatory parameter :key, :key_filename, or :encrypted_key')
+        end
+
+      @iv =
+        if iv = params.delete(:iv)
+          iv
+        elsif file_name = params.delete(:iv_filename)
+          encrypted_iv = self.class.read_from_file(file_name)
+          key_encryption_key.decrypt(encrypted_iv)
+        elsif encrypted_iv = params.delete(:encrypted_iv)
+          binary = self.encoder.decode(encrypted_iv)
+          key_encryption_key.decrypt(binary)
+        end
 
-      raise(ArgumentError, 'Missing mandatory parameter :key, :key_filename, or :encrypted_key') unless @key
-      raise(ArgumentError, "Invalid Encoding: #{@encoding}") unless ENCODINGS.include?(@encoding)
       raise(ArgumentError, "Cipher version has a valid range of 0 to 255. #{@version} is too high, or negative") if (@version.to_i > 255) || (@version.to_i < 0)
       raise(ArgumentError, "SymmetricEncryption::Cipher Invalid options #{params.inspect}") if params.size > 0
     end
 
+    # Change the encoding
+    def encoding=(encoding)
+      @encoder  = SymmetricEncryption::Encoder[encoding]
+      @encoding = encoding
+    end
+
     # Encrypt and then encode a string
     #
     # Returns data encrypted and then encoded according to the encoding setting
@@ -277,21 +347,7 @@ module SymmetricEncryption
     # Returned string is UTF8 encoded except for encoding :none
     def encode(binary_string)
       return binary_string if binary_string.nil? || (binary_string == '')
-
-      # Now encode data based on encoding setting
-      case encoding
-      when :base64
-        encoded_string = ::Base64.encode64(binary_string)
-        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
-      when :base64strict
-        encoded_string = ::Base64.encode64(binary_string).gsub(/\n/, '')
-        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
-      when :base16
-        encoded_string = binary_string.to_s.unpack('H*').first
-        encoded_string.force_encoding(SymmetricEncryption::UTF8_ENCODING)
-      else
-        binary_string
-      end
+      encoder.encode(binary_string)
     end
 
     # Decode the supplied string using the encoding in this cipher instance
@@ -300,17 +356,7 @@ module SymmetricEncryption
     # Returned string is Binary encoded
     def decode(encoded_string)
       return encoded_string if encoded_string.nil? || (encoded_string == '')
-
-      case encoding
-      when :base64, :base64strict
-        decoded_string = ::Base64.decode64(encoded_string)
-        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
-      when :base16
-        decoded_string = [encoded_string].pack('H*')
-        decoded_string.force_encoding(SymmetricEncryption::BINARY_ENCODING)
-      else
-        encoded_string
-      end
+      encoder.decode(encoded_string)
     end
 
     # Return a new random key using the configured cipher_name
@@ -548,44 +594,19 @@ module SymmetricEncryption
 
     attr_reader :key
 
-    # Read the encrypted key from file
-    def read_from_file(file_name, rsa)
-      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when filename key is used') unless rsa
-      begin
-        encrypted_key = File.open(file_name, 'rb') { |f| f.read }
-        rsa.private_decrypt(encrypted_key)
-      rescue Errno::ENOENT
-        puts "\nSymmetric Encryption key file: '#{file_name}' not found or readable."
-        puts "To generate the keys for the first time run: bin/rails generate symmetric_encryption:new_keys production\n\n"
-      end
+    # Read from the file, raising an exception if it is not found
+    def self.read_from_file(file_name)
+      File.open(file_name, 'rb') { |f| f.read }
+    rescue Errno::ENOENT => exc
+      puts "\nSymmetric Encryption key file: '#{file_name}' not found or readable."
+      puts "To generate the keys for the first time run: bin/rails generate symmetric_encryption:new_keys production\n\n"
+      raise(exc)
     end
 
-    # Save symmetric key after encrypting it with the private RSA key
-    # Backing up existing files if present
-    def self.write_to_file(file_name, key, rsa)
-      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when filename key is used') unless rsa
+    # Write to the supplied filename, backing up the existing file if present
+    def self.write_to_file(file_name, data)
       File.rename(file_name, "#{file_name}.#{Time.now.to_i}") if File.exist?(file_name)
-      File.open(file_name, 'wb') { |file| file.write(rsa.public_encrypt(key)) }
-    end
-
-    # Read the encrypted key from file
-    def decrypt_key(encrypted_key, rsa)
-      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when encrypted key is supplied') unless rsa
-
-      # Decode value first using encoding specified
-      encrypted_key = ::Base64.decode64(encrypted_key)
-      if !encrypted_key || encrypted_key.empty?
-        puts "\nSymmetric Encryption encrypted_key not found."
-        puts "To generate the keys for the first time run: rails generate symmetric_encryption:new_keys\n\n"
-      else
-        rsa.private_decrypt(encrypted_key)
-      end
-    end
-
-    # Returns [String] encrypted form of supplied key
-    def encrypt_key(key, rsa)
-      raise(SymmetricEncryption::ConfigError, 'Missing mandatory config parameter :private_rsa_key when encrypted key is supplied') unless rsa
-      ::Base64.encode64(rsa.public_encrypt(key))
+      File.open(file_name, 'wb') { |file| file.write(data) }
     end
 
   end