symmetric-encryption 3.9.1 → 4.0.0.beta3

data/lib/symmetric_encryption/keystore.rb

@@ -0,0 +1,124 @@
+module SymmetricEncryption
+  module Keystore
+    #@formatter:off
+    autoload :Environment, 'symmetric_encryption/keystore/environment'
+    autoload :File,        'symmetric_encryption/keystore/file'
+    autoload :Memory,      'symmetric_encryption/keystore/memory'
+    #@formatter:on
+
+    # Returns [Hash] a new configuration file after performing key rotation.
+    #
+    # Perform key rotation for each of the environments in the configuration file, by
+    # * generating a new key, and iv with an incremented version number.
+    #
+    # Params:
+    #   config: [Hash]
+    #     The current contents of `symmetric-encryption.yml`.
+    #
+    #   environments: [Array<String>]
+    #     List of environments for which to perform key rotation for.
+    #     Default: All environments found in the current configuration file except development and test.
+    #
+    #   rolling_deploy: [true|false]
+    #     To support a rolling deploy of the new key it must added initially as the second key.
+    #     Then in a subsequent deploy the key can be moved into the first position to activate it.
+    #     In this way during a rolling deploy encrypted values written by updated servers will be readable
+    #     by the servers that have not been updated yet.
+    #     Default: false
+    #
+    # Notes:
+    # * iv_filename is no longer supported and is removed when creating a new random cipher.
+    #     * `iv` does not need to be encrypted and is included in the clear.
+    def self.rotate_keys!(full_config, environments: [], app_name:, rolling_deploy: false)
+      full_config.each_pair do |environment, cfg|
+        # Only rotate keys for specified environments. Default, all
+        next if !environments.empty? && !environments.include?(environment.to_sym)
+
+        # Find the highest version number
+        version = cfg[:ciphers].collect { |c| c[:version] || 0 }.max
+
+        config = cfg[:ciphers].first
+
+        # Only generate new keys for keystore's that have a key encrypting key
+        next unless config[:key_encrypting_key] || config[:private_rsa_key]
+
+        cipher_name    = config[:cipher_name] || 'aes-256-cbc'
+        new_key_config =
+          if config.has_key?(:key_filename)
+            key_path = ::File.dirname(config[:key_filename])
+            Keystore::File.new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
+          elsif config.has_key?(:key_env_var)
+            Keystore::Environment.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
+          elsif config.has_key?(:encrypted_key)
+            Keystore::Memory.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
+          end
+
+        # Add as second key so that key can be published now and only used in a later deploy.
+        if rolling_deploy
+          cfg[:ciphers].insert(1, new_key_config)
+        else
+          cfg[:ciphers].unshift(new_key_config)
+        end
+      end
+      full_config
+    end
+
+    # Rotates just the key encrypting keys for the current cipher version.
+    # The existing data encryption key is not changed, it is secured using the
+    # new key encrypting keys.
+    def self.rotate_key_encrypting_keys!(full_config, environments: [], app_name:)
+      full_config.each_pair do |environment, cfg|
+        # Only rotate keys for specified environments. Default, all
+        next if !environments.empty? && !environments.include?(environment.to_sym)
+
+        config = cfg[:ciphers].first
+
+        version = config.delete(:version) || 1
+        version -= 1
+        config.delete(:always_add_header)
+        config.delete(:encoding)
+
+        Key.migrate_config!(config)
+
+        # Only generate new keys for keystore's that have a key encrypting key
+        next unless config[:key_encrypting_key]
+
+        # The current data encrypting key without any of the key encrypting keys.
+        key            = Key.from_config(config)
+        cipher_name    = key.cipher_name
+        new_key_config =
+          if config.has_key?(:key_filename)
+            key_path = ::File.dirname(config[:key_filename])
+            Keystore::File.new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
+          elsif config.has_key?(:key_env_var)
+            Keystore::Environment.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
+          elsif config.has_key?(:encrypted_key)
+            Keystore::Memory.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
+          end
+
+        new_key_config
+
+        # Replace existing config entry
+        cfg[:ciphers].shift
+        cfg[:ciphers].unshift(new_key_config)
+      end
+      full_config
+    end
+
+    # The default development config.
+    def self.dev_config
+      {
+        ciphers:
+          [
+            {
+              key:         '1234567890ABCDEF',
+              iv:          '1234567890ABCDEF',
+              cipher_name: 'aes-128-cbc',
+              version:     1
+            }
+          ]
+      }
+    end
+
+  end
+end

data/lib/symmetric_encryption/railtie.rb

@@ -16,10 +16,6 @@ module SymmetricEncryption #:nodoc:
     #   end
     config.symmetric_encryption = ::SymmetricEncryption
 
-    rake_tasks do
-      load 'symmetric_encryption/railties/symmetric_encryption.rake'
-    end
-
     # Initialize Symmetry. This will look for a symmetry.yml in the config
     # directory and configure Symmetry appropriately.
     #
@@ -35,18 +31,20 @@ module SymmetricEncryption #:nodoc:
     config.before_configuration do
       # Check if already configured
       unless ::SymmetricEncryption.cipher?
+        app_name = Rails::Application.subclasses.first.parent.to_s.underscore
         config_file = Rails.root.join('config', 'symmetric-encryption.yml')
         if config_file.file?
           begin
-            ::SymmetricEncryption::Config.load!(config_file, Rails.env)
+            ::SymmetricEncryption::Config.load!(file_name: config_file, env: Rails.env)
           rescue ArgumentError => exc
             puts "\nSymmetric Encryption not able to read keys."
             puts "#{exc.class.name} #{exc.message}"
-            puts "To generate key files: bin/rails generate symmetric_encryption:new_keys #{Rails.env}\n\n"
+            puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app_name #{app_name}\n\n"
+            raise(exc)
           end
         else
           puts "\nSymmetric Encryption config not found."
-          puts "To generate one for the first time: bin/rails generate symmetric_encryption:config\n\n"
+          puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app_name #{app_name}\n\n"
         end
       end
     end

data/lib/symmetric_encryption/reader.rb

@@ -10,32 +10,15 @@ module SymmetricEncryption
     # Open a file for reading, or use the supplied IO Stream
     #
     # Parameters:
-    #   filename_or_stream:
-    #     The filename to open if a string, otherwise the stream to use
+    #   file_name_or_stream:
+    #     The file_name to open if a string, otherwise the stream to use
     #     The file or stream will be closed on completion, use .initialize to
     #     avoid having the stream closed automatically
     #
-    #   options:
-    #     :mode
-    #          See File.open for open modes
-    #          Default: 'rb'
-    #
-    #     :buffer_size
-    #          Amount of data to read at a time
-    #          Minimum Value 128
-    #          Default: 4096
-    #
-    #   The following options are only used if the stream/file has no header
-    #     :compress [true|false]
-    #          Uses Zlib to decompress the data after it is decrypted
-    #          Note: This option is only used if the file does not have a header
-    #                indicating whether it is compressed
-    #          Default: false
-    #
-    #     :version
-    #          Version of the encryption key to use when decrypting and the
-    #          file/stream does not include a header at the beginning
-    #          Default: Current primary key
+    #   buffer_size:
+    #     Amount of data to read at a time.
+    #     Minimum Value 128
+    #     Default: 16384
     #
     # Note: Decryption occurs before decompression
     #
@@ -76,30 +59,66 @@ module SymmetricEncryption
     # ensure
     #   csv.close if csv
     # end
-    def self.open(filename_or_stream, options={}, &block)
-      raise(ArgumentError, 'options must be a hash') unless options.respond_to?(:each_pair)
-      mode     = options.fetch(:mode, 'rb')
-      compress = options.fetch(:compress, false)
-      ios      = filename_or_stream.is_a?(String) ? ::File.open(filename_or_stream, mode) : filename_or_stream
+    def self.open(file_name_or_stream, buffer_size: 16384, **args, &block)
+      ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream, 'rb') : file_name_or_stream
 
       begin
-        file = self.new(ios, options)
-        file = Zlib::GzipReader.new(file) if !file.eof? && (file.compressed? || compress)
+        file = self.new(ios, buffer_size: buffer_size, **args)
+        file = Zlib::GzipReader.new(file) if !file.eof? && file.compressed?
         block ? block.call(file) : file
       ensure
         file.close if block && file && (file.respond_to?(:closed?) && !file.closed?)
       end
     end
 
+    # Read the entire contents of a file or stream into memory.
+    #
+    # Notes:
+    # * Do not use this method for reading large files.
+    def self.read(file_name_or_stream, **args)
+      open(file_name_or_stream, **args) { |f| f.read }
+    end
+
+    # Decrypt an entire file.
+    #
+    # Returns [Integer] the number of unencrypted bytes written to the target file.
+    #
+    # Params:
+    #   source: [String|IO]
+    #     Source file_name or IOStream
+    #
+    #   target: [String|IO]
+    #     Target file_name or IOStream
+    #
+    #   block_size: [Integer]
+    #     Number of bytes to read into memory for each read.
+    #     For very large files using a larger block size is faster.
+    #     Default: 65535
+    #
+    # Notes:
+    # * The file contents are streamed so that the entire file is _not_ loaded into memory.
+    def self.decrypt(source:, target:, block_size: 65535, **args)
+      target_ios    = target.is_a?(String) ? ::File.open(target, 'wb') : target
+      bytes_written = 0
+      open(source, **args) do |input_ios|
+        while !input_ios.eof?
+          bytes_written += target_ios.write(input_ios.read(block_size))
+        end
+      end
+      bytes_written
+    ensure
+      target_ios.close if target_ios && target_ios.respond_to?(:closed?) && !target_ios.closed?
+    end
+
     # Returns [true|false] whether the file or stream contains any data
     # excluding the header should it have one
-    def self.empty?(filename_or_stream)
-      open(filename_or_stream) { |file| file.eof? }
+    def self.empty?(file_name_or_stream)
+      open(file_name_or_stream) { |file| file.eof? }
     end
 
     # Returns [true|false] whether the file contains the encryption header
-    def self.header_present?(filename)
-      ::File.open(filename, 'rb') { |file| new(file).header_present? }
+    def self.header_present?(file_name)
+      ::File.open(file_name, 'rb') { |file| new(file).header_present? }
     end
 
     # After opening a file Returns [true|false] whether the file being
@@ -109,10 +128,10 @@ module SymmetricEncryption
     end
 
     # Decrypt data before reading from the supplied stream
-    def initialize(ios, options={})
+    def initialize(ios, buffer_size: 4096, version: nil)
       @ios            = ios
-      @buffer_size    = options.fetch(:buffer_size, 4096).to_i
-      @version        = options[:version]
+      @buffer_size    = buffer_size
+      @version        = version
       @header_present = false
       @closed         = false
 
@@ -316,33 +335,33 @@ module SymmetricEncryption
 
     # Read the header from the file if present
     def read_header
-      @pos              = 0
+      @pos = 0
 
       # Read first block and check for the header
-      buf               = @ios.read(@buffer_size)
+      buf = @ios.read(@buffer_size)
 
       # Use cipher specified in header, or global cipher if it has no header
-      iv, key           = nil
-      cipher_name       = nil
-      decryption_cipher = nil
-      if header = SymmetricEncryption::Cipher.parse_header!(buf)
-        @header_present   = true
-        @compressed       = header.compressed
-        decryption_cipher = header.decryption_cipher
-        cipher_name       = header.cipher_name || decryption_cipher.cipher_name
-        key               = header.key
-        iv                = header.iv
+      iv, key, cipher_name, cipher = nil
+      header                       = Header.new
+      if header.parse!(buf)
+        @header_present = true
+        @compressed     = header.compressed?
+        @version        = header.version
+        cipher          = header.cipher
+        cipher_name     = header.cipher_name || cipher.cipher_name
+        key             = header.key
+        iv              = header.iv
       else
-        @header_present   = false
-        @compressed       = nil
-        decryption_cipher = SymmetricEncryption.cipher(@version)
-        cipher_name       = decryption_cipher.cipher_name
+        @header_present = false
+        @compressed     = nil
+        cipher          = SymmetricEncryption.cipher(@version)
+        cipher_name     = cipher.cipher_name
       end
 
       @stream_cipher = ::OpenSSL::Cipher.new(cipher_name)
       @stream_cipher.decrypt
-      @stream_cipher.key = key || decryption_cipher.send(:key)
-      @stream_cipher.iv  = iv || decryption_cipher.iv
+      @stream_cipher.key = key || cipher.send(:key)
+      @stream_cipher.iv  = iv || cipher.iv
 
       # First call to #update should return an empty string anyway
       if buf && buf.length > 0

data/lib/symmetric_encryption/rsa_key.rb

@@ -0,0 +1,24 @@
+require 'openssl'
+module SymmetricEncryption
+  # DEPRECATED - Internal use only
+  class RSAKey
+    # DEPRECATED - Internal use only
+    def initialize(private_rsa_key)
+      @rsa = OpenSSL::PKey::RSA.new(private_rsa_key)
+    end
+
+    # DEPRECATED - Internal use only
+    def encrypt(key)
+      rsa.public_encrypt(key)
+    end
+
+    # DEPRECATED - Internal use only
+    def decrypt(encrypted_key)
+      rsa.private_decrypt(encrypted_key)
+    end
+
+    private
+
+    attr_reader :rsa
+  end
+end

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -26,7 +26,7 @@ module SymmetricEncryption
   #   :date      => Date
   #   :json      => Uses JSON serialization, useful for hashes and arrays
   #   :yaml      => Uses YAML serialization, useful for hashes and arrays
-  COERCION_TYPES      = [:string, :integer, :float, :decimal, :datetime, :time, :date, :boolean, :json, :yaml]
+  COERCION_TYPES = [:string, :integer, :float, :decimal, :datetime, :time, :date, :boolean, :json, :yaml]
 
   # Set the Primary Symmetric Cipher to be used
   #
@@ -39,6 +39,7 @@ module SymmetricEncryption
   #   )
   def self.cipher=(cipher)
     raise(ArgumentError, 'Cipher must respond to :encrypt and :decrypt') unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
+
     @@cipher = cipher
   end
 
@@ -47,7 +48,8 @@ module SymmetricEncryption
   #   Returns the primary cipher if no match was found and version == 0
   #   Returns nil if no match was found and version != 0
   def self.cipher(version = nil)
-    raise(SymmetricEncryption::ConfigError, 'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data') unless @@cipher
+    raise(SymmetricEncryption::ConfigError, 'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data') unless cipher?
+
     return @@cipher if version.nil? || (@@cipher.version == version)
     secondary_ciphers.find { |c| c.version == version } || (@@cipher if version == 0)
   end
@@ -60,6 +62,7 @@ module SymmetricEncryption
   # Set the Secondary Symmetric Ciphers Array to be used
   def self.secondary_ciphers=(secondary_ciphers)
     raise(ArgumentError, 'secondary_ciphers must be a collection') unless secondary_ciphers.respond_to? :each
+
     secondary_ciphers.each do |cipher|
       raise(ArgumentError, 'secondary_ciphers can only consist of SymmetricEncryption::Ciphers') unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt)
     end
@@ -71,17 +74,18 @@ module SymmetricEncryption
     @@secondary_ciphers
   end
 
-  # AES Symmetric Decryption of supplied string
-  #  Returns decrypted value
-  #  Returns nil if the supplied value is nil
-  #  Returns "" if it is a string and it is empty
+  # Decrypt supplied string.
+  #
+  #  Returns [String] the decrypted string.
+  #  Returns [nil] if the supplied value is nil.
+  #  Returns [''] if it is a string and it is empty.
   #
   #  Parameters
-  #    str
-  #      Encrypted string to decrypt
-  #    version
+  #    string [String]
+  #      Encrypted string to decrypt.
+  #    version [Integer]
   #      Specify which cipher version to use if no header is present on the
-  #      encrypted string
+  #      encrypted string.
   #    type [:string|:integer|:float|:decimal|:datetime|:time|:date|:boolean]
   #      If value is set to something other than :string, then the coercible gem
   #      will be use to coerce the unencrypted string value into the specified
@@ -105,23 +109,32 @@ module SymmetricEncryption
   #       yet significant number of cases it is possible to decrypt data using
   #       the incorrect key. Clearly the data returned is garbage, but it still
   #       successfully returns a string of data
-  def self.decrypt(encrypted_and_encoded_string, version=nil, type=:string)
-    raise(SymmetricEncryption::ConfigError, 'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data') unless @@cipher
+  def self.decrypt(encrypted_and_encoded_string, version: nil, type: :string)
     return encrypted_and_encoded_string if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == '')
 
-    str     = encrypted_and_encoded_string.to_s
+    str = encrypted_and_encoded_string.to_s
 
     # Decode before decrypting supplied string
-    decoded = @@cipher.decode(str)
+    decoded = cipher.decode(str)
     return unless decoded
     return decoded if decoded.empty?
 
+    header    = Header.new
     decrypted =
-      if header = Cipher.parse_header!(decoded)
-        header.decryption_cipher.binary_decrypt(decoded, header)
+      if header.parse!(decoded)
+        header.cipher.binary_decrypt(decoded, header: header)
       else
-        # Use cipher_selector if present to decide which cipher to use
-        c = @@select_cipher.nil? ? cipher(version) : @@select_cipher.call(str, decoded)
+        c =
+          if version
+            # Supplied version takes preference
+            cipher(version)
+          elsif @@select_cipher
+            # Use cipher_selector if present to decide which cipher to use
+            @@select_cipher.call(str, decoded)
+          else
+            # Global cipher
+            cipher
+          end
         c.binary_decrypt(decoded)
       end
 
@@ -132,6 +145,19 @@ module SymmetricEncryption
     Coerce.coerce_from_string(decrypted, type)
   end
 
+  # Returns the header for the encrypted string
+  # Returns [nil] if no header is present
+  def self.header(encrypted_and_encoded_string)
+    return if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == '')
+
+    # Decode before decrypting supplied string
+    decoded = cipher.encoder.decode(encrypted_and_encoded_string.to_s)
+    return if decoded.nil? || decoded.empty?
+
+    h = Header.new
+    h.parse(decoded) == 0 ? nil : h
+  end
+
   # AES Symmetric Encryption of supplied string
   #  Returns result as a Base64 encoded string
   #  Returns nil if the supplied str is nil
@@ -174,11 +200,11 @@ module SymmetricEncryption
   #     Note: If type is set to something other than :string, it's expected that
   #       the coercible gem is available in the path.
   #     Default: :string
-  def self.encrypt(str, random_iv=false, compress=false, type=:string)
-    raise(SymmetricEncryption::ConfigError, 'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data') unless @@cipher
+  def self.encrypt(str, random_iv: false, compress: false, type: :string, header: cipher.always_add_header)
+    return str if str.nil? || (str == '')
 
     # Encrypt and then encode the supplied string
-    @@cipher.encrypt(Coerce.coerce_to_string(str, type), random_iv, compress)
+    cipher.encrypt(Coerce.coerce_to_string(str, type), random_iv: random_iv, compress: compress, header: header)
   end
 
   # Invokes decrypt
@@ -193,27 +219,21 @@ module SymmetricEncryption
   # WARNING: It is possible to decrypt data using the wrong key, so the value
   #          returned should not be relied upon
   def self.try_decrypt(str)
-    raise(SymmetricEncryption::ConfigError, 'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data') unless @@cipher
-    begin
-      decrypt(str)
-    rescue OpenSSL::Cipher::CipherError, SymmetricEncryption::CipherError
-      nil
-    end
+    decrypt(str)
+  rescue OpenSSL::Cipher::CipherError, SymmetricEncryption::CipherError
+    nil
   end
 
-  # Returns [true|false] as to whether the data could be decrypted
-  #   Parameters:
-  #     encrypted_data: Encrypted string
+  # Returns [true|false] whether the string is encrypted.
   #
-  # WARNING: This method can only be relied upon if the encrypted data includes the
-  #          symmetric encryption header. In some cases data decrypted using the
-  #          wrong key will decrypt and return garbage
+  # Notes:
+  # * This method only works reliably when the encrypted data includes the symmetric encryption header.
+  # * nil and '' are considered "encrypted" so that validations do not blow up on empty values.
   def self.encrypted?(encrypted_data)
-    raise(SymmetricEncryption::ConfigError, 'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data') unless @@cipher
+    return false if encrypted_data.nil? || (encrypted_data == '')
 
-    # For now have to decrypt it fully
-    result = try_decrypt(encrypted_data)
-    !(result.nil? || result == '')
+    @header ||= SymmetricEncryption.cipher.encoded_magic_header
+    encrypted_data.to_s.start_with?(@header)
   end
 
   # When no header is present in the encrypted data, this custom Block/Proc is
@@ -246,79 +266,21 @@ module SymmetricEncryption
   end
 
   # Load the Encryption Configuration from a YAML file
-  #  filename:
+  #  file_name:
   #    Name of file to read.
   #        Mandatory for non-Rails apps
   #        Default: Rails.root/config/symmetric-encryption.yml
   #  environment:
   #    Which environments config to load. Usually: production, development, etc.
   #    Default: Rails.env
-  def self.load!(filename = nil, environment = nil)
-    Config.load!(filename, environment)
-  end
-
-  # Generate new random symmetric keys for use with this Encryption library
-  #
-  # Note: Only the current Encryption key settings are used
-  #
-  # Creates Symmetric Key .key and initialization vector .iv
-  # which is encrypted with the key encryption key.
-  #
-  # Existing key files will be renamed if present
-  def self.generate_symmetric_key_files(filename = nil, environment = nil)
-    config        = Config.read_config(filename, environment)
-
-    # Only regenerating the first configured cipher
-    cipher_config = config[:ciphers].first
-
-    # Delete unused config keys to generate new random keys
-    [:version, :always_add_header].each do |key|
-      cipher_config.delete(key)
-    end
-
-    key_config    = {private_rsa_key: config[:private_rsa_key]}
-    cipher_cfg    = Cipher.generate_random_keys(key_config.merge(cipher_config))
-
-    puts
-    if encoded_encrypted_key = cipher_cfg[:encrypted_key]
-      puts 'If running in Heroku, add the environment specific key:'
-      puts "heroku config:add #{environment.upcase}_KEY1=#{encoded_encrypted_key}\n"
-    end
-
-    if encoded_encrypted_iv = cipher_cfg[:encrypted_iv]
-      puts 'If running in Heroku, add the environment specific key:'
-      puts "heroku config:add #{environment.upcase}_IV1=#{encoded_encrypted_iv}"
-    end
-
-    if key = cipher_cfg[:key]
-      puts "Please add the key: #{key} to your config file"
-    end
-
-    if iv = cipher_cfg[:iv]
-      puts "Please add the iv: #{iv} to your config file"
-    end
-
-    if file_name = cipher_cfg[:key_filename]
-      puts("Please copy #{file_name} to the other servers in #{environment}.")
-    end
-
-    if file_name = cipher_cfg[:iv_filename]
-      puts("Please copy #{file_name} to the other servers in #{environment}.")
-    end
-    cipher_cfg
-  end
-
-  # Generate a 22 character random password
-  def self.random_password
-    Base64.encode64(OpenSSL::Cipher.new('aes-128-cbc').random_key)[0..-4].strip
+  def self.load!(file_name = nil, env = nil)
+    Config.load!(file_name: file_name, env: env)
   end
 
-  # Binary encrypted data includes this magic header so that we can quickly
-  # identify binary data versus base64 encoded data that does not have this header
-  unless defined? MAGIC_HEADER
-    MAGIC_HEADER        = '@EnC'
-    MAGIC_HEADER_SIZE   = MAGIC_HEADER.size
-    MAGIC_HEADER_UNPACK = "a#{MAGIC_HEADER_SIZE}v"
+  # Generate a Random password
+  def self.random_password(size = 22)
+    require 'securerandom' unless defined?(SecureRandom)
+    SecureRandom.urlsafe_base64(size)
   end
 
   BINARY_ENCODING = Encoding.find('binary')