symmetric-encryption 3.9.1 → 4.0.0

data/test/config/symmetric-encryption.yml

@@ -1,86 +1,144 @@
-#
-# Test Config with multiple keys
+# This file was auto generated by symmetric-encryption.
+# Recommend using symmetric-encryption to make changes.
+# For more info, run:
+#   symmetric-encryption --help
 #
 ---
 test:
-  # Test Key encryption key, DO NOT use this key, generate a new one using
-  #    SymmetricEncryption::KeyEncryptionKey.generate
-  # Or use the rails generator to create a new config file as described in the readme
-  private_rsa_key: |
-    -----BEGIN RSA PRIVATE KEY-----
-    MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
-    6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
-    qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
-    IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
-    fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
-    WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
-    ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
-    k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
-    0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
-    Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
-    ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
-    nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
-    nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
-    M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
-    SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
-    suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
-    hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
-    MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
-    ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
-    ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
-    /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
-    VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
-    h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
-    PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
-    r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
-    -----END RSA PRIVATE KEY-----
-
   ciphers:
-    # Current / Newest Symmetric Encryption Key
-    -
-      key_filename:      test/config/test_new.key
-      iv_filename:       test/config/test_new.iv
-      cipher_name:       aes-128-cbc
-      # Base64 encode encrypted data without newlines
-      encoding:          base64strict
-      version:           2
-      always_add_header: true
-
-    # For testing a higher version that is not active yet
-    -
-      key:               6BCDEF1234567890ABCDEF1234567890
-      iv:                6BCDEF1234567890
-      cipher_name:       aes-256-cbc
-      version:           6
-      encoding:          :base64strict
-      always_add_header: true
-
-    # Prior Symmetric Encryption Key specified in environment variable
-    -
-      # Encryption Key
-      #
-      # Example:
-      #  # An environment variable:
-      #  encrypted_key:   <%= ENV['KEY'] %>
-      #
-      # NOTE: Do not put the encrypted key directly in this file. It is only here
-      #       for testing purposes
-      encrypted_key:     <%= 'xFAsZ73PThktyo76PoNQGYnjCJUAd4+Yaz71bO5FajshXsbjkfZjjvbK9hxzWLr+C7X67hcrTypVHB1Rw0De8lRDqexlc87sTx1wtlz70lOvTBXt9Lv4sbJNLxacuqk545LIJpgK02Dq7FGzACV3jb3Yk+QQngiscETYM6PyiuFpReFB0qFOgCSLeBJsXAdNdqkEZggl8PL+lGDueDGeKUng+Ic/AFWPhJGYkk3xV++AGwUFXdDQeuHllxmV9WlzriHnDwzbfugkfGaRjWn808VXrv9Jgf2yRy++gOYUvRnjZ1ltOgXUEEmBVF2Uvhu+zs6C/D4cb1mkR7911M5naA==' %>
-      # For testing purposes only, the above key is just:
-      #   key:               ABCDEF1234567890
-      iv:                1234567890ABCDEF
-      cipher_name:       aes-128-cbc
-      # Base64 encode encrypted data without newlines
-      encoding:          base64strict
-      version:           1
-      always_add_header: false
-
-    # First Symmetric Encryption Key
-    -
-      key_filename:      test/config/test_secondary_1.key
-      iv_filename:       test/config/test_secondary_1.iv
-      cipher_name:       aes-128-cbc
-      # Base64 encode encrypted data
-      encoding:          base64
-      version:           0
-      always_add_header: false
+  - key_filename: test/config/test_new.key
+    iv_filename: test/config/test_new.iv
+    cipher_name: aes-128-cbc
+    encoding: base64strict
+    version: 2
+    always_add_header: true
+    key_encrypting_key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
+      6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
+      qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
+      IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
+      fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
+      WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
+      ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
+      k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
+      0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
+      Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
+      ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
+      nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
+      nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
+      M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
+      SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
+      suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
+      hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
+      MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
+      ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
+      ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
+      /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
+      VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
+      h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
+      PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
+      r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
+      -----END RSA PRIVATE KEY-----
+  - key: 6BCDEF1234567890ABCDEF1234567890
+    iv: 6BCDEF1234567890
+    cipher_name: aes-256-cbc
+    version: 6
+    encoding: base64strict
+    always_add_header: true
+    key_encrypting_key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
+      6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
+      qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
+      IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
+      fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
+      WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
+      ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
+      k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
+      0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
+      Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
+      ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
+      nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
+      nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
+      M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
+      SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
+      suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
+      hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
+      MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
+      ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
+      ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
+      /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
+      VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
+      h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
+      PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
+      r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
+      -----END RSA PRIVATE KEY-----
+  - encrypted_key: xFAsZ73PThktyo76PoNQGYnjCJUAd4+Yaz71bO5FajshXsbjkfZjjvbK9hxzWLr+C7X67hcrTypVHB1Rw0De8lRDqexlc87sTx1wtlz70lOvTBXt9Lv4sbJNLxacuqk545LIJpgK02Dq7FGzACV3jb3Yk+QQngiscETYM6PyiuFpReFB0qFOgCSLeBJsXAdNdqkEZggl8PL+lGDueDGeKUng+Ic/AFWPhJGYkk3xV++AGwUFXdDQeuHllxmV9WlzriHnDwzbfugkfGaRjWn808VXrv9Jgf2yRy++gOYUvRnjZ1ltOgXUEEmBVF2Uvhu+zs6C/D4cb1mkR7911M5naA==
+    iv: 1234567890ABCDEF
+    cipher_name: aes-128-cbc
+    encoding: base64strict
+    version: 1
+    always_add_header: false
+    key_encrypting_key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
+      6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
+      qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
+      IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
+      fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
+      WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
+      ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
+      k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
+      0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
+      Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
+      ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
+      nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
+      nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
+      M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
+      SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
+      suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
+      hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
+      MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
+      ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
+      ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
+      /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
+      VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
+      h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
+      PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
+      r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
+      -----END RSA PRIVATE KEY-----
+  - key_filename: test/config/test_secondary_1.key
+    iv_filename: test/config/test_secondary_1.iv
+    cipher_name: aes-128-cbc
+    encoding: base64
+    version: 0
+    always_add_header: false
+    key_encrypting_key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
+      6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
+      qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
+      IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
+      fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
+      WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
+      ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
+      k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
+      0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
+      Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
+      ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
+      nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
+      nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
+      M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
+      SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
+      suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
+      hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
+      MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
+      ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
+      ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
+      /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
+      VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
+      h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
+      PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
+      r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
+      -----END RSA PRIVATE KEY-----

data/test/header_test.rb

@@ -0,0 +1,218 @@
+require_relative 'test_helper'
+
+class CipherTest < Minitest::Test
+  describe SymmetricEncryption::Header do
+    let :clear_value do
+      'Hello World'
+    end
+
+    let :random_iv do
+      false
+    end
+
+    let :compress do
+      false
+    end
+
+    let :binary_encrypted_value do
+      SymmetricEncryption.cipher.binary_encrypt(clear_value, random_iv: random_iv, compress: compress)
+    end
+
+    let :header do
+      header = SymmetricEncryption::Header.new
+      header.parse(binary_encrypted_value)
+      header
+    end
+
+    describe '#new' do
+      it 'sets defaults' do
+        header = SymmetricEncryption::Header.new
+        assert_equal SymmetricEncryption.cipher.version, header.version
+        refute header.compressed?
+        refute header.iv
+        refute header.key
+        refute header.cipher_name
+        refute header.auth_tag
+      end
+    end
+
+    describe '.present?' do
+      it 'has a header' do
+        assert SymmetricEncryption::Header.present?(binary_encrypted_value)
+      end
+
+      it 'does not have a header' do
+        refute SymmetricEncryption::Header.present?(clear_value)
+      end
+
+      it 'does not have a header when nil' do
+        refute SymmetricEncryption::Header.present?(nil)
+      end
+
+      it 'does not have a header when empty string' do
+        refute SymmetricEncryption::Header.present?('')
+      end
+    end
+
+    describe '#cipher' do
+      it 'returns the global cipher used to encrypt the value' do
+        assert_equal SymmetricEncryption.cipher, header.cipher
+      end
+    end
+
+    describe '#version' do
+      it 'returns the global cipher used to encrypt the value' do
+        assert_equal SymmetricEncryption.cipher.version, header.version
+      end
+    end
+
+    describe '#cipher_name' do
+      it 'returns nil when cipher name was not overridden' do
+        assert_nil header.cipher_name
+      end
+    end
+
+    describe '#key' do
+      it 'returns nil when key was not overridden' do
+        assert_nil header.key
+      end
+    end
+
+    describe '#compress' do
+      it 'encrypted string' do
+        refute header.compressed?
+      end
+
+      describe 'with compression' do
+        let :compress do
+          true
+        end
+
+        it 'encrypted string' do
+          assert header.compressed?
+        end
+      end
+
+    end
+
+    describe '#to_s' do
+    end
+
+    describe '#parse' do
+      it 'nil string' do
+        header = SymmetricEncryption::Header.new
+        assert_equal 0, header.parse(nil)
+      end
+
+      it 'empty string' do
+        header = SymmetricEncryption::Header.new
+        assert_equal 0, header.parse('')
+      end
+
+      it 'unencrypted string' do
+        header = SymmetricEncryption::Header.new
+        assert_equal 0, header.parse('hello there')
+      end
+
+      it 'encrypted string' do
+        header = SymmetricEncryption::Header.new
+        assert_equal 6, header.parse(binary_encrypted_value)
+      end
+
+      describe 'with random_iv' do
+        let :random_iv do
+          true
+        end
+
+        it 'encrypted string' do
+          header = SymmetricEncryption::Header.new
+          assert_equal 24, header.parse(binary_encrypted_value)
+        end
+
+        describe 'with compression' do
+          let :compress do
+            true
+          end
+
+          it 'encrypted string' do
+            assert header.compressed?
+          end
+        end
+
+      end
+    end
+
+    describe '#parse!' do
+      it 'nil string' do
+        header = SymmetricEncryption::Header.new
+        assert_nil header.parse!(nil)
+      end
+
+      it 'empty string' do
+        header = SymmetricEncryption::Header.new
+        assert_nil header.parse!('')
+      end
+
+      it 'unencrypted string' do
+        header = SymmetricEncryption::Header.new
+        assert_nil header.parse!('hello there')
+      end
+
+      it 'encrypted string' do
+        header    = SymmetricEncryption::Header.new
+        remainder = header.parse!(binary_encrypted_value.dup)
+        assert_equal SymmetricEncryption.cipher.version, header.version
+        refute header.compressed?
+        refute header.iv
+        refute header.key
+        refute header.cipher_name
+        refute header.auth_tag
+
+        # Decrypt with this new header
+        encrypted_without_header = SymmetricEncryption.cipher.binary_encrypt(clear_value, header: false)
+        assert_equal encrypted_without_header, remainder
+
+        assert_equal clear_value, SymmetricEncryption.cipher.binary_decrypt(remainder, header: header)
+      end
+
+      describe 'with random_iv' do
+        let :random_iv do
+          true
+        end
+
+        it 'encrypted string' do
+          header = SymmetricEncryption::Header.new
+          assert remainder = header.parse!(binary_encrypted_value)
+          assert_equal SymmetricEncryption.cipher.version, header.version
+          refute header.compressed?
+          assert header.iv
+          refute header.key
+          refute header.cipher_name
+          refute header.auth_tag
+          assert_equal clear_value, SymmetricEncryption.cipher.binary_decrypt(remainder, header: header)
+        end
+      end
+    end
+
+    describe '#iv' do
+      it 'encrypted string' do
+        header = SymmetricEncryption::Header.new
+        header.parse(binary_encrypted_value)
+        assert_nil header.iv
+      end
+
+      describe 'with random_iv' do
+        let :random_iv do
+          true
+        end
+
+        it 'encrypted string' do
+          assert header.iv
+          refute_equal SymmetricEncryption.cipher.iv, header.iv
+        end
+      end
+    end
+
+  end
+end
+

data/test/key_test.rb

@@ -0,0 +1,240 @@
+require_relative 'test_helper'
+
+class KeyTest < Minitest::Test
+  describe SymmetricEncryption::Key do
+    before do
+      Dir.mkdir('tmp') unless Dir.exist?('tmp')
+    end
+
+    after do
+      # Cleanup generated encryption key files.
+      `rm tmp/dek_tester* 2> /dev/null`
+    end
+
+    let :random_key do
+      SymmetricEncryption::Key.new
+    end
+
+    let :stored_key do
+      '1234567890ABCDEF1234567890ABCDEF'
+    end
+
+    let :stored_iv do
+      'ABCDEF1234567890'
+    end
+
+    let :key do
+      SymmetricEncryption::Key.new(key: stored_key, iv: stored_iv)
+    end
+
+    let :stored_key2 do
+      'ABCDEF1234567890ABCDEF1234567890'
+    end
+
+    let :stored_iv2 do
+      '1234567890ABCDEF'
+    end
+
+    let :key2 do
+      SymmetricEncryption::Key.new(key: stored_key2, iv: stored_iv2)
+    end
+
+    let :stored_key3 do
+      'ABCDEF0123456789ABCDEF0123456789'
+    end
+
+    let :stored_iv3 do
+      '0123456789ABCDEF'
+    end
+
+    let :key3 do
+      SymmetricEncryption::Key.new(key: stored_key3, iv: stored_iv3)
+    end
+
+    let :ssn do
+      '987654321'
+    end
+
+    let :encrypted_ssn do
+      essn = "cR\x9C,\x91\xA4{\b`\x9Fls\xA4\f\xD1\xBF"
+      essn.force_encoding('binary')
+      essn
+    end
+
+    describe 'encrypt' do
+      it 'empty string' do
+        assert_equal '', key.encrypt('')
+      end
+
+      it 'nil' do
+        assert_nil key.encrypt(nil)
+      end
+
+      it 'string' do
+        assert_equal encrypted_ssn, key.encrypt(ssn)
+      end
+    end
+
+    describe 'decrypt' do
+      it 'empty string' do
+        assert_equal '', key.decrypt('')
+      end
+
+      it 'nil' do
+        assert_nil key.decrypt(nil)
+      end
+
+      it 'string' do
+        assert_equal ssn, key.decrypt(encrypted_ssn)
+      end
+    end
+
+    describe 'key' do
+      it 'creates random key by default' do
+        assert key = random_key.key
+        refute_equal key, SymmetricEncryption::Key.new.key
+      end
+
+      it 'stores' do
+        assert_equal stored_key, key.key
+      end
+    end
+
+    describe 'iv' do
+      it 'creates random iv by default' do
+        assert iv = random_key.iv
+        refute_equal iv, SymmetricEncryption::Key.new.iv
+      end
+
+      it 'stores' do
+        assert_equal stored_iv, key.iv
+      end
+    end
+
+    describe '.from_config' do
+      let :config do
+        {key: stored_key, iv: stored_iv}
+      end
+
+      let :config_key do
+        SymmetricEncryption::Key.from_config(config)
+      end
+
+      let :dek_file_name do
+        'tmp/dek_tester_dek.encrypted_key'
+      end
+
+      describe 'key' do
+        it 'key' do
+          assert_equal stored_key, config_key.key
+        end
+
+        it 'iv' do
+          assert_equal stored_iv, config_key.iv
+        end
+
+        it 'cipher_name' do
+          assert_equal 'aes-256-cbc', config_key.cipher_name
+        end
+      end
+
+      describe 'encrypted_key' do
+        let :config do
+          {encrypted_key: key2.encrypt(stored_key), iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
+        end
+
+        it 'key' do
+          assert_equal stored_key, config_key.key
+        end
+
+        it 'iv' do
+          assert_equal stored_iv, config_key.iv
+        end
+
+        it 'cipher_name' do
+          assert_equal 'aes-256-cbc', config_key.cipher_name
+        end
+      end
+
+      describe 'key_filename' do
+        let :config do
+          File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
+          {key_filename: dek_file_name, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
+        end
+
+        it 'key' do
+          assert_equal stored_key, config_key.key
+        end
+
+        it 'iv' do
+          assert_equal stored_iv, config_key.iv
+        end
+
+        it 'cipher_name' do
+          assert_equal 'aes-256-cbc', config_key.cipher_name
+        end
+      end
+
+      describe 'key_env_var' do
+        let :env_var do
+          'TEST_KEY'
+        end
+
+        let :config do
+          ENV[env_var] = ::Base64.encode64(key2.encrypt(stored_key))
+          {key_env_var: env_var, iv: stored_iv, key_encrypting_key: {key: stored_key2, iv: stored_iv2}}
+        end
+
+        it 'key' do
+          assert_equal stored_key, config_key.key
+        end
+
+        it 'iv' do
+          assert_equal stored_iv, config_key.iv
+        end
+
+        it 'cipher_name' do
+          assert_equal 'aes-256-cbc', config_key.cipher_name
+        end
+      end
+
+      describe 'file store with kekek' do
+        let :kekek_file_name do
+          'tmp/tester_kekek.key'
+        end
+
+        let :config do
+          File.open(dek_file_name, 'wb') { |f| f.write(key2.encrypt(stored_key)) }
+          encrypted_key = key3.encrypt(stored_key2)
+          File.open(kekek_file_name, 'wb') { |f| f.write(stored_key3) }
+          {
+            key_filename:       dek_file_name,
+            iv:                 stored_iv,
+            key_encrypting_key: {
+              encrypted_key:      encrypted_key,
+              iv:                 stored_iv2,
+              key_encrypting_key: {
+                key_filename: kekek_file_name,
+                iv:           stored_iv3
+              }
+            }
+          }
+        end
+
+        it 'key' do
+          assert_equal stored_key, config_key.key
+        end
+
+        it 'iv' do
+          assert_equal stored_iv, config_key.iv
+        end
+
+        it 'cipher_name' do
+          assert_equal 'aes-256-cbc', config_key.cipher_name
+        end
+      end
+
+    end
+
+  end
+end