symmetric-encryption 4.0.1 → 4.1.0

data/lib/symmetric_encryption/keystore/environment.rb

@@ -4,41 +4,20 @@ module SymmetricEncryption
     class Environment < Memory
       attr_accessor :key_env_var, :encoding
 
-      # Returns [Hash] initial configuration for heroku.
-      # Displays the keys that need to be added to the heroku environment.
-      def self.new_config(app_name: 'symmetric-encryption',
-                          environments: %i[development test release production],
-                          cipher_name: 'aes-256-cbc')
-
-        configs = {}
-        environments.each do |environment|
-          environment          = environment.to_sym
-          configs[environment] =
-            if %i[development test].include?(environment)
-              Keystore.dev_config
-            else
-              cfg = new_key_config(cipher_name: cipher_name, app_name: app_name, environment: environment)
-              {
-                ciphers: [cfg]
-              }
-            end
-        end
-        configs
-      end
-
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
 
-        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr('-', '_')
         new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)
 
         {
+          keystore:           :environment,
           cipher_name:        dek.cipher_name,
           version:            version,
           key_env_var:        key_env_var,
@@ -62,6 +41,7 @@ module SymmetricEncryption
       def read
         encrypted = ENV[key_env_var]
         raise "The Environment Variable #{key_env_var} must be set with the encrypted encryption key." unless encrypted
+
         binary = encoder.decode(encrypted)
         key_encrypting_key.decrypt(binary)
       end
@@ -70,11 +50,8 @@ module SymmetricEncryption
       def write(key)
         encrypted_key = key_encrypting_key.encrypt(key)
         puts "\n\n********************************************************************************"
-        puts "Add the environment key to Heroku:\n\n"
-        puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
-        puts
-        puts "Or, if using environment variables on another system set the environment variable as follows:\n\n"
-        puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\"\n\n"
+        puts 'Set the environment variable as follows:'
+        puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
         puts '********************************************************************************'
       end
 

data/lib/symmetric_encryption/keystore/file.rb

@@ -3,46 +3,24 @@ module SymmetricEncryption
     class File
       attr_accessor :file_name, :key_encrypting_key
 
-      # Returns [Hash] initial configuration.
-      # Generates the encrypted key file for every environment except development and test.
-      def self.new_config(key_path: '/etc/symmetric-encryption',
-                          app_name: 'symmetric-encryption',
-                          environments: %i[development test release production],
-                          cipher_name: 'aes-256-cbc')
-
-        configs = {}
-        environments.each do |environment|
-          environment          = environment.to_sym
-          configs[environment] =
-            if %i[development test].include?(environment)
-              Keystore.dev_config
-            else
-              cfg = new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, environment: environment)
-              {
-                ciphers: [cfg]
-              }
-            end
-        end
-        configs
-      end
-
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.new_key_config(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
 
-        dek   ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
         kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
-        new(file_name: dek_file_name, key_encrypting_key: kek).write(dek.key)
+        new(key_filename: dek_file_name, key_encrypting_key: kek).write(dek.key)
 
         kekek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.kekek")
-        new(file_name: kekek_file_name).write(kekek.key)
+        new(key_filename: kekek_file_name).write(kekek.key)
 
         {
+          keystore:           :file,
           cipher_name:        dek.cipher_name,
           version:            version,
           key_filename:       dek_file_name,
@@ -60,8 +38,8 @@ module SymmetricEncryption
 
       # Stores the Encryption key in a file.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(file_name:, key_encrypting_key: nil)
-        @file_name          = file_name
+      def initialize(key_filename:, key_encrypting_key: nil)
+        @file_name          = key_filename
         @key_encrypting_key = key_encrypting_key
       end
 

data/lib/symmetric_encryption/keystore/heroku.rb

@@ -0,0 +1,22 @@
+module SymmetricEncryption
+  module Keystore
+    # Heroku uses environment variables too.
+    class Heroku < Environment
+      # Returns [Hash] a new keystore configuration after generating the data key.
+      def self.generate_data_key(**args)
+        config            = super(**args)
+        config[:keystore] = :heroku
+        config
+      end
+
+      # Write the encrypted Encryption key to `encrypted_key` attribute.
+      def write(key)
+        encrypted_key = key_encrypting_key.encrypt(key)
+        puts "\n\n********************************************************************************"
+        puts "Add the environment key to Heroku:\n\n"
+        puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
+        puts '********************************************************************************'
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/keystore/memory.rb

@@ -5,22 +5,23 @@ module SymmetricEncryption
       attr_accessor :key_encrypting_key
       attr_reader :encrypted_key
 
-      # Returns [Hash] a new cipher, and writes its encrypted key file.
+      # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
       #
       # Notes:
       # * For development and testing purposes only!!
       # * Never store the encrypted encryption key in the source code / config file.
-      def self.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil)
         version >= 255 ? (version = 1) : (version += 1)
 
-        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         encrypted_key = new(key_encrypting_key: kek).write(dek.key)
 
         {
+          keystore:           :memory,
           cipher_name:        cipher_name,
           version:            version,
           encrypted_key:      encrypted_key,

data/lib/symmetric_encryption/keystore.rb

@@ -2,11 +2,33 @@ module SymmetricEncryption
   # Encryption keys are secured in Keystores
   module Keystore
     # @formatter:off
+    autoload :Aws,         'symmetric_encryption/keystore/aws'
     autoload :Environment, 'symmetric_encryption/keystore/environment'
     autoload :File,        'symmetric_encryption/keystore/file'
+    autoload :Heroku,      'symmetric_encryption/keystore/heroku'
     autoload :Memory,      'symmetric_encryption/keystore/memory'
     # @formatter:on
 
+    # Returns [Hash] a new keystore configuration after generating data keys for each environment.
+    def self.generate_data_keys(keystore:, environments: %i[development test release production], **args)
+      keystore_class = keystore.is_a?(Symbol) || keystore.is_a?(String) ? constantize_symbol(keystore) : keystore
+
+      configs = {}
+      environments.each do |environment|
+        environment          = environment.to_sym
+        configs[environment] =
+          if %i[development test].include?(environment)
+            dev_config
+          else
+            cfg = keystore_class.generate_data_key(environment: environment, **args)
+            {
+              ciphers: [cfg]
+            }
+          end
+      end
+      configs
+    end
+
     # Returns [Hash] a new configuration file after performing key rotation.
     #
     # Perform key rotation for each of the environments in the configuration file, by
@@ -27,10 +49,13 @@ module SymmetricEncryption
     #     by the servers that have not been updated yet.
     #     Default: false
     #
+    #   keystore: [Symbol]
+    #     If supplied, changes the keystore during key rotation.
+    #
     # Notes:
     # * iv_filename is no longer supported and is removed when creating a new random cipher.
     #     * `iv` does not need to be encrypted and is included in the clear.
-    def self.rotate_keys!(full_config, environments: [], app_name:, rolling_deploy: false)
+    def self.rotate_keys!(full_config, environments: [], app_name:, rolling_deploy: false, keystore: nil)
       full_config.each_pair do |environment, cfg|
         # Only rotate keys for specified environments. Default, all
         next if !environments.empty? && !environments.include?(environment.to_sym)
@@ -43,22 +68,24 @@ module SymmetricEncryption
         # Only generate new keys for keystore's that have a key encrypting key
         next unless config[:key_encrypting_key] || config[:private_rsa_key]
 
-        cipher_name    = config[:cipher_name] || 'aes-256-cbc'
-        new_key_config =
-          if config.key?(:key_filename)
-            key_path = ::File.dirname(config[:key_filename])
-            Keystore::File.new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
-          elsif config.key?(:key_env_var)
-            Keystore::Environment.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
-          elsif config.key?(:encrypted_key)
-            Keystore::Memory.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
-          end
+        cipher_name = config[:cipher_name] || 'aes-256-cbc'
+
+        keystore_class = keystore ? constantize_symbol(keystore) : keystore_for(config)
+
+        args = {
+          cipher_name: cipher_name,
+          app_name:    app_name,
+          version:     version,
+          environment: environment
+        }
+        args[:key_path] = ::File.dirname(config[:key_filename]) if config.key?(:key_filename)
+        new_data_key    = keystore_class.generate_data_key(args)
 
         # Add as second key so that key can be published now and only used in a later deploy.
         if rolling_deploy
-          cfg[:ciphers].insert(1, new_key_config)
+          cfg[:ciphers].insert(1, new_data_key)
         else
-          cfg[:ciphers].unshift(new_key_config)
+          cfg[:ciphers].unshift(new_data_key)
         end
       end
       full_config
@@ -77,33 +104,35 @@ module SymmetricEncryption
         # Only generate new keys for keystore's that have a key encrypting key
         next unless config[:key_encrypting_key]
 
-        version = config.delete(:version) || 1
+        version  = config.delete(:version) || 1
         version -= 1
 
         always_add_header = config.delete(:always_add_header)
         encoding          = config.delete(:encoding)
 
-        Key.migrate_config!(config)
+        migrate_config!(config)
 
         # The current data encrypting key without any of the key encrypting keys.
-        key            = Key.from_config(config)
+        key            = Keystore.read_key(config)
         cipher_name    = key.cipher_name
-        new_key_config =
-          if config.key?(:key_filename)
-            key_path = ::File.dirname(config[:key_filename])
-            Keystore::File.new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
-          elsif config.key?(:key_env_var)
-            Keystore::Environment.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
-          elsif config.key?(:encrypted_key)
-            Keystore::Memory.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
-          end
+        keystore_class = keystore_for(config)
 
-        new_key_config[:always_add_header] = always_add_header
-        new_key_config[:encoding]          = encoding
+        args = {
+          cipher_name: cipher_name,
+          app_name:    app_name,
+          version:     version,
+          environment: environment,
+          dek:         key
+        }
+        args[:key_path] = ::File.dirname(config[:key_filename]) if config.key?(:key_filename)
+
+        new_config                     = keystore_class.generate_data_key(args)
+        new_config[:always_add_header] = always_add_header
+        new_config[:encoding]          = encoding
 
         # Replace existing config entry
         cfg[:ciphers].shift
-        cfg[:ciphers].unshift(new_key_config)
+        cfg[:ciphers].unshift(new_config)
       end
       full_config
     end
@@ -112,15 +141,101 @@ module SymmetricEncryption
     def self.dev_config
       {
         ciphers:
-          [
-            {
-              key:         '1234567890ABCDEF',
-              iv:          '1234567890ABCDEF',
-              cipher_name: 'aes-128-cbc',
-              version:     1
-            }
-          ]
+                 [
+                   {
+                     key:         '1234567890ABCDEF',
+                     iv:          '1234567890ABCDEF',
+                     cipher_name: 'aes-128-cbc',
+                     version:     1
+                   }
+                 ]
       }
     end
+
+    # Returns [Key] by recursively navigating the config tree.
+    #
+    # Supports N level deep key encrypting keys.
+    def self.read_key(key: nil, iv:, key_encrypting_key: nil, cipher_name: 'aes-256-cbc', keystore: nil, version: 0, **args)
+      if key_encrypting_key.is_a?(Hash)
+        # Recurse up the chain returning the parent key_encrypting_key
+        key_encrypting_key = read_key(cipher_name: cipher_name, **key_encrypting_key)
+      end
+
+      unless key
+        keystore_class = keystore ? constantize_symbol(keystore) : keystore_for(args)
+        store          = keystore_class.new(key_encrypting_key: key_encrypting_key, **args)
+        key            = store.read
+      end
+
+      Key.new(key: key, iv: iv, cipher_name: cipher_name)
+    end
+
+    #
+    # Internal use only methods
+    #
+
+    def self.keystore_for(config)
+      if config[:keystore]
+        constantize_symbol(config[:keystore])
+      elsif config[:encrypted_key]
+        Keystore::Memory
+      elsif config[:key_filename]
+        Keystore::File
+      elsif config[:key_env_var]
+        Keystore::Environment
+      else
+        raise(ArgumentError, 'Unknown keystore supplied in config')
+      end
+    end
+
+    def self.constantize_symbol(symbol, namespace = 'SymmetricEncryption::Keystore')
+      klass = "#{namespace}::#{camelize(symbol.to_s)}"
+      begin
+        Object.const_get(klass)
+      rescue NameError
+        raise(ArgumentError, "Keystore: #{symbol.inspect} not found. Looking for: #{klass}")
+      end
+    end
+
+    # Borrow from Rails, when not running Rails
+    def self.camelize(term)
+      string = term.to_s
+      string = string.sub(/^[a-z\d]*/, &:capitalize)
+      string.gsub!(/(?:_|(\/))([a-z\d]*)/i) { "#{Regexp.last_match(1)}#{Regexp.last_match(2).capitalize}" }
+      string.gsub!('/'.freeze, '::'.freeze)
+      string
+    end
+
+    # Migrate a prior config.
+    #
+    # Note:
+    # * The config cannot be saved back to the config file once
+    #   migrated, without generating new Key Encrypting Keys.
+    # * Only run this migration in the target environment so that the
+    #   current key encrypting files are present.
+    def self.migrate_config!(config)
+      # Backward compatibility - Deprecated
+      private_rsa_key = config.delete(:private_rsa_key)
+
+      # Migrate old encrypted_iv
+      if (encrypted_iv = config.delete(:encrypted_iv)) && private_rsa_key
+        encrypted_iv   = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
+        config[:iv]    = ::Base64.decode64(encrypted_iv)
+      end
+
+      # Migrate old iv_filename
+      if (file_name  = config.delete(:iv_filename)) && private_rsa_key
+        encrypted_iv = ::File.read(file_name)
+        config[:iv]  = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
+      end
+
+      # Backward compatibility - Deprecated
+      config[:key_encrypting_key] = RSAKey.new(private_rsa_key) if private_rsa_key
+
+      # Migrate old encrypted_key to new binary format
+      if (encrypted_key        = config[:encrypted_key]) && private_rsa_key
+        config[:encrypted_key] = ::Base64.decode64(encrypted_key)
+      end
+    end
   end
 end

data/lib/symmetric_encryption/railtie.rb

@@ -29,20 +29,25 @@ module SymmetricEncryption #:nodoc:
     config.before_configuration do
       # Check if already configured
       unless ::SymmetricEncryption.cipher?
-        app_name    = Rails::Application.subclasses.first.parent.to_s.underscore
-        config_file = Rails.root.join('config', 'symmetric-encryption.yml')
+        app_name      = Rails::Application.subclasses.first.parent.to_s.underscore
+        config_file   =
+          if (env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG'])
+            Pathname.new File.expand_path(env_var)
+          else
+            Rails.root.join('config', 'symmetric-encryption.yml')
+          end
         if config_file.file?
           begin
             ::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV['SYMMETRIC_ENCRYPTION_ENV'] || Rails.env)
           rescue ArgumentError => exc
             puts "\nSymmetric Encryption not able to read keys."
             puts "#{exc.class.name} #{exc.message}"
-            puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app-name #{app_name}\n\n"
+            puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
             raise(exc)
           end
         else
           puts "\nSymmetric Encryption config not found."
-          puts "To generate a new config file and key files: symmetric-encryption --generate --key-path /etc/#{app_name} --app-name #{app_name}\n\n"
+          puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
         end
       end
     end

data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb

@@ -14,6 +14,7 @@
 class SymmetricEncryptionValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
     return if value.blank? || SymmetricEncryption.encrypted?(value)
+
     record.errors.add(attribute, 'must be a value encrypted using SymmetricEncryption.encrypt')
   end
 end

data/lib/symmetric_encryption/reader.rb

@@ -76,7 +76,7 @@ module SymmetricEncryption
     # Notes:
     # * Do not use this method for reading large files.
     def self.read(file_name_or_stream, **args)
-      self.open(file_name_or_stream, **args, &:read)
+      Reader.open(file_name_or_stream, **args, &:read)
     end
 
     # Decrypt an entire file.
@@ -90,22 +90,10 @@ module SymmetricEncryption
     #   target: [String|IO]
     #     Target file_name or IOStream
     #
-    #   block_size: [Integer]
-    #     Number of bytes to read into memory for each read.
-    #     For very large files using a larger block size is faster.
-    #     Default: 65535
-    #
     # Notes:
     # * The file contents are streamed so that the entire file is _not_ loaded into memory.
-    def self.decrypt(source:, target:, block_size: 65_535, **args)
-      target_ios    = target.is_a?(String) ? ::File.open(target, 'wb') : target
-      bytes_written = 0
-      self.open(source, **args) do |input_ios|
-        bytes_written += target_ios.write(input_ios.read(block_size)) until input_ios.eof?
-      end
-      bytes_written
-    ensure
-      target_ios.close if target_ios&.respond_to?(:closed?) && !target_ios.closed?
+    def self.decrypt(source:, target:, **args)
+      Reader.open(source, **args) { |input_file| IO.copy_stream(input_file, target) }
     end
 
     # Returns [true|false] whether the file or stream contains any data
@@ -132,6 +120,7 @@ module SymmetricEncryption
       @version        = version
       @header_present = false
       @closed         = false
+      @read_buffer    = ''.b
 
       raise(ArgumentError, 'Buffer size cannot be smaller than 128') unless @buffer_size >= 128
 
@@ -170,6 +159,7 @@ module SymmetricEncryption
     # ensure that the encrypted stream is closed before the stream itself is closed
     def close(close_child_stream = true)
       return if closed?
+
       @ios.close if close_child_stream
       @closed = true
     end
@@ -194,35 +184,25 @@ module SymmetricEncryption
     #
     # At end of file, it returns nil if no more data is available, or the last
     # remaining bytes
-    def read(length = nil)
-      data = nil
-      if length
-        return '' if length.zero?
-        return nil if eof?
-        # Read length bytes
-        read_block while (@read_buffer.length < length) && !@ios.eof?
-        if @read_buffer.empty?
-          data = nil
-        elsif @read_buffer.length > length
-          data = @read_buffer.slice!(0..length - 1)
+    def read(length = nil, outbuf = nil)
+      data             = outbuf.to_s.clear
+      remaining_length = length
+
+      until remaining_length == 0 || eof?
+        read_block(remaining_length) if @read_buffer.empty?
+
+        if remaining_length && remaining_length < @read_buffer.length
+          data << @read_buffer.slice!(0, remaining_length)
         else
-          data         = @read_buffer
-          @read_buffer = ''
-        end
-      else
-        # Capture anything already in the buffer
-        data         = @read_buffer
-        @read_buffer = ''
-
-        unless @ios.eof?
-          # Read entire file
-          buf = @ios.read || ''
-          data << @stream_cipher.update(buf) if buf && !buf.empty?
-          data << @stream_cipher.final
+          data << @read_buffer
+          @read_buffer.clear
         end
+
+        remaining_length = length - data.length if length
       end
+
       @pos += data.length
-      data
+      data unless data.empty? && length && length.positive?
     end
 
     # Reads a single decrypted line from the file up to and including the optional sep_string.
@@ -242,12 +222,14 @@ module SymmetricEncryption
       # Read more data until we get the sep_string
       while (index = @read_buffer.index(sep_string)).nil? && !@ios.eof?
         break if length && @read_buffer.length >= length
+
         read_block
       end
       index ||= -1
-      data  = @read_buffer.slice!(0..index)
-      @pos  += data.length
+      data    = @read_buffer.slice!(0..index)
+      @pos   += data.length
       return nil if data.empty? && eof?
+
       data
     end
 
@@ -272,7 +254,7 @@ module SymmetricEncryption
 
     # Rewind back to the beginning of the file
     def rewind
-      @read_buffer = ''
+      @read_buffer.clear
       @ios.rewind
       read_header
     end
@@ -307,10 +289,10 @@ module SymmetricEncryption
         # Read and decrypt entire file a block at a time to get its total
         # unencrypted size
         size = 0
-        until eof
+        until eof?
           read_block
-          size         += @read_buffer.size
-          @read_buffer = ''
+          size += @read_buffer.size
+          @read_buffer.clear
         end
         rewind
         offset = size + amount
@@ -328,7 +310,7 @@ module SymmetricEncryption
       @pos = 0
 
       # Read first block and check for the header
-      buf = @ios.read(@buffer_size)
+      buf = @ios.read(@buffer_size, @output_buffer ||= ''.b)
 
       # Use cipher specified in header, or global cipher if it has no header
       iv, key, cipher_name, cipher = nil
@@ -353,20 +335,30 @@ module SymmetricEncryption
       @stream_cipher.key = key || cipher.send(:key)
       @stream_cipher.iv  = iv || cipher.iv
 
-      # First call to #update should return an empty string anyway
-      if buf && !buf.empty?
-        @read_buffer = @stream_cipher.update(buf)
-        @read_buffer << @stream_cipher.final if @ios.eof?
-      else
-        @read_buffer = ''
-      end
+      decrypt(buf)
     end
 
     # Read a block of data and append the decrypted data in the read buffer
-    def read_block
-      buf = @ios.read(@buffer_size)
-      @read_buffer << @stream_cipher.update(buf) if buf && !buf.empty?
-      @read_buffer << @stream_cipher.final if @ios.eof?
+    def read_block(length = nil)
+      buf = @ios.read(length || @buffer_size, @output_buffer ||= ''.b)
+      decrypt(buf)
+    end
+
+    # Decrypts the given chunk of data and returns the result
+    if defined?(JRuby)
+      def decrypt(buf)
+        return if buf.nil? || buf.empty?
+
+        @read_buffer << @stream_cipher.update(buf)
+        @read_buffer << @stream_cipher.final if @ios.eof?
+      end
+    else
+      def decrypt(buf)
+        return if buf.nil? || buf.empty?
+
+        @read_buffer << @stream_cipher.update(buf, @cipher_buffer ||= ''.b)
+        @read_buffer << @stream_cipher.final if @ios.eof?
+      end
     end
 
     def closed?

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -55,6 +55,7 @@ module SymmetricEncryption
     end
 
     return @@cipher if version.nil? || (@@cipher.version == version)
+
     secondary_ciphers.find { |c| c.version == version } || (@@cipher if version.zero?)
   end
 
@@ -264,7 +265,7 @@ module SymmetricEncryption
   #     encoded_str.end_with?("\n") ? SymmetricEncryption.cipher(0) : SymmetricEncryption.cipher
   #   end
   def self.select_cipher(&block)
-    @@select_cipher = block ? block : nil
+    @@select_cipher = block || nil
   end
 
   # Load the Encryption Configuration from a YAML file