symmetric-encryption 4.1.2 → 4.5.0

data/lib/symmetric_encryption/header.rb

@@ -8,7 +8,7 @@ module SymmetricEncryption
   class Header
     # Encrypted data includes this header prior to encoding when
     # `always_add_header` is true.
-    MAGIC_HEADER      = '@EnC'.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+    MAGIC_HEADER      = "@EnC".force_encoding(SymmetricEncryption::BINARY_ENCODING)
     MAGIC_HEADER_SIZE = MAGIC_HEADER.size
 
     # [true|false] Whether to compress the data before encryption.
@@ -37,7 +37,7 @@ module SymmetricEncryption
     # Returns whether the supplied buffer starts with a symmetric_encryption header
     # Note: The encoding of the supplied buffer is forced to binary if not already binary
     def self.present?(buffer)
-      return false if buffer.nil? || (buffer == '')
+      return false if buffer.nil? || (buffer == "")
 
       buffer.force_encoding(SymmetricEncryption::BINARY_ENCODING)
       buffer.start_with?(MAGIC_HEADER)
@@ -122,7 +122,7 @@ module SymmetricEncryption
     #
     # Returns 0 if no header is present
     def parse(buffer, offset = 0)
-      return 0 if buffer.nil? || (buffer == '') || (buffer.length <= MAGIC_HEADER_SIZE + 2)
+      return 0 if buffer.nil? || (buffer == "") || (buffer.length <= MAGIC_HEADER_SIZE + 2)
 
       # Symmetric Encryption Header
       #
@@ -153,7 +153,7 @@ module SymmetricEncryption
 
       # Remove header and extract flags
       self.version = buffer.getbyte(offset)
-      offset      += 1
+      offset += 1
 
       unless cipher
         raise(
@@ -162,34 +162,34 @@ module SymmetricEncryption
         )
       end
 
-      flags   = buffer.getbyte(offset)
+      flags = buffer.getbyte(offset)
       offset += 1
 
       self.compress = (flags & FLAG_COMPRESSED) != 0
 
-      if (flags & FLAG_IV) != 0
-        self.iv, offset = read_string(buffer, offset)
-      else
+      if (flags & FLAG_IV).zero?
         self.iv = nil
+      else
+        self.iv, offset = read_string(buffer, offset)
       end
 
-      if (flags & FLAG_KEY) != 0
+      if (flags & FLAG_KEY).zero?
+        self.key = nil
+      else
         encrypted_key, offset = read_string(buffer, offset)
         self.key              = cipher.binary_decrypt(encrypted_key)
-      else
-        self.key = nil
       end
 
-      if (flags & FLAG_CIPHER_NAME) != 0
-        self.cipher_name, offset = read_string(buffer, offset)
-      else
+      if (flags & FLAG_CIPHER_NAME).zero?
         self.cipher_name = nil
+      else
+        self.cipher_name, offset = read_string(buffer, offset)
       end
 
-      if (flags & FLAG_AUTH_TAG) != 0
-        self.auth_tag, offset = read_string(buffer, offset)
-      else
+      if (flags & FLAG_AUTH_TAG).zero?
         self.auth_tag = nil
+      else
+        self.auth_tag, offset = read_string(buffer, offset)
       end
 
       offset
@@ -197,7 +197,7 @@ module SymmetricEncryption
 
     # Returns [String] this header as a string
     def to_s
-      flags  = 0
+      flags = 0
       flags |= FLAG_COMPRESSED if compressed?
       flags |= FLAG_IV if iv
       flags |= FLAG_KEY if key
@@ -207,23 +207,23 @@ module SymmetricEncryption
       header = "#{MAGIC_HEADER}#{version.chr(SymmetricEncryption::BINARY_ENCODING)}#{flags.chr(SymmetricEncryption::BINARY_ENCODING)}"
 
       if iv
-        header << [iv.length].pack('v')
+        header << [iv.length].pack("v")
         header << iv
       end
 
       if key
         encrypted = cipher.binary_encrypt(key, header: false)
-        header << [encrypted.length].pack('v')
+        header << [encrypted.length].pack("v")
         header << encrypted
       end
 
       if cipher_name
-        header << [cipher_name.length].pack('v')
+        header << [cipher_name.length].pack("v")
         header << cipher_name
       end
 
       if auth_tag
-        header << [auth_tag.length].pack('v')
+        header << [auth_tag.length].pack("v")
         header << auth_tag
       end
 
@@ -258,9 +258,9 @@ module SymmetricEncryption
       #   Exception when
       #   - offset exceeds length of buffer
       #   byteslice truncates when too long, but returns nil when start is beyond end of buffer
-      len     = buffer.byteslice(offset, 2).unpack('v').first
+      len = buffer.byteslice(offset, 2).unpack("v").first
       offset += 2
-      out     = buffer.byteslice(offset, len)
+      out = buffer.byteslice(offset, len)
       [out, offset + len]
     end
   end

data/lib/symmetric_encryption/key.rb

@@ -3,7 +3,7 @@ module SymmetricEncryption
   class Key
     attr_reader :key, :iv, :cipher_name
 
-    def initialize(key: :random, iv: :random, cipher_name: 'aes-256-cbc')
+    def initialize(key: :random, iv: :random, cipher_name: "aes-256-cbc")
       @key         = key == :random ? ::OpenSSL::Cipher.new(cipher_name).random_key : key
       @iv          = iv == :random ? ::OpenSSL::Cipher.new(cipher_name).random_iv : iv
       @cipher_name = cipher_name

data/lib/symmetric_encryption/keystore/aws.rb

@@ -1,5 +1,4 @@
-require 'base64'
-require 'aws-sdk-kms'
+require "aws-sdk-kms"
 module SymmetricEncryption
   module Keystore
     # Support AWS Key Management Service (KMS)
@@ -51,6 +50,8 @@ module SymmetricEncryption
     #     - Loss of access to AWS accounts.
     #     - Loss of region(s) in which master keys are stored.
     class Aws
+      include Utils::Files
+
       attr_reader :region, :key_files, :master_key_alias
 
       # Returns [Hash] a new keystore configuration after generating the data key.
@@ -69,24 +70,20 @@ module SymmetricEncryption
       #                ],
       #   iv:          'T80pYzD0E6e/bJCdjZ6TiQ=='
       # }
-      def self.generate_data_key(version: 0,
+      def self.generate_data_key(cipher_name:, app_name:, environment:, key_path:, version: 0,
                                  regions: Utils::Aws::AWS_US_REGIONS,
                                  dek: nil,
-                                 cipher_name:,
-                                 app_name:,
-                                 environment:,
-                                 key_path:,
-                                 **args)
+                                 **_args)
 
         # TODO: Also support generating environment variables instead of files.
 
         version >= 255 ? (version = 1) : (version += 1)
-        regions                   = Array(regions).dup
+        regions = Array(regions).dup
 
         master_key_alias = master_key_alias(app_name, environment)
 
         # File per region for holding the encrypted data key
-        key_files   = regions.collect do |region|
+        key_files = regions.collect do |region|
           file_name = "#{app_name}_#{environment}_#{region}_v#{version}.encrypted_key"
           {region: region, file_name: ::File.join(key_path, file_name)}
         end
@@ -115,12 +112,13 @@ module SymmetricEncryption
 
       # Stores the Encryption key in a file.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(region: nil, key_files:, master_key_alias:, key_encrypting_key: nil)
+      def initialize(key_files:, master_key_alias:, region: nil, key_encrypting_key: nil)
         @key_files        = key_files
         @master_key_alias = master_key_alias
-        @region           = region || ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || ::Aws.config[:region]
+        @region           = region || ENV["AWS_REGION"] || ENV["AWS_DEFAULT_REGION"] || ::Aws.config[:region]
         if key_encrypting_key
-          raise(SymmetricEncryption::ConfigError, 'AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key')
+          raise(SymmetricEncryption::ConfigError,
+                "AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key")
         end
       end
 
@@ -131,13 +129,8 @@ module SymmetricEncryption
         raise(SymmetricEncryption::ConfigError, "region: #{region} not available in the supplied key_files") unless key_file
 
         file_name = key_file[:file_name]
-        raise(SymmetricEncryption::ConfigError, 'file_name is mandatory for each key_file entry') unless file_name
-
-        raise(SymmetricEncryption::ConfigError, "File #{file_name} could not be found") unless ::File.exist?(file_name)
 
-        # TODO: Validate that file is not globally readable.
-        encoded_dek        = ::File.open(file_name, 'rb', &:read)
-        encrypted_data_key = Base64.strict_decode64(encoded_dek)
+        encrypted_data_key = read_file_and_decode(file_name)
         aws(region).decrypt(encrypted_data_key)
       end
 
@@ -147,27 +140,16 @@ module SymmetricEncryption
           region    = key_file[:region]
           file_name = key_file[:file_name]
 
-          raise(ArgumentError, 'region and file_name are mandatory for each key_file entry') unless region && file_name
+          raise(ArgumentError, "region and file_name are mandatory for each key_file entry") unless region && file_name
 
           encrypted_data_key = aws(region).encrypt(data_key)
-          encoded_dek        = Base64.strict_encode64(encrypted_data_key)
-          write_to_file(file_name, encoded_dek)
+          write_encoded_to_file(file_name, encrypted_data_key)
         end
       end
 
       def aws(region)
         Utils::Aws.new(region: region, master_key_alias: master_key_alias)
       end
-
-      private
-
-      # Write to the supplied file_name, backing up the existing file if present
-      def write_to_file(file_name, data)
-        path = ::File.dirname(file_name)
-        ::FileUtils.mkdir_p(path) unless ::File.directory?(path)
-        ::File.rename(file_name, "#{file_name}.#{Time.now.to_i}") if ::File.exist?(file_name)
-        ::File.open(file_name, 'wb') { |file| file.write(data) }
-      end
     end
   end
 end

data/lib/symmetric_encryption/keystore/environment.rb

@@ -7,13 +7,13 @@ module SymmetricEncryption
       # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
-        key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr('-', '_')
+        key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr("-", "_")
         new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)
 
         {
@@ -50,9 +50,9 @@ module SymmetricEncryption
       def write(key)
         encrypted_key = key_encrypting_key.encrypt(key)
         puts "\n\n********************************************************************************"
-        puts 'Set the environment variable as follows:'
+        puts "Set the environment variable as follows:"
         puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
-        puts '********************************************************************************'
+        puts "********************************************************************************"
       end
 
       private

data/lib/symmetric_encryption/keystore/file.rb

@@ -1,16 +1,19 @@
 module SymmetricEncryption
   module Keystore
     class File
+      include Utils::Files
+      ALLOWED_PERMISSIONS = %w[100600 100400].freeze
+
       attr_accessor :file_name, :key_encrypting_key
 
       # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
@@ -45,34 +48,48 @@ module SymmetricEncryption
 
       # Returns the Encryption key in the clear.
       def read
-        # TODO: Validate that file is not globally readable.
-        raise(SymmetricEncryption::ConfigError, "Symmetric Encryption key file: '#{file_name}' not found") unless ::File.exist?(file_name)
+        unless ::File.exist?(file_name)
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file: '#{file_name}' not found")
+        end
+        unless correct_permissions?
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file '#{file_name}' has the wrong "\
+                "permissions: #{::File.stat(file_name).mode.to_s(8)}. Expected 100600 or 100400.")
+        end
+        unless owned?
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file '#{file_name}' has the wrong "\
+                "owner (#{stat.uid}) or group (#{stat.gid}). "\
+                "Expected it to be owned by current user "\
+                "#{ENV['USER'] || ENV['USERNAME']}.")
+        end
 
-        data = read_from_file
+        data = read_from_file(file_name)
         key_encrypting_key ? key_encrypting_key.decrypt(data) : data
       end
 
       # Encrypt and write the key to file.
       def write(key)
         data = key_encrypting_key ? key_encrypting_key.encrypt(key) : key
-        write_to_file(data)
+        write_to_file(file_name, data)
       end
 
       private
 
-      # Read from the file, raising an exception if it is not found
-      def read_from_file
-        ::File.open(file_name, 'rb', &:read)
-      rescue Errno::ENOENT
-        raise(SymmetricEncryption::ConfigError, "Symmetric Encryption key file: '#{file_name}' not found or readable")
+      # Returns true if the file is owned by the user running this code and it
+      # has the correct mode - readable and writable by its owner and no one
+      # else, much like the keys one has in ~/.ssh
+      def correct_permissions?
+        ALLOWED_PERMISSIONS.include?(stat.mode.to_s(8))
+      end
+
+      def owned?
+        stat.owned?
       end
 
-      # Write to the supplied file_name, backing up the existing file if present
-      def write_to_file(data)
-        key_path = ::File.dirname(file_name)
-        ::FileUtils.mkdir_p(key_path) unless ::File.directory?(key_path)
-        ::File.rename(file_name, "#{file_name}.#{Time.now.to_i}") if ::File.exist?(file_name)
-        ::File.open(file_name, 'wb') { |file| file.write(data) }
+      def stat
+        ::File.stat(file_name)
       end
     end
   end

data/lib/symmetric_encryption/keystore/gcp.rb

@@ -0,0 +1,90 @@
+require "google/cloud/kms/v1"
+
+module SymmetricEncryption
+  module Keystore
+    class Gcp
+      include Utils::Files
+
+      def self.generate_data_key(cipher_name:, app_name:, environment:, key_path:, version: 0)
+        version >= 255 ? (version = 1) : (version += 1)
+
+        dek       = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        file_name = "#{key_path}/#{app_name}_#{environment}_v#{version}.encrypted_key"
+        keystore  = new(
+          key_file:    file_name,
+          app_name:    app_name,
+          environment: environment
+        )
+        keystore.write(dek.key)
+
+        {
+          keystore:    :gcp,
+          cipher_name: dek.cipher_name,
+          version:     version,
+          key_file:    file_name,
+          iv:          dek.iv,
+          crypto_key:  keystore.crypto_key
+        }
+      end
+
+      def initialize(key_file:, app_name: nil, environment: nil, key_encrypting_key: nil, crypto_key: nil, project_id: nil, credentials: nil, location_id: nil)
+        @crypto_key  = crypto_key
+        @app_name    = app_name
+        @environment = environment
+        @file_name   = key_file
+        @project_id  = project_id
+        @credentials = credentials
+        @location_id = location_id
+      end
+
+      def read
+        decrypt(read_file_and_decode(file_name))
+      end
+
+      def write(data_key)
+        write_encoded_to_file(file_name, encrypt(data_key))
+      end
+
+      def crypto_key
+        @crypto_key ||= self.class::KMS::KeyManagementServiceClient.crypto_key_path(project_id, location_id, app_name,
+                                                                                    environment.to_s)
+      end
+
+      private
+
+      KMS = Google::Cloud::Kms::V1
+
+      attr_reader :app_name, :environment
+
+      def encrypt(plaintext)
+        client.encrypt(crypto_key, plaintext).ciphertext
+      end
+
+      def decrypt(ciphertext)
+        client.decrypt(crypto_key, ciphertext).plaintext
+      end
+
+      def client
+        self.class::KMS::KeyManagementServiceClient.new(timeout: 2, credentials: credentials)
+      end
+
+      def project_id
+        @project_id ||= ENV["GOOGLE_CLOUD_PROJECT"]
+        raise "GOOGLE_CLOUD_PROJECT must be set" if @project_id.nil?
+
+        @project_id
+      end
+
+      def credentials
+        @credentials ||= ENV["GOOGLE_CLOUD_KEYFILE"]
+        raise "GOOGLE_CLOUD_KEYFILE must be set" if @credentials.nil?
+
+        @credentials
+      end
+
+      def location_id
+        @location_id ||= ENV["GOOGLE_CLOUD_LOCATION"] || "global"
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/keystore/heroku.rb

@@ -15,7 +15,7 @@ module SymmetricEncryption
         puts "\n\n********************************************************************************"
         puts "Add the environment key to Heroku:\n\n"
         puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
-        puts '********************************************************************************'
+        puts "********************************************************************************"
       end
     end
   end

data/lib/symmetric_encryption/keystore/memory.rb

@@ -12,10 +12,10 @@ module SymmetricEncryption
       # Notes:
       # * For development and testing purposes only!!
       # * Never store the encrypted encryption key in the source code / config file.
-      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         encrypted_key = new(key_encrypting_key: kek).write(dek.key)
@@ -35,7 +35,7 @@ module SymmetricEncryption
 
       # Stores the Encryption key in a string.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(encrypted_key: nil, key_encrypting_key:)
+      def initialize(key_encrypting_key:, encrypted_key: nil)
         @encrypted_key      = encrypted_key
         @key_encrypting_key = key_encrypting_key
       end

data/lib/symmetric_encryption/keystore.rb

@@ -2,11 +2,12 @@ module SymmetricEncryption
   # Encryption keys are secured in Keystores
   module Keystore
     # @formatter:off
-    autoload :Aws,         'symmetric_encryption/keystore/aws'
-    autoload :Environment, 'symmetric_encryption/keystore/environment'
-    autoload :File,        'symmetric_encryption/keystore/file'
-    autoload :Heroku,      'symmetric_encryption/keystore/heroku'
-    autoload :Memory,      'symmetric_encryption/keystore/memory'
+    autoload :Aws,         "symmetric_encryption/keystore/aws"
+    autoload :Environment, "symmetric_encryption/keystore/environment"
+    autoload :Gcp,         "symmetric_encryption/keystore/gcp"
+    autoload :File,        "symmetric_encryption/keystore/file"
+    autoload :Heroku,      "symmetric_encryption/keystore/heroku"
+    autoload :Memory,      "symmetric_encryption/keystore/memory"
     # @formatter:on
 
     # Returns [Hash] a new keystore configuration after generating data keys for each environment.
@@ -55,7 +56,7 @@ module SymmetricEncryption
     # Notes:
     # * iv_filename is no longer supported and is removed when creating a new random cipher.
     #     * `iv` does not need to be encrypted and is included in the clear.
-    def self.rotate_keys!(full_config, environments: [], app_name:, rolling_deploy: false, keystore: nil)
+    def self.rotate_keys!(full_config, app_name:, environments: [], rolling_deploy: false, keystore: nil)
       full_config.each_pair do |environment, cfg|
         # Only rotate keys for specified environments. Default, all
         next if !environments.empty? && !environments.include?(environment.to_sym)
@@ -68,7 +69,7 @@ module SymmetricEncryption
         # Only generate new keys for keystore's that have a key encrypting key
         next unless config[:key_encrypting_key] || config[:private_rsa_key]
 
-        cipher_name = config[:cipher_name] || 'aes-256-cbc'
+        cipher_name = config[:cipher_name] || "aes-256-cbc"
 
         keystore_class = keystore ? constantize_symbol(keystore) : keystore_for(config)
 
@@ -79,7 +80,7 @@ module SymmetricEncryption
           environment: environment
         }
         args[:key_path] = ::File.dirname(config[:key_filename]) if config.key?(:key_filename)
-        new_data_key    = keystore_class.generate_data_key(args)
+        new_data_key    = keystore_class.generate_data_key(**args)
 
         # Add as second key so that key can be published now and only used in a later deploy.
         if rolling_deploy
@@ -94,7 +95,7 @@ module SymmetricEncryption
     # Rotates just the key encrypting keys for the current cipher version.
     # The existing data encryption key is not changed, it is secured using the
     # new key encrypting keys.
-    def self.rotate_key_encrypting_keys!(full_config, environments: [], app_name:)
+    def self.rotate_key_encrypting_keys!(full_config, app_name:, environments: [])
       full_config.each_pair do |environment, cfg|
         # Only rotate keys for specified environments. Default, all
         next if !environments.empty? && !environments.include?(environment.to_sym)
@@ -104,7 +105,7 @@ module SymmetricEncryption
         # Only generate new keys for keystore's that have a key encrypting key
         next unless config[:key_encrypting_key]
 
-        version  = config.delete(:version) || 1
+        version = config.delete(:version) || 1
         version -= 1
 
         always_add_header = config.delete(:always_add_header)
@@ -143,9 +144,9 @@ module SymmetricEncryption
         ciphers:
                  [
                    {
-                     key:         '1234567890ABCDEF',
-                     iv:          '1234567890ABCDEF',
-                     cipher_name: 'aes-128-cbc',
+                     key:         "1234567890ABCDEF",
+                     iv:          "1234567890ABCDEF",
+                     cipher_name: "aes-128-cbc",
                      version:     1
                    }
                  ]
@@ -155,7 +156,7 @@ module SymmetricEncryption
     # Returns [Key] by recursively navigating the config tree.
     #
     # Supports N level deep key encrypting keys.
-    def self.read_key(key: nil, iv:, key_encrypting_key: nil, cipher_name: 'aes-256-cbc', keystore: nil, version: 0, **args)
+    def self.read_key(iv:, key: nil, key_encrypting_key: nil, cipher_name: "aes-256-cbc", keystore: nil, version: 0, **args)
       if key_encrypting_key.is_a?(Hash)
         # Recurse up the chain returning the parent key_encrypting_key
         key_encrypting_key = read_key(cipher_name: cipher_name, **key_encrypting_key)
@@ -184,11 +185,11 @@ module SymmetricEncryption
       elsif config[:key_env_var]
         Keystore::Environment
       else
-        raise(ArgumentError, 'Unknown keystore supplied in config')
+        raise(ArgumentError, "Unknown keystore supplied in config")
       end
     end
 
-    def self.constantize_symbol(symbol, namespace = 'SymmetricEncryption::Keystore')
+    def self.constantize_symbol(symbol, namespace = "SymmetricEncryption::Keystore")
       klass = "#{namespace}::#{camelize(symbol.to_s)}"
       begin
         Object.const_get(klass)
@@ -201,8 +202,8 @@ module SymmetricEncryption
     def self.camelize(term)
       string = term.to_s
       string = string.sub(/^[a-z\d]*/, &:capitalize)
-      string.gsub!(/(?:_|(\/))([a-z\d]*)/i) { "#{Regexp.last_match(1)}#{Regexp.last_match(2).capitalize}" }
-      string.gsub!('/'.freeze, '::'.freeze)
+      string.gsub!(%r{(?:_|(/))([a-z\d]*)}i) { "#{Regexp.last_match(1)}#{Regexp.last_match(2).capitalize}" }
+      string.gsub!("/".freeze, "::".freeze)
       string
     end
 
@@ -219,12 +220,12 @@ module SymmetricEncryption
 
       # Migrate old encrypted_iv
       if (encrypted_iv = config.delete(:encrypted_iv)) && private_rsa_key
-        encrypted_iv   = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
-        config[:iv]    = ::Base64.decode64(encrypted_iv)
+        encrypted_iv = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
+        config[:iv]  = ::Base64.decode64(encrypted_iv)
       end
 
       # Migrate old iv_filename
-      if (file_name  = config.delete(:iv_filename)) && private_rsa_key
+      if (file_name = config.delete(:iv_filename)) && private_rsa_key
         encrypted_iv = ::File.read(file_name)
         config[:iv]  = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
       end
@@ -233,7 +234,7 @@ module SymmetricEncryption
       config[:key_encrypting_key] = RSAKey.new(private_rsa_key) if private_rsa_key
 
       # Migrate old encrypted_key to new binary format
-      if (encrypted_key        = config[:encrypted_key]) && private_rsa_key
+      if (encrypted_key = config[:encrypted_key]) && private_rsa_key
         config[:encrypted_key] = ::Base64.decode64(encrypted_key)
       end
     end

data/lib/symmetric_encryption/railtie.rb

@@ -14,8 +14,8 @@ module SymmetricEncryption #:nodoc:
     #   end
     config.symmetric_encryption = ::SymmetricEncryption
 
-    # Initialize Symmetry. This will look for a symmetry.yml in the config
-    # directory and configure Symmetry appropriately.
+    # Initialize Symmetric Encryption. This will look for a symmetric-encryption.yml in the config
+    # directory and configure Symmetric Encryption appropriately.
     #
     # @example symmetric-encryption.yml
     #
@@ -29,26 +29,27 @@ module SymmetricEncryption #:nodoc:
     config.before_configuration do
       # Check if already configured
       unless ::SymmetricEncryption.cipher?
-        app_name      = Rails::Application.subclasses.first.parent.to_s.underscore
+        parent_method = Module.method_defined?(:module_parent) ? "module_parent" : "parent"
+        app_name      = Rails::Application.subclasses.first.send(parent_method).to_s.underscore
+        env_var       = ENV["SYMMETRIC_ENCRYPTION_CONFIG"]
         config_file   =
-          if (env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG'])
-            Pathname.new File.expand_path(env_var)
+          if env_var
+            Pathname.new(File.expand_path(env_var))
           else
-            Rails.root.join('config', 'symmetric-encryption.yml')
+            Rails.root.join("config", "symmetric-encryption.yml")
           end
+
         if config_file.file?
           begin
-            ::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV['SYMMETRIC_ENCRYPTION_ENV'] || Rails.env)
-          rescue ArgumentError => exc
+            ::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV["SYMMETRIC_ENCRYPTION_ENV"] || Rails.env)
+          rescue ArgumentError => e
             puts "\nSymmetric Encryption not able to read keys."
-            puts "#{exc.class.name} #{exc.message}"
+            puts "#{e.class.name} #{e.message}"
             puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
-            raise(exc)
+            raise(e)
           end
-        else
-          puts "\nSymmetric Encryption config not found."
-          puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
         end
+
       end
     end
   end