symmetric-encryption 4.1.2 → 4.5.0

data/lib/symmetric_encryption/{extensions/mongoid/encrypted.rb → railties/mongoid_encrypted.rb}

@@ -1,4 +1,4 @@
-require 'mongoid'
+require "mongoid"
 # Add :encrypted option for Mongoid models
 #
 # Example:
@@ -95,12 +95,13 @@ Mongoid::Fields.option :encrypted do |model, field, options|
 
     # Support overriding the name of the decrypted attribute
     decrypted_field_name = options.delete(:decrypt_as)
-    if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?('encrypted_')
-      decrypted_field_name = encrypted_field_name.to_s['encrypted_'.length..-1]
+    if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?("encrypted_")
+      decrypted_field_name = encrypted_field_name.to_s["encrypted_".length..-1]
     end
 
     if decrypted_field_name.nil?
-      raise(ArgumentError, "SymmetricEncryption for Mongoid. Encryption enabled for field #{encrypted_field_name}. It must either start with 'encrypted_' or the option :decrypt_as must be supplied")
+      raise(ArgumentError,
+            "SymmetricEncryption for Mongoid. Encryption enabled for field #{encrypted_field_name}. It must either start with 'encrypted_' or the option :decrypt_as must be supplied")
     end
 
     SymmetricEncryption::Generator.generate_decrypted_accessors(model, decrypted_field_name, encrypted_field_name, options)

data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb

@@ -15,6 +15,6 @@ class SymmetricEncryptionValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
     return if value.blank? || SymmetricEncryption.encrypted?(value)
 
-    record.errors.add(attribute, 'must be a value encrypted using SymmetricEncryption.encrypt')
+    record.errors.add(attribute, "must be a value encrypted using SymmetricEncryption.encrypt")
   end
 end

data/lib/symmetric_encryption/reader.rb

@@ -1,4 +1,4 @@
-require 'openssl'
+require "openssl"
 
 module SymmetricEncryption
   # Read from encrypted files and other IO streams
@@ -60,7 +60,7 @@ module SymmetricEncryption
     #   csv.close if csv
     # end
     def self.open(file_name_or_stream, buffer_size: 16_384, **args, &block)
-      ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream, 'rb') : file_name_or_stream
+      ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream, "rb") : file_name_or_stream
 
       begin
         file = new(ios, buffer_size: buffer_size, **args)
@@ -104,7 +104,7 @@ module SymmetricEncryption
 
     # Returns [true|false] whether the file contains the encryption header
     def self.header_present?(file_name)
-      ::File.open(file_name, 'rb') { |file| new(file).header_present? }
+      ::File.open(file_name, "rb") { |file| new(file).header_present? }
     end
 
     # After opening a file Returns [true|false] whether the file being
@@ -120,9 +120,9 @@ module SymmetricEncryption
       @version        = version
       @header_present = false
       @closed         = false
-      @read_buffer    = ''.b
+      @read_buffer    = "".b
 
-      raise(ArgumentError, 'Buffer size cannot be smaller than 128') unless @buffer_size >= 128
+      raise(ArgumentError, "Buffer size cannot be smaller than 128") unless @buffer_size >= 128
 
       read_header
     end
@@ -185,10 +185,10 @@ module SymmetricEncryption
     # At end of file, it returns nil if no more data is available, or the last
     # remaining bytes
     def read(length = nil, outbuf = nil)
-      data             = outbuf.to_s.clear
+      data             = outbuf.nil? ? "" : outbuf.clear
       remaining_length = length
 
-      until remaining_length == 0 || eof?
+      until remaining_length&.zero? || eof?
         read_block(remaining_length) if @read_buffer.empty?
 
         if remaining_length && remaining_length < @read_buffer.length
@@ -209,7 +209,7 @@ module SymmetricEncryption
     # Raises EOFError on eof
     # The stream must be opened for reading or an IOError will be raised.
     def readline(sep_string = "\n")
-      gets(sep_string) || raise(EOFError, 'End of file reached when trying to read a line')
+      gets(sep_string) || raise(EOFError, "End of file reached when trying to read a line")
     end
 
     # Reads a single decrypted line from the file up to and including the optional sep_string.
@@ -226,8 +226,8 @@ module SymmetricEncryption
         read_block
       end
       index ||= -1
-      data    = @read_buffer.slice!(0..index)
-      @pos   += data.length
+      data = @read_buffer.slice!(0..index)
+      @pos += data.length
       return nil if data.empty? && eof?
 
       data
@@ -310,7 +310,7 @@ module SymmetricEncryption
       @pos = 0
 
       # Read first block and check for the header
-      buf = @ios.read(@buffer_size, @output_buffer ||= ''.b)
+      buf = @ios.read(@buffer_size, @output_buffer ||= "".b)
 
       # Use cipher specified in header, or global cipher if it has no header
       iv, key, cipher_name, cipher = nil
@@ -340,7 +340,7 @@ module SymmetricEncryption
 
     # Read a block of data and append the decrypted data in the read buffer
     def read_block(length = nil)
-      buf = @ios.read(length || @buffer_size, @output_buffer ||= ''.b)
+      buf = @ios.read(length || @buffer_size, @output_buffer ||= "".b)
       decrypt(buf)
     end
 
@@ -356,7 +356,7 @@ module SymmetricEncryption
       def decrypt(buf)
         return if buf.nil? || buf.empty?
 
-        @read_buffer << @stream_cipher.update(buf, @cipher_buffer ||= ''.b)
+        @read_buffer << @stream_cipher.update(buf, @cipher_buffer ||= "".b)
         @read_buffer << @stream_cipher.final if @ios.eof?
       end
     end

data/lib/symmetric_encryption/rsa_key.rb

@@ -1,4 +1,4 @@
-require 'openssl'
+require "openssl"
 module SymmetricEncryption
   # DEPRECATED - Internal use only
   class RSAKey

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -1,18 +1,13 @@
-require 'base64'
-require 'openssl'
-require 'zlib'
-require 'yaml'
-require 'erb'
+require "base64"
+require "openssl"
+require "zlib"
+require "yaml"
+require "erb"
 
 # Encrypt using 256 Bit AES CBC symmetric key and initialization vector
 # The symmetric key is protected using the private key below and must
 # be distributed separately from the application
 module SymmetricEncryption
-  # Defaults
-  @@cipher            = nil
-  @@secondary_ciphers = []
-  @@select_cipher     = nil
-
   # List of types supported when encrypting or decrypting data
   #
   # Each type maps to the built-in Ruby types as follows:
@@ -37,9 +32,11 @@ module SymmetricEncryption
   #     cipher: 'aes-128-cbc'
   #   )
   def self.cipher=(cipher)
-    raise(ArgumentError, 'Cipher must respond to :encrypt and :decrypt') unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
+    unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
+      raise(ArgumentError, "Cipher must respond to :encrypt and :decrypt")
+    end
 
-    @@cipher = cipher
+    @cipher = cipher
   end
 
   # Returns the Primary Symmetric Cipher being used
@@ -50,33 +47,46 @@ module SymmetricEncryption
     unless cipher?
       raise(
         SymmetricEncryption::ConfigError,
-        'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data'
+        "Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data"
       )
     end
 
-    return @@cipher if version.nil? || (@@cipher.version == version)
+    return @cipher if version.nil? || (@cipher.version == version)
 
-    secondary_ciphers.find { |c| c.version == version } || (@@cipher if version.zero?)
+    secondary_ciphers.find { |c| c.version == version } || (@cipher if version.zero?)
   end
 
   # Returns whether a primary cipher has been set
   def self.cipher?
-    !@@cipher.nil?
+    !@cipher.nil?
   end
 
   # Set the Secondary Symmetric Ciphers Array to be used
   def self.secondary_ciphers=(secondary_ciphers)
-    raise(ArgumentError, 'secondary_ciphers must be a collection') unless secondary_ciphers.respond_to? :each
+    raise(ArgumentError, "secondary_ciphers must be a collection") unless secondary_ciphers.respond_to? :each
 
     secondary_ciphers.each do |cipher|
-      raise(ArgumentError, 'secondary_ciphers can only consist of SymmetricEncryption::Ciphers') unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt)
+      unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt)
+        raise(ArgumentError, "secondary_ciphers can only consist of SymmetricEncryption::Ciphers")
+      end
     end
-    @@secondary_ciphers = secondary_ciphers
+    @secondary_ciphers = secondary_ciphers
   end
 
   # Returns the Primary Symmetric Cipher being used
   def self.secondary_ciphers
-    @@secondary_ciphers
+    @secondary_ciphers
+  end
+
+  # Whether to randomize the iv by default.
+  # true: Generate a new random IV by default. [HIGHLY RECOMMENDED]
+  # false: Do not generate a new random IV by default.
+  def self.randomize_iv?
+    @randomize_iv
+  end
+
+  def self.randomize_iv=(randomize_iv)
+    @randomize_iv = randomize_iv
   end
 
   # Decrypt supplied string.
@@ -115,7 +125,7 @@ module SymmetricEncryption
   #       the incorrect key. Clearly the data returned is garbage, but it still
   #       successfully returns a string of data
   def self.decrypt(encrypted_and_encoded_string, version: nil, type: :string)
-    return encrypted_and_encoded_string if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == '')
+    return encrypted_and_encoded_string if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == "")
 
     str = encrypted_and_encoded_string.to_s
 
@@ -133,9 +143,9 @@ module SymmetricEncryption
           if version
             # Supplied version takes preference
             cipher(version)
-          elsif @@select_cipher
+          elsif @select_cipher
             # Use cipher_selector if present to decide which cipher to use
-            @@select_cipher.call(str, decoded)
+            @select_cipher.call(str, decoded)
           else
             # Global cipher
             cipher
@@ -144,14 +154,16 @@ module SymmetricEncryption
       end
 
     # Try to force result to UTF-8 encoding, but if it is not valid, force it back to Binary
-    decrypted.force_encoding(SymmetricEncryption::BINARY_ENCODING) unless decrypted.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
+    unless decrypted.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
+      decrypted.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+    end
     Coerce.coerce_from_string(decrypted, type)
   end
 
   # Returns the header for the encrypted string
   # Returns [nil] if no header is present
   def self.header(encrypted_and_encoded_string)
-    return if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == '')
+    return if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == "")
 
     # Decode before decrypting supplied string
     decoded = cipher.encoder.decode(encrypted_and_encoded_string.to_s)
@@ -172,10 +184,12 @@ module SymmetricEncryption
   #     to convert it to a string
   #
   #   random_iv [true|false]
-  #     Whether the encypted value should use a random IV every time the
-  #     field is encrypted.
-  #     It is recommended to set this to true where feasible. If the encrypted
-  #     value could be used as part of a SQL where clause, or as part
+  #     Mandatory unless `SymmetricEncryption.randomize_iv = true` has been called.
+  #
+  #     Whether the encrypted value should use a random IV every time the field is encrypted.
+  #     It is recommended to set this to true where possible.
+  #
+  #     If the encrypted value could be used as part of a SQL where clause, or as part
   #     of any lookup, then it must be false.
   #     Setting random_iv to true will result in a different encrypted output for
   #     the same input string.
@@ -203,8 +217,8 @@ module SymmetricEncryption
   #     Note: If type is set to something other than :string, it's expected that
   #       the coercible gem is available in the path.
   #     Default: :string
-  def self.encrypt(str, random_iv: false, compress: false, type: :string, header: cipher.always_add_header)
-    return str if str.nil? || (str == '')
+  def self.encrypt(str, random_iv: SymmetricEncryption.randomize_iv?, compress: false, type: :string, header: cipher.always_add_header)
+    return str if str.nil? || (str == "")
 
     # Encrypt and then encode the supplied string
     cipher.encrypt(Coerce.coerce_to_string(str, type), random_iv: random_iv, compress: compress, header: header)
@@ -233,7 +247,7 @@ module SymmetricEncryption
   # * This method only works reliably when the encrypted data includes the symmetric encryption header.
   # * nil and '' are considered "encrypted" so that validations do not blow up on empty values.
   def self.encrypted?(encrypted_data)
-    return false if encrypted_data.nil? || (encrypted_data == '')
+    return false if encrypted_data.nil? || (encrypted_data == "")
 
     @header ||= SymmetricEncryption.cipher.encoded_magic_header
     encrypted_data.to_s.start_with?(@header)
@@ -265,7 +279,7 @@ module SymmetricEncryption
   #     encoded_str.end_with?("\n") ? SymmetricEncryption.cipher(0) : SymmetricEncryption.cipher
   #   end
   def self.select_cipher(&block)
-    @@select_cipher = block || nil
+    @select_cipher = block || nil
   end
 
   # Load the Encryption Configuration from a YAML file
@@ -282,10 +296,16 @@ module SymmetricEncryption
 
   # Generate a Random password
   def self.random_password(size = 22)
-    require 'securerandom' unless defined?(SecureRandom)
+    require "securerandom" unless defined?(SecureRandom)
     SecureRandom.urlsafe_base64(size)
   end
 
-  BINARY_ENCODING = Encoding.find('binary')
-  UTF8_ENCODING   = Encoding.find('UTF-8')
+  BINARY_ENCODING = Encoding.find("binary")
+  UTF8_ENCODING   = Encoding.find("UTF-8")
+
+  # Defaults
+  @cipher            = nil
+  @secondary_ciphers = []
+  @select_cipher     = nil
+  @randomize_iv      = false
 end

data/lib/symmetric_encryption/utils/aws.rb

@@ -1,5 +1,5 @@
-require 'base64'
-require 'aws-sdk-kms'
+require "base64"
+require "aws-sdk-kms"
 module SymmetricEncryption
   module Utils
     # Wrap the AWS KMS client so that it automatically creates the Customer Master Key,
@@ -13,8 +13,8 @@ module SymmetricEncryption
 
       # TODO: Map to OpenSSL ciphers
       AWS_KEY_SPEC_MAP = {
-        'aes-256-cbc' => 'AES_256',
-        'aes-128-cbc' => 'AES_128'
+        "aes-256-cbc" => "AES_256",
+        "aes-128-cbc" => "AES_128"
       }.freeze
 
       # TODO: Move to Keystore::Aws
@@ -98,12 +98,10 @@ module SymmetricEncryption
 
       private
 
-      attr_reader :client
-
       def whoami
         @whoami ||= `whoami`.strip
       rescue StandardError
-        @whoami = 'unknown'
+        @whoami = "unknown"
       end
 
       # Creates a new Customer Master Key for Symmetric Encryption use.
@@ -111,10 +109,10 @@ module SymmetricEncryption
         # TODO: Add error handling and retry
 
         resp = client.create_key(
-          description: 'Symmetric Encryption for Ruby Customer Masker Key',
+          description: "Symmetric Encryption for Ruby Customer Masker Key",
           tags:        [
-            {tag_key: 'CreatedAt', tag_value: Time.now.to_s},
-            {tag_key: 'CreatedBy', tag_value: whoami}
+            {tag_key: "CreatedAt", tag_value: Time.now.to_s},
+            {tag_key: "CreatedBy", tag_value: whoami}
           ]
         )
         resp.key_metadata.key_id

data/lib/symmetric_encryption/utils/files.rb

@@ -0,0 +1,45 @@
+module SymmetricEncryption
+  module Utils
+    module Files
+      private
+
+      attr_reader :file_name
+
+      def read_file_and_decode(file_name)
+        raise(SymmetricEncryption::ConfigError, "file_name is mandatory for each key_file entry") unless file_name
+
+        raise(SymmetricEncryption::ConfigError, "File #{file_name} could not be found") unless ::File.exist?(file_name)
+
+        # TODO: Validate that file is not globally readable.
+        decode64(read_from_file(file_name))
+      end
+
+      def write_encoded_to_file(file_name, encrypted_data_key)
+        write_to_file(file_name, encode64(encrypted_data_key))
+      end
+
+      def encode64(data)
+        Base64.strict_encode64(data)
+      end
+
+      def decode64(data)
+        Base64.strict_decode64(data)
+      end
+
+      # Write to the supplied file_name, backing up the existing file if present
+      def write_to_file(file_name, data)
+        key_path = ::File.dirname(file_name)
+        ::FileUtils.mkdir_p(key_path) unless ::File.directory?(key_path)
+        ::File.rename(file_name, "#{file_name}.#{Time.now.to_i}") if ::File.exist?(file_name)
+        ::File.open(file_name, "wb", 0o600) { |file| file.write(data) }
+      end
+
+      # Read from the file, raising an exception if it is not found
+      def read_from_file(file_name)
+        ::File.open(file_name, "rb", &:read)
+      rescue Errno::ENOENT
+        raise(SymmetricEncryption::ConfigError, "Symmetric Encryption key file: '#{file_name}' not found or readable")
+      end
+    end
+  end
+end

data/lib/symmetric_encryption/utils/re_encrypt_files.rb

@@ -55,26 +55,26 @@ module SymmetricEncryption
         lines              = File.read(file_name)
         hits, output_lines = re_encrypt_lines(lines)
 
-        File.open(file_name, 'wb') { |file| file.write(output_lines) } if hits.positive?
+        File.open(file_name, "wb") { |file| file.write(output_lines) } if hits.positive?
         hits
       end
 
       # Replaces instances of encrypted data within lines of text with re-encrypted values
       def re_encrypt_lines(lines)
         hits         = 0
-        output_lines = ''
+        output_lines = ""
         r            = regexp
         lines.each_line do |line|
           line.force_encoding(SymmetricEncryption::UTF8_ENCODING)
           output_lines <<
             if line.valid_encoding? && (result = line.match(r))
-              encrypted                        = result[0]
-              new_value                        = re_encrypt(encrypted)
-              if new_value != encrypted
+              encrypted = result[0]
+              new_value = re_encrypt(encrypted)
+              if new_value == encrypted
+                line
+              else
                 hits += 1
                 line.gsub(encrypted, new_value)
-              else
-                line
               end
             else
               line
@@ -117,8 +117,8 @@ module SymmetricEncryption
             begin
               count = re_encrypt_contents(file_name)
               puts "Re-encrypted #{count} encrypted value(s) in: #{file_name}" if count.positive?
-            rescue StandardError => exc
-              puts "Failed re-encrypting the file contents of: #{file_name}. #{exc.class.name}: #{exc.message}"
+            rescue StandardError => e
+              puts "Failed re-encrypting the file contents of: #{file_name}. #{e.class.name}: #{e.message}"
             end
           end
         end
@@ -127,13 +127,13 @@ module SymmetricEncryption
       private
 
       def regexp
-        @regexp ||= /#{SymmetricEncryption.cipher.encoded_magic_header}([A-Za-z0-9+\/]+[=\\n]*)/
+        @regexp ||= %r{#{SymmetricEncryption.cipher.encoded_magic_header}([A-Za-z0-9+/]+[=\\n]*)}
       end
 
       # Returns [Integer] encrypted file key version.
       # Returns [nil] if the file is not encrypted or does not have a header.
       def encrypted_file_version(file_name)
-        ::File.open(file_name, 'rb') do |file|
+        ::File.open(file_name, "rb") do |file|
           reader = SymmetricEncryption::Reader.new(file)
           reader.version if reader.header_present?
         end

data/lib/symmetric_encryption/version.rb

@@ -1,3 +1,3 @@
 module SymmetricEncryption
-  VERSION = '4.1.2'.freeze
+  VERSION = "4.5.0".freeze
 end

data/lib/symmetric_encryption/writer.rb

@@ -1,4 +1,4 @@
-require 'openssl'
+require "openssl"
 
 module SymmetricEncryption
   # Write to encrypted files and other IO streams.
@@ -49,10 +49,10 @@ module SymmetricEncryption
     #  end
     def self.open(file_name_or_stream, compress: nil, **args)
       if file_name_or_stream.is_a?(String)
-        file_name_or_stream = ::File.open(file_name_or_stream, 'wb')
+        file_name_or_stream = ::File.open(file_name_or_stream, "wb")
         compress            = !(/\.(zip|gz|gzip|xls.|)\z/i === file_name_or_stream) if compress.nil?
-      else
-        compress = true if compress.nil?
+      elsif compress.nil?
+        compress = true
       end
 
       begin
@@ -97,15 +97,22 @@ module SymmetricEncryption
     def initialize(ios, version: nil, cipher_name: nil, header: true, random_key: true, random_iv: true, compress: false)
       # Compress is only used at this point for setting the flag in the header
       @ios = ios
-      raise(ArgumentError, 'When :random_key is true, :random_iv must also be true') if random_key && !random_iv
-      raise(ArgumentError, 'Cannot supply a :cipher_name unless both :random_key and :random_iv are true') if cipher_name && !random_key && !random_iv
+      raise(ArgumentError, "When :random_key is true, :random_iv must also be true") if random_key && !random_iv
+      if cipher_name && !random_key && !random_iv
+        raise(ArgumentError, "Cannot supply a :cipher_name unless both :random_key and :random_iv are true")
+      end
 
       # Cipher to encrypt the random_key, or the entire file
       cipher = SymmetricEncryption.cipher(version)
-      raise(SymmetricEncryption::CipherError, "Cipher with version:#{version} not found in any of the configured SymmetricEncryption ciphers") unless cipher
+      unless cipher
+        raise(SymmetricEncryption::CipherError,
+              "Cipher with version:#{version} not found in any of the configured SymmetricEncryption ciphers")
+      end
 
       # Force header if compressed or using random iv, key
-      header = Header.new(version: cipher.version, compress: compress, cipher_name: cipher_name) if (header == true) || compress || random_key || random_iv
+      if (header == true) || compress || random_key || random_iv
+        header = Header.new(version: cipher.version, compress: compress, cipher_name: cipher_name)
+      end
 
       @stream_cipher = ::OpenSSL::Cipher.new(cipher_name || cipher.cipher_name)
       @stream_cipher.encrypt
@@ -158,8 +165,8 @@ module SymmetricEncryption
       def write(data)
         return unless data
 
-        bytes   = data.to_s
-        @size  += bytes.size
+        bytes = data.to_s
+        @size += bytes.size
         partial = @stream_cipher.update(bytes)
         @ios.write(partial) unless partial.empty?
         data.length
@@ -168,9 +175,9 @@ module SymmetricEncryption
       def write(data)
         return unless data
 
-        bytes   = data.to_s
-        @size  += bytes.size
-        partial = @stream_cipher.update(bytes, @cipher_buffer ||= ''.b)
+        bytes = data.to_s
+        @size += bytes.size
+        partial = @stream_cipher.update(bytes, @cipher_buffer ||= "".b)
         @ios.write(partial) unless partial.empty?
         data.length
       end

data/lib/symmetric_encryption.rb

@@ -1,61 +1,31 @@
-# Used for compression
-require 'zlib'
-# Used to coerce data types between string and their actual types
-require 'coercible'
-
-require 'symmetric_encryption/version'
-require 'symmetric_encryption/cipher'
-require 'symmetric_encryption/symmetric_encryption'
-require 'symmetric_encryption/exception'
-
-# @formatter:off
-module SymmetricEncryption
-  autoload :Coerce,                 'symmetric_encryption/coerce'
-  autoload :Config,                 'symmetric_encryption/config'
-  autoload :Encoder,                'symmetric_encryption/encoder'
-  autoload :Generator,              'symmetric_encryption/generator'
-  autoload :Header,                 'symmetric_encryption/header'
-  autoload :Key,                    'symmetric_encryption/key'
-  autoload :Reader,                 'symmetric_encryption/reader'
-  autoload :RSAKey,                 'symmetric_encryption/rsa_key'
-  autoload :Writer,                 'symmetric_encryption/writer'
-  autoload :CLI,                    'symmetric_encryption/cli'
-  autoload :Keystore,               'symmetric_encryption/keystore'
-  module Utils
-    autoload :Aws,                  'symmetric_encryption/utils/aws'
-    autoload :ReEncryptFiles,       'symmetric_encryption/utils/re_encrypt_files'
-  end
-end
-# @formatter:on
+require "symmetric_encryption/core"
 
 # Add extensions. Gems are no longer order dependent.
 begin
-  require 'rails'
-  require 'symmetric_encryption/railtie'
+  require "rails"
+  require "symmetric_encryption/railtie"
 rescue LoadError
 end
 
 begin
-  require 'active_record'
-  require 'symmetric_encryption/extensions/active_record/base'
-rescue LoadError
-end
+  require "active_support"
+  ActiveSupport.on_load(:active_record) do
+    require "symmetric_encryption/active_record/attr_encrypted"
+    require "symmetric_encryption/railties/symmetric_encryption_validator"
 
-begin
-  require 'active_model'
-  require 'symmetric_encryption/railties/symmetric_encryption_validator'
-rescue LoadError
-end
+    if ActiveRecord.version >= Gem::Version.new("5.0.0")
+      ActiveRecord::Type.register(:encrypted, SymmetricEncryption::ActiveRecord::EncryptedAttribute)
+    end
 
-begin
-  require 'mongoid'
-  require 'symmetric_encryption/extensions/mongoid/encrypted'
-rescue LoadError
-end
+    # Remove old way of defining attributes with Rails 7 since it conflicts with the method names.
+    if ActiveRecord.version <= Gem::Version.new("7.0.0")
+      ActiveRecord::Base.include(SymmetricEncryption::ActiveRecord::AttrEncrypted)
+    end
+  end
 
-begin
-  require 'mongo_mapper'
-  warn 'MongoMapper support is deprecated. Please upgrade to Mongoid.'
-  require 'symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key'
+  ActiveSupport.on_load(:mongoid) do
+    require "symmetric_encryption/railties/mongoid_encrypted"
+    require "symmetric_encryption/railties/symmetric_encryption_validator"
+  end
 rescue LoadError
 end