symmetric-encryption 4.2.1 → 4.3.3

data/lib/symmetric_encryption/keystore/aws.rb

@@ -1,4 +1,4 @@
-require 'aws-sdk-kms'
+require "aws-sdk-kms"
 module SymmetricEncryption
   module Keystore
     # Support AWS Key Management Service (KMS)
@@ -70,24 +70,20 @@ module SymmetricEncryption
       #                ],
       #   iv:          'T80pYzD0E6e/bJCdjZ6TiQ=='
       # }
-      def self.generate_data_key(version: 0,
+      def self.generate_data_key(cipher_name:, app_name:, environment:, key_path:, version: 0,
                                  regions: Utils::Aws::AWS_US_REGIONS,
                                  dek: nil,
-                                 cipher_name:,
-                                 app_name:,
-                                 environment:,
-                                 key_path:,
-                                 **args)
+                                 **_args)
 
         # TODO: Also support generating environment variables instead of files.
 
         version >= 255 ? (version = 1) : (version += 1)
-        regions                   = Array(regions).dup
+        regions = Array(regions).dup
 
         master_key_alias = master_key_alias(app_name, environment)
 
         # File per region for holding the encrypted data key
-        key_files   = regions.collect do |region|
+        key_files = regions.collect do |region|
           file_name = "#{app_name}_#{environment}_#{region}_v#{version}.encrypted_key"
           {region: region, file_name: ::File.join(key_path, file_name)}
         end
@@ -116,12 +112,13 @@ module SymmetricEncryption
 
       # Stores the Encryption key in a file.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(region: nil, key_files:, master_key_alias:, key_encrypting_key: nil)
+      def initialize(key_files:, master_key_alias:, region: nil, key_encrypting_key: nil)
         @key_files        = key_files
         @master_key_alias = master_key_alias
-        @region           = region || ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || ::Aws.config[:region]
+        @region           = region || ENV["AWS_REGION"] || ENV["AWS_DEFAULT_REGION"] || ::Aws.config[:region]
         if key_encrypting_key
-          raise(SymmetricEncryption::ConfigError, 'AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key')
+          raise(SymmetricEncryption::ConfigError,
+                "AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key")
         end
       end
 
@@ -143,7 +140,7 @@ module SymmetricEncryption
           region    = key_file[:region]
           file_name = key_file[:file_name]
 
-          raise(ArgumentError, 'region and file_name are mandatory for each key_file entry') unless region && file_name
+          raise(ArgumentError, "region and file_name are mandatory for each key_file entry") unless region && file_name
 
           encrypted_data_key = aws(region).encrypt(data_key)
           write_encoded_to_file(file_name, encrypted_data_key)

data/lib/symmetric_encryption/keystore/environment.rb

@@ -7,13 +7,13 @@ module SymmetricEncryption
       # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
-        key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr('-', '_')
+        key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr("-", "_")
         new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)
 
         {
@@ -50,9 +50,9 @@ module SymmetricEncryption
       def write(key)
         encrypted_key = key_encrypting_key.encrypt(key)
         puts "\n\n********************************************************************************"
-        puts 'Set the environment variable as follows:'
+        puts "Set the environment variable as follows:"
         puts "  export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
-        puts '********************************************************************************'
+        puts "********************************************************************************"
       end
 
       private

data/lib/symmetric_encryption/keystore/file.rb

@@ -2,17 +2,18 @@ module SymmetricEncryption
   module Keystore
     class File
       include Utils::Files
+      ALLOWED_PERMISSIONS = %w[100600 100400].freeze
 
       attr_accessor :file_name, :key_encrypting_key
 
       # Returns [Hash] a new keystore configuration after generating the data key.
       #
       # Increments the supplied version number by 1.
-      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(key_path:, cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
@@ -47,11 +48,22 @@ module SymmetricEncryption
 
       # Returns the Encryption key in the clear.
       def read
-        raise(SymmetricEncryption::ConfigError,
-              "Symmetric Encryption key file: '#{file_name}' not found") unless ::File.exists?(file_name)
-        raise(SymmetricEncryption::ConfigError,
-              "Symmetric Encryption key file '#{file_name}' has the wrong "\
-              "permissions: #{::File.stat(file_name).mode.to_s(8)}. Expected 100600 or 100400.") unless correct_permissions?
+        unless ::File.exist?(file_name)
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file: '#{file_name}' not found")
+        end
+        unless correct_permissions?
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file '#{file_name}' has the wrong "\
+                "permissions: #{::File.stat(file_name).mode.to_s(8)}. Expected 100600 or 100400.")
+        end
+        unless owned?
+          raise(SymmetricEncryption::ConfigError,
+                "Symmetric Encryption key file '#{file_name}' has the wrong "\
+                "owner (#{stat.uid}) or group (#{stat.gid}). "\
+                "Expected it to be owned by current user "\
+                "#{ENV['USER'] || ENV['USERNAME']}.")
+        end
 
         data = read_from_file(file_name)
         key_encrypting_key ? key_encrypting_key.decrypt(data) : data
@@ -69,9 +81,15 @@ module SymmetricEncryption
       # has the correct mode - readable and writable by its owner and no one
       # else, much like the keys one has in ~/.ssh
       def correct_permissions?
-        stat = ::File.stat(file_name)
+        ALLOWED_PERMISSIONS.include?(stat.mode.to_s(8))
+      end
+
+      def owned?
+        stat.owned?
+      end
 
-        stat.owned? && %w(100600 100400).include?(stat.mode.to_s(8))
+      def stat
+        ::File.stat(file_name)
       end
     end
   end

data/lib/symmetric_encryption/keystore/gcp.rb

@@ -5,12 +5,12 @@ module SymmetricEncryption
     class Gcp
       include Utils::Files
 
-      def self.generate_data_key(version: 0, cipher_name:, app_name:, environment:, key_path:)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, key_path:, version: 0)
         version >= 255 ? (version = 1) : (version += 1)
 
-        dek      = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        dek       = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         file_name = "#{key_path}/#{app_name}_#{environment}_v#{version}.encrypted_key"
-        keystore = new(
+        keystore  = new(
           key_file:    file_name,
           app_name:    app_name,
           environment: environment
@@ -18,21 +18,21 @@ module SymmetricEncryption
         keystore.write(dek.key)
 
         {
-          keystore:         :gcp,
-          cipher_name:      dek.cipher_name,
-          version:          version,
-          key_file:         file_name,
-          iv:               dek.iv,
-          crypto_key:       keystore.crypto_key
+          keystore:    :gcp,
+          cipher_name: dek.cipher_name,
+          version:     version,
+          key_file:    file_name,
+          iv:          dek.iv,
+          crypto_key:  keystore.crypto_key
         }
       end
 
       def initialize(key_file:, app_name: nil, environment: nil, key_encrypting_key: nil, crypto_key: nil, project_id: nil, credentials: nil, location_id: nil)
-        @crypto_key = crypto_key
-        @app_name = app_name
+        @crypto_key  = crypto_key
+        @app_name    = app_name
         @environment = environment
-        @file_name = key_file
-        @project_id = project_id
+        @file_name   = key_file
+        @project_id  = project_id
         @credentials = credentials
         @location_id = location_id
       end
@@ -46,7 +46,8 @@ module SymmetricEncryption
       end
 
       def crypto_key
-        @crypto_key ||= self.class::KMS::KeyManagementServiceClient.crypto_key_path(project_id, location_id, app_name, environment.to_s)
+        @crypto_key ||= self.class::KMS::KeyManagementServiceClient.crypto_key_path(project_id, location_id, app_name,
+                                                                                    environment.to_s)
       end
 
       private
@@ -69,18 +70,20 @@ module SymmetricEncryption
 
       def project_id
         @project_id ||= ENV["GOOGLE_CLOUD_PROJECT"]
-        raise 'GOOGLE_CLOUD_PROJECT must be set' if @project_id.nil?
+        raise "GOOGLE_CLOUD_PROJECT must be set" if @project_id.nil?
+
         @project_id
       end
 
       def credentials
-        @credentials ||= ENV['GOOGLE_CLOUD_KEYFILE']
-        raise 'GOOGLE_CLOUD_KEYFILE must be set' if @credentials.nil?
+        @credentials ||= ENV["GOOGLE_CLOUD_KEYFILE"]
+        raise "GOOGLE_CLOUD_KEYFILE must be set" if @credentials.nil?
+
         @credentials
       end
 
       def location_id
-        @location_id ||= ENV["GOOGLE_CLOUD_LOCATION"] || 'global'
+        @location_id ||= ENV["GOOGLE_CLOUD_LOCATION"] || "global"
       end
     end
   end

data/lib/symmetric_encryption/keystore/heroku.rb

@@ -15,7 +15,7 @@ module SymmetricEncryption
         puts "\n\n********************************************************************************"
         puts "Add the environment key to Heroku:\n\n"
         puts "  heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
-        puts '********************************************************************************'
+        puts "********************************************************************************"
       end
     end
   end

data/lib/symmetric_encryption/keystore/memory.rb

@@ -12,10 +12,10 @@ module SymmetricEncryption
       # Notes:
       # * For development and testing purposes only!!
       # * Never store the encrypted encryption key in the source code / config file.
-      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **args)
+      def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
         version >= 255 ? (version = 1) : (version += 1)
 
-        kek   = SymmetricEncryption::Key.new(cipher_name: cipher_name)
+        kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
         dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
 
         encrypted_key = new(key_encrypting_key: kek).write(dek.key)
@@ -35,7 +35,7 @@ module SymmetricEncryption
 
       # Stores the Encryption key in a string.
       # Secures the Encryption key by encrypting it with a key encryption key.
-      def initialize(encrypted_key: nil, key_encrypting_key:)
+      def initialize(key_encrypting_key:, encrypted_key: nil)
         @encrypted_key      = encrypted_key
         @key_encrypting_key = key_encrypting_key
       end

data/lib/symmetric_encryption/railtie.rb

@@ -29,26 +29,27 @@ module SymmetricEncryption #:nodoc:
     config.before_configuration do
       # Check if already configured
       unless ::SymmetricEncryption.cipher?
-        app_name      = Rails::Application.subclasses.first.parent.to_s.underscore
+        parent_method = Module.method_defined?(:module_parent) ? "module_parent" : "parent"
+        app_name      = Rails::Application.subclasses.first.send(parent_method).to_s.underscore
+        env_var       = ENV["SYMMETRIC_ENCRYPTION_CONFIG"]
         config_file   =
-          if (env_var = ENV['SYMMETRIC_ENCRYPTION_CONFIG'])
-            Pathname.new File.expand_path(env_var)
+          if env_var
+            Pathname.new(File.expand_path(env_var))
           else
-            Rails.root.join('config', 'symmetric-encryption.yml')
+            Rails.root.join("config", "symmetric-encryption.yml")
           end
+
         if config_file.file?
           begin
-            ::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV['SYMMETRIC_ENCRYPTION_ENV'] || Rails.env)
-          rescue ArgumentError => exc
+            ::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV["SYMMETRIC_ENCRYPTION_ENV"] || Rails.env)
+          rescue ArgumentError => e
             puts "\nSymmetric Encryption not able to read keys."
-            puts "#{exc.class.name} #{exc.message}"
+            puts "#{e.class.name} #{e.message}"
             puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
-            raise(exc)
+            raise(e)
           end
-        else
-          puts "\nSymmetric Encryption config not found."
-          puts "To generate a new config file and key files: symmetric-encryption --generate --app-name #{app_name}\n\n"
         end
+
       end
     end
   end

data/lib/symmetric_encryption/railties/mongoid_encrypted.rb

@@ -1,4 +1,4 @@
-require 'mongoid'
+require "mongoid"
 # Add :encrypted option for Mongoid models
 #
 # Example:
@@ -95,12 +95,13 @@ Mongoid::Fields.option :encrypted do |model, field, options|
 
     # Support overriding the name of the decrypted attribute
     decrypted_field_name = options.delete(:decrypt_as)
-    if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?('encrypted_')
-      decrypted_field_name = encrypted_field_name.to_s['encrypted_'.length..-1]
+    if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?("encrypted_")
+      decrypted_field_name = encrypted_field_name.to_s["encrypted_".length..-1]
     end
 
     if decrypted_field_name.nil?
-      raise(ArgumentError, "SymmetricEncryption for Mongoid. Encryption enabled for field #{encrypted_field_name}. It must either start with 'encrypted_' or the option :decrypt_as must be supplied")
+      raise(ArgumentError,
+            "SymmetricEncryption for Mongoid. Encryption enabled for field #{encrypted_field_name}. It must either start with 'encrypted_' or the option :decrypt_as must be supplied")
     end
 
     SymmetricEncryption::Generator.generate_decrypted_accessors(model, decrypted_field_name, encrypted_field_name, options)

data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb

@@ -15,6 +15,6 @@ class SymmetricEncryptionValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
     return if value.blank? || SymmetricEncryption.encrypted?(value)
 
-    record.errors.add(attribute, 'must be a value encrypted using SymmetricEncryption.encrypt')
+    record.errors.add(attribute, "must be a value encrypted using SymmetricEncryption.encrypt")
   end
 end

data/lib/symmetric_encryption/reader.rb

@@ -1,4 +1,4 @@
-require 'openssl'
+require "openssl"
 
 module SymmetricEncryption
   # Read from encrypted files and other IO streams
@@ -60,7 +60,7 @@ module SymmetricEncryption
     #   csv.close if csv
     # end
     def self.open(file_name_or_stream, buffer_size: 16_384, **args, &block)
-      ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream, 'rb') : file_name_or_stream
+      ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream, "rb") : file_name_or_stream
 
       begin
         file = new(ios, buffer_size: buffer_size, **args)
@@ -104,7 +104,7 @@ module SymmetricEncryption
 
     # Returns [true|false] whether the file contains the encryption header
     def self.header_present?(file_name)
-      ::File.open(file_name, 'rb') { |file| new(file).header_present? }
+      ::File.open(file_name, "rb") { |file| new(file).header_present? }
     end
 
     # After opening a file Returns [true|false] whether the file being
@@ -120,9 +120,9 @@ module SymmetricEncryption
       @version        = version
       @header_present = false
       @closed         = false
-      @read_buffer    = ''.b
+      @read_buffer    = "".b
 
-      raise(ArgumentError, 'Buffer size cannot be smaller than 128') unless @buffer_size >= 128
+      raise(ArgumentError, "Buffer size cannot be smaller than 128") unless @buffer_size >= 128
 
       read_header
     end
@@ -185,10 +185,10 @@ module SymmetricEncryption
     # At end of file, it returns nil if no more data is available, or the last
     # remaining bytes
     def read(length = nil, outbuf = nil)
-      data             = outbuf.to_s.clear
+      data             = outbuf.nil? ? "" : outbuf.clear
       remaining_length = length
 
-      until remaining_length == 0 || eof?
+      until remaining_length&.zero? || eof?
         read_block(remaining_length) if @read_buffer.empty?
 
         if remaining_length && remaining_length < @read_buffer.length
@@ -209,7 +209,7 @@ module SymmetricEncryption
     # Raises EOFError on eof
     # The stream must be opened for reading or an IOError will be raised.
     def readline(sep_string = "\n")
-      gets(sep_string) || raise(EOFError, 'End of file reached when trying to read a line')
+      gets(sep_string) || raise(EOFError, "End of file reached when trying to read a line")
     end
 
     # Reads a single decrypted line from the file up to and including the optional sep_string.
@@ -226,8 +226,8 @@ module SymmetricEncryption
         read_block
       end
       index ||= -1
-      data    = @read_buffer.slice!(0..index)
-      @pos   += data.length
+      data = @read_buffer.slice!(0..index)
+      @pos += data.length
       return nil if data.empty? && eof?
 
       data
@@ -310,7 +310,7 @@ module SymmetricEncryption
       @pos = 0
 
       # Read first block and check for the header
-      buf = @ios.read(@buffer_size, @output_buffer ||= ''.b)
+      buf = @ios.read(@buffer_size, @output_buffer ||= "".b)
 
       # Use cipher specified in header, or global cipher if it has no header
       iv, key, cipher_name, cipher = nil
@@ -340,7 +340,7 @@ module SymmetricEncryption
 
     # Read a block of data and append the decrypted data in the read buffer
     def read_block(length = nil)
-      buf = @ios.read(length || @buffer_size, @output_buffer ||= ''.b)
+      buf = @ios.read(length || @buffer_size, @output_buffer ||= "".b)
       decrypt(buf)
     end
 
@@ -356,7 +356,7 @@ module SymmetricEncryption
       def decrypt(buf)
         return if buf.nil? || buf.empty?
 
-        @read_buffer << @stream_cipher.update(buf, @cipher_buffer ||= ''.b)
+        @read_buffer << @stream_cipher.update(buf, @cipher_buffer ||= "".b)
         @read_buffer << @stream_cipher.final if @ios.eof?
       end
     end

data/lib/symmetric_encryption/rsa_key.rb

@@ -1,4 +1,4 @@
-require 'openssl'
+require "openssl"
 module SymmetricEncryption
   # DEPRECATED - Internal use only
   class RSAKey

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -1,18 +1,13 @@
-require 'base64'
-require 'openssl'
-require 'zlib'
-require 'yaml'
-require 'erb'
+require "base64"
+require "openssl"
+require "zlib"
+require "yaml"
+require "erb"
 
 # Encrypt using 256 Bit AES CBC symmetric key and initialization vector
 # The symmetric key is protected using the private key below and must
 # be distributed separately from the application
 module SymmetricEncryption
-  # Defaults
-  @@cipher            = nil
-  @@secondary_ciphers = []
-  @@select_cipher     = nil
-
   # List of types supported when encrypting or decrypting data
   #
   # Each type maps to the built-in Ruby types as follows:
@@ -37,9 +32,11 @@ module SymmetricEncryption
   #     cipher: 'aes-128-cbc'
   #   )
   def self.cipher=(cipher)
-    raise(ArgumentError, 'Cipher must respond to :encrypt and :decrypt') unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
+    unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
+      raise(ArgumentError, "Cipher must respond to :encrypt and :decrypt")
+    end
 
-    @@cipher = cipher
+    @cipher = cipher
   end
 
   # Returns the Primary Symmetric Cipher being used
@@ -50,33 +47,46 @@ module SymmetricEncryption
     unless cipher?
       raise(
         SymmetricEncryption::ConfigError,
-        'Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data'
+        "Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data"
       )
     end
 
-    return @@cipher if version.nil? || (@@cipher.version == version)
+    return @cipher if version.nil? || (@cipher.version == version)
 
-    secondary_ciphers.find { |c| c.version == version } || (@@cipher if version.zero?)
+    secondary_ciphers.find { |c| c.version == version } || (@cipher if version.zero?)
   end
 
   # Returns whether a primary cipher has been set
   def self.cipher?
-    !@@cipher.nil?
+    !@cipher.nil?
   end
 
   # Set the Secondary Symmetric Ciphers Array to be used
   def self.secondary_ciphers=(secondary_ciphers)
-    raise(ArgumentError, 'secondary_ciphers must be a collection') unless secondary_ciphers.respond_to? :each
+    raise(ArgumentError, "secondary_ciphers must be a collection") unless secondary_ciphers.respond_to? :each
 
     secondary_ciphers.each do |cipher|
-      raise(ArgumentError, 'secondary_ciphers can only consist of SymmetricEncryption::Ciphers') unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt)
+      unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt)
+        raise(ArgumentError, "secondary_ciphers can only consist of SymmetricEncryption::Ciphers")
+      end
     end
-    @@secondary_ciphers = secondary_ciphers
+    @secondary_ciphers = secondary_ciphers
   end
 
   # Returns the Primary Symmetric Cipher being used
   def self.secondary_ciphers
-    @@secondary_ciphers
+    @secondary_ciphers
+  end
+
+  # Whether to randomize the iv by default.
+  # true: Generate a new random IV by default. [HIGHLY RECOMMENDED]
+  # false: Do not generate a new random IV by default.
+  def self.randomize_iv?
+    @randomize_iv
+  end
+
+  def self.randomize_iv=(randomize_iv)
+    @randomize_iv = randomize_iv
   end
 
   # Decrypt supplied string.
@@ -115,7 +125,7 @@ module SymmetricEncryption
   #       the incorrect key. Clearly the data returned is garbage, but it still
   #       successfully returns a string of data
   def self.decrypt(encrypted_and_encoded_string, version: nil, type: :string)
-    return encrypted_and_encoded_string if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == '')
+    return encrypted_and_encoded_string if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == "")
 
     str = encrypted_and_encoded_string.to_s
 
@@ -133,9 +143,9 @@ module SymmetricEncryption
           if version
             # Supplied version takes preference
             cipher(version)
-          elsif @@select_cipher
+          elsif @select_cipher
             # Use cipher_selector if present to decide which cipher to use
-            @@select_cipher.call(str, decoded)
+            @select_cipher.call(str, decoded)
           else
             # Global cipher
             cipher
@@ -144,14 +154,16 @@ module SymmetricEncryption
       end
 
     # Try to force result to UTF-8 encoding, but if it is not valid, force it back to Binary
-    decrypted.force_encoding(SymmetricEncryption::BINARY_ENCODING) unless decrypted.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
+    unless decrypted.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
+      decrypted.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+    end
     Coerce.coerce_from_string(decrypted, type)
   end
 
   # Returns the header for the encrypted string
   # Returns [nil] if no header is present
   def self.header(encrypted_and_encoded_string)
-    return if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == '')
+    return if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == "")
 
     # Decode before decrypting supplied string
     decoded = cipher.encoder.decode(encrypted_and_encoded_string.to_s)
@@ -172,10 +184,12 @@ module SymmetricEncryption
   #     to convert it to a string
   #
   #   random_iv [true|false]
-  #     Whether the encypted value should use a random IV every time the
-  #     field is encrypted.
-  #     It is recommended to set this to true where feasible. If the encrypted
-  #     value could be used as part of a SQL where clause, or as part
+  #     Mandatory unless `SymmetricEncryption.randomize_iv = true` has been called.
+  #
+  #     Whether the encrypted value should use a random IV every time the field is encrypted.
+  #     It is recommended to set this to true where possible.
+  #
+  #     If the encrypted value could be used as part of a SQL where clause, or as part
   #     of any lookup, then it must be false.
   #     Setting random_iv to true will result in a different encrypted output for
   #     the same input string.
@@ -203,8 +217,8 @@ module SymmetricEncryption
   #     Note: If type is set to something other than :string, it's expected that
   #       the coercible gem is available in the path.
   #     Default: :string
-  def self.encrypt(str, random_iv: false, compress: false, type: :string, header: cipher.always_add_header)
-    return str if str.nil? || (str == '')
+  def self.encrypt(str, random_iv: SymmetricEncryption.randomize_iv?, compress: false, type: :string, header: cipher.always_add_header)
+    return str if str.nil? || (str == "")
 
     # Encrypt and then encode the supplied string
     cipher.encrypt(Coerce.coerce_to_string(str, type), random_iv: random_iv, compress: compress, header: header)
@@ -233,7 +247,7 @@ module SymmetricEncryption
   # * This method only works reliably when the encrypted data includes the symmetric encryption header.
   # * nil and '' are considered "encrypted" so that validations do not blow up on empty values.
   def self.encrypted?(encrypted_data)
-    return false if encrypted_data.nil? || (encrypted_data == '')
+    return false if encrypted_data.nil? || (encrypted_data == "")
 
     @header ||= SymmetricEncryption.cipher.encoded_magic_header
     encrypted_data.to_s.start_with?(@header)
@@ -265,7 +279,7 @@ module SymmetricEncryption
   #     encoded_str.end_with?("\n") ? SymmetricEncryption.cipher(0) : SymmetricEncryption.cipher
   #   end
   def self.select_cipher(&block)
-    @@select_cipher = block || nil
+    @select_cipher = block || nil
   end
 
   # Load the Encryption Configuration from a YAML file
@@ -282,10 +296,16 @@ module SymmetricEncryption
 
   # Generate a Random password
   def self.random_password(size = 22)
-    require 'securerandom' unless defined?(SecureRandom)
+    require "securerandom" unless defined?(SecureRandom)
     SecureRandom.urlsafe_base64(size)
   end
 
-  BINARY_ENCODING = Encoding.find('binary')
-  UTF8_ENCODING   = Encoding.find('UTF-8')
+  BINARY_ENCODING = Encoding.find("binary")
+  UTF8_ENCODING   = Encoding.find("UTF-8")
+
+  # Defaults
+  @cipher            = nil
+  @secondary_ciphers = []
+  @select_cipher     = nil
+  @randomize_iv      = false
 end