symmetric-encryption 4.3.1 → 4.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Rakefile +9 -9
- data/bin/symmetric-encryption +1 -1
- data/lib/symmetric-encryption.rb +1 -1
- data/lib/symmetric_encryption.rb +9 -9
- data/lib/symmetric_encryption/active_record/attr_encrypted.rb +1 -1
- data/lib/symmetric_encryption/cipher.rb +14 -10
- data/lib/symmetric_encryption/cli.rb +51 -51
- data/lib/symmetric_encryption/coerce.rb +3 -3
- data/lib/symmetric_encryption/config.rb +27 -26
- data/lib/symmetric_encryption/core.rb +22 -22
- data/lib/symmetric_encryption/encoder.rb +8 -8
- data/lib/symmetric_encryption/generator.rb +7 -3
- data/lib/symmetric_encryption/header.rb +12 -12
- data/lib/symmetric_encryption/key.rb +1 -1
- data/lib/symmetric_encryption/keystore.rb +20 -20
- data/lib/symmetric_encryption/keystore/aws.rb +6 -6
- data/lib/symmetric_encryption/keystore/environment.rb +4 -4
- data/lib/symmetric_encryption/keystore/file.rb +17 -3
- data/lib/symmetric_encryption/keystore/gcp.rb +6 -6
- data/lib/symmetric_encryption/keystore/heroku.rb +1 -1
- data/lib/symmetric_encryption/keystore/memory.rb +1 -1
- data/lib/symmetric_encryption/railtie.rb +6 -6
- data/lib/symmetric_encryption/railties/mongoid_encrypted.rb +3 -3
- data/lib/symmetric_encryption/railties/symmetric_encryption_validator.rb +1 -1
- data/lib/symmetric_encryption/reader.rb +13 -13
- data/lib/symmetric_encryption/rsa_key.rb +1 -1
- data/lib/symmetric_encryption/symmetric_encryption.rb +23 -17
- data/lib/symmetric_encryption/utils/aws.rb +8 -8
- data/lib/symmetric_encryption/utils/files.rb +3 -3
- data/lib/symmetric_encryption/utils/re_encrypt_files.rb +5 -5
- data/lib/symmetric_encryption/version.rb +1 -1
- data/lib/symmetric_encryption/writer.rb +17 -11
- metadata +3 -3
@@ -1,4 +1,4 @@
|
|
1
|
-
require
|
1
|
+
require "aws-sdk-kms"
|
2
2
|
module SymmetricEncryption
|
3
3
|
module Keystore
|
4
4
|
# Support AWS Key Management Service (KMS)
|
@@ -82,12 +82,12 @@ module SymmetricEncryption
|
|
82
82
|
# TODO: Also support generating environment variables instead of files.
|
83
83
|
|
84
84
|
version >= 255 ? (version = 1) : (version += 1)
|
85
|
-
regions
|
85
|
+
regions = Array(regions).dup
|
86
86
|
|
87
87
|
master_key_alias = master_key_alias(app_name, environment)
|
88
88
|
|
89
89
|
# File per region for holding the encrypted data key
|
90
|
-
key_files
|
90
|
+
key_files = regions.collect do |region|
|
91
91
|
file_name = "#{app_name}_#{environment}_#{region}_v#{version}.encrypted_key"
|
92
92
|
{region: region, file_name: ::File.join(key_path, file_name)}
|
93
93
|
end
|
@@ -119,9 +119,9 @@ module SymmetricEncryption
|
|
119
119
|
def initialize(region: nil, key_files:, master_key_alias:, key_encrypting_key: nil)
|
120
120
|
@key_files = key_files
|
121
121
|
@master_key_alias = master_key_alias
|
122
|
-
@region = region || ENV[
|
122
|
+
@region = region || ENV["AWS_REGION"] || ENV["AWS_DEFAULT_REGION"] || ::Aws.config[:region]
|
123
123
|
if key_encrypting_key
|
124
|
-
raise(SymmetricEncryption::ConfigError,
|
124
|
+
raise(SymmetricEncryption::ConfigError, "AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key")
|
125
125
|
end
|
126
126
|
end
|
127
127
|
|
@@ -143,7 +143,7 @@ module SymmetricEncryption
|
|
143
143
|
region = key_file[:region]
|
144
144
|
file_name = key_file[:file_name]
|
145
145
|
|
146
|
-
raise(ArgumentError,
|
146
|
+
raise(ArgumentError, "region and file_name are mandatory for each key_file entry") unless region && file_name
|
147
147
|
|
148
148
|
encrypted_data_key = aws(region).encrypt(data_key)
|
149
149
|
write_encoded_to_file(file_name, encrypted_data_key)
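Review bot: The region fallback in the `initialize` hunk, `@region = region || ENV["AWS_REGION"] || ENV["AWS_DEFAULT_REGION"] || ::Aws.config[:region]`, can still leave `@region` nil and nothing here reports it, so the failure would presumably surface later from the SDK instead of as a configuration error. The constructor already raises `SymmetricEncryption::ConfigError` when a `key_encrypting_key` is supplied, so the same class fits: `raise(SymmetricEncryption::ConfigError, "AWS region must be supplied via region:, AWS_REGION, AWS_DEFAULT_REGION or Aws.config[:region]") if @region.nil?`. The `write` method whose per-entry check is shown in the last hunk continues outside it, so I cannot see whether `@region` is used there or only the per-key-file `region`.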
|
@@ -10,10 +10,10 @@ module SymmetricEncryption
|
|
10
10
|
def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
|
11
11
|
version >= 255 ? (version = 1) : (version += 1)
|
12
12
|
|
13
|
-
kek
|
13
|
+
kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
14
14
|
dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
15
15
|
|
16
|
-
key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr(
|
16
|
+
key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr("-", "_")
|
17
17
|
new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)
|
18
18
|
|
19
19
|
{
|
@@ -50,9 +50,9 @@ module SymmetricEncryption
|
|
50
50
|
def write(key)
|
51
51
|
encrypted_key = key_encrypting_key.encrypt(key)
|
52
52
|
puts "\n\n********************************************************************************"
|
53
|
-
puts
|
53
|
+
puts "Set the environment variable as follows:"
|
54
54
|
puts " export #{key_env_var}=\"#{encoder.encode(encrypted_key)}\""
|
55
|
-
puts
|
55
|
+
puts "********************************************************************************"
|
56
56
|
end
|
57
57
|
|
58
58
|
private
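Review bot: `key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.tr("-", "_")` in the `generate_data_key` hunk only maps hyphens, so a dot, space or slash in `app_name` or `environment` yields a name that `export` rejects. A class-based substitution covers every case: `key_env_var = "#{app_name}_#{environment}_v#{version}".upcase.gsub(/[^A-Z0-9_]/, "_")`. In the `write` hunk the `puts` lines print the encrypted data key to stdout, where it lands in terminal scrollback or CI logs; it is protected only by the KEK generated on the same call, so a comment above `write` should say that the output is sensitive until the KEK is stored, and where that KEK goes (presumably the hash returned at the end of `generate_data_key`, which the hunk cuts off).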
|
@@ -2,6 +2,7 @@ module SymmetricEncryption
|
|
2
2
|
module Keystore
|
3
3
|
class File
|
4
4
|
include Utils::Files
|
5
|
+
ALLOWED_PERMISSIONS = %w[100600 100400].freeze
|
5
6
|
|
6
7
|
attr_accessor :file_name, :key_encrypting_key
|
7
8
|
|
@@ -12,7 +13,7 @@ module SymmetricEncryption
|
|
12
13
|
version >= 255 ? (version = 1) : (version += 1)
|
13
14
|
|
14
15
|
dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
15
|
-
kek
|
16
|
+
kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
16
17
|
kekek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
17
18
|
|
18
19
|
dek_file_name = ::File.join(key_path, "#{app_name}_#{environment}_v#{version}.encrypted_key")
|
@@ -56,6 +57,13 @@ module SymmetricEncryption
|
|
56
57
|
"Symmetric Encryption key file '#{file_name}' has the wrong "\
|
57
58
|
"permissions: #{::File.stat(file_name).mode.to_s(8)}. Expected 100600 or 100400.")
|
58
59
|
end
|
60
|
+
unless owned?
|
61
|
+
raise(SymmetricEncryption::ConfigError,
|
62
|
+
"Symmetric Encryption key file '#{file_name}' has the wrong "\
|
63
|
+
"owner (#{stat.uid}) or group (#{stat.gid}). "\
|
64
|
+
"Expected it to be owned by current user "\
|
65
|
+
"#{ENV['USER'] || ENV['USERNAME']}.")
|
66
|
+
end
|
59
67
|
|
60
68
|
data = read_from_file(file_name)
|
61
69
|
key_encrypting_key ? key_encrypting_key.decrypt(data) : data
|
@@ -73,9 +81,15 @@ module SymmetricEncryption
|
|
73
81
|
# has the correct mode - readable and writable by its owner and no one
|
74
82
|
# else, much like the keys one has in ~/.ssh
|
75
83
|
def correct_permissions?
|
76
|
-
stat
|
84
|
+
ALLOWED_PERMISSIONS.include?(stat.mode.to_s(8))
|
85
|
+
end
|
86
|
+
|
87
|
+
def owned?
|
88
|
+
stat.owned?
|
89
|
+
end
|
77
90
|
|
78
|
-
|
91
|
+
def stat
|
92
|
+
::File.stat(file_name)
|
79
93
|
end
|
80
94
|
end
|
81
95
|
end
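Review bot: The new `owned?` branch in the `read` hunk reports a wrong "owner (uid) or group (gid)" and names `ENV['USER'] || ENV['USERNAME']` as the expected owner, but `stat.owned?` only compares the file's uid with the process's effective uid; the group is never checked, and `$USER` is not the effective user under sudo, setuid or in many containers. I would make the message match the check: `"owner (uid #{stat.uid}). Expected it to be owned by the effective user (uid #{Process.euid})."` and drop the group wording. Also, `stat` calls `::File.stat(file_name)` afresh on every use, so the mode check, the error message and the ownership check each stat the file separately before `read_from_file` opens it; memoising with `@stat ||= ::File.stat(file_name)` (or taking one stat at the top of `read`) narrows the window in which the file can be swapped between the checks and the read, though an `fstat` on the opened handle would be the complete fix. The start of `read` is outside the hunk, so I cannot see whether it already holds a stat.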
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require
|
1
|
+
require "google/cloud/kms/v1"
|
2
2
|
|
3
3
|
module SymmetricEncryption
|
4
4
|
module Keystore
|
@@ -68,21 +68,21 @@ module SymmetricEncryption
|
|
68
68
|
end
|
69
69
|
|
70
70
|
def project_id
|
71
|
-
@project_id ||= ENV[
|
72
|
-
raise
|
71
|
+
@project_id ||= ENV["GOOGLE_CLOUD_PROJECT"]
|
72
|
+
raise "GOOGLE_CLOUD_PROJECT must be set" if @project_id.nil?
|
73
73
|
|
74
74
|
@project_id
|
75
75
|
end
|
76
76
|
|
77
77
|
def credentials
|
78
|
-
@credentials ||= ENV[
|
79
|
-
raise
|
78
|
+
@credentials ||= ENV["GOOGLE_CLOUD_KEYFILE"]
|
79
|
+
raise "GOOGLE_CLOUD_KEYFILE must be set" if @credentials.nil?
|
80
80
|
|
81
81
|
@credentials
|
82
82
|
end
|
83
83
|
|
84
84
|
def location_id
|
85
|
-
@location_id ||= ENV[
|
85
|
+
@location_id ||= ENV["GOOGLE_CLOUD_LOCATION"] || "global"
|
86
86
|
end
|
87
87
|
end
|
88
88
|
end
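Review bot: The `project_id` and `credentials` hunks raise bare `RuntimeError`s (`raise "GOOGLE_CLOUD_PROJECT must be set"`) where the AWS keystore in this same release raises `SymmetricEncryption::ConfigError` for an equivalent misconfiguration, so callers rescuing the library's error class will miss these. `raise(SymmetricEncryption::ConfigError, "GOOGLE_CLOUD_PROJECT must be set") if @project_id.nil?`, and the same for `GOOGLE_CLOUD_KEYFILE`, keeps the two keystores consistent. `GOOGLE_CLOUD_KEYFILE` appears to be a path to a service-account key file; if so, a one-line existence check (and, as the file keystore now does, a permission check) would give a clearer failure than whatever the KMS client raises later.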
|
@@ -15,7 +15,7 @@ module SymmetricEncryption
|
|
15
15
|
puts "\n\n********************************************************************************"
|
16
16
|
puts "Add the environment key to Heroku:\n\n"
|
17
17
|
puts " heroku config:add #{key_env_var}=#{encoder.encode(encrypted_key)}"
|
18
|
-
puts
|
18
|
+
puts "********************************************************************************"
|
19
19
|
end
|
20
20
|
end
|
21
21
|
end
|
@@ -15,7 +15,7 @@ module SymmetricEncryption
|
|
15
15
|
def self.generate_data_key(cipher_name:, app_name:, environment:, version: 0, dek: nil, **_args)
|
16
16
|
version >= 255 ? (version = 1) : (version += 1)
|
17
17
|
|
18
|
-
kek
|
18
|
+
kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
19
19
|
dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)
|
20
20
|
|
21
21
|
encrypted_key = new(key_encrypting_key: kek).write(dek.key)
|
@@ -29,19 +29,19 @@ module SymmetricEncryption #:nodoc:
|
|
29
29
|
config.before_configuration do
|
30
30
|
# Check if already configured
|
31
31
|
unless ::SymmetricEncryption.cipher?
|
32
|
-
parent_method = Module.method_defined?(:module_parent) ?
|
33
|
-
app_name
|
34
|
-
env_var
|
35
|
-
config_file
|
32
|
+
parent_method = Module.method_defined?(:module_parent) ? "module_parent" : "parent"
|
33
|
+
app_name = Rails::Application.subclasses.first.send(parent_method).to_s.underscore
|
34
|
+
env_var = ENV["SYMMETRIC_ENCRYPTION_CONFIG"]
|
35
|
+
config_file =
|
36
36
|
if env_var
|
37
37
|
Pathname.new(File.expand_path(env_var))
|
38
38
|
else
|
39
|
-
Rails.root.join(
|
39
|
+
Rails.root.join("config", "symmetric-encryption.yml")
|
40
40
|
end
|
41
41
|
|
42
42
|
if config_file.file?
|
43
43
|
begin
|
44
|
-
::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV[
|
44
|
+
::SymmetricEncryption::Config.load!(file_name: config_file, env: ENV["SYMMETRIC_ENCRYPTION_ENV"] || Rails.env)
|
45
45
|
rescue ArgumentError => e
|
46
46
|
puts "\nSymmetric Encryption not able to read keys."
|
47
47
|
puts "#{e.class.name} #{e.message}"
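Review bot: The `rescue ArgumentError => e` branch in `before_configuration` reports a key-loading failure with `puts` and, as far as the hunk shows, lets boot continue without a cipher, so a production process whose keys are unreadable would start and only fail when `SymmetricEncryption.cipher` is first used. `Rails.logger` is not available this early, but `warn` writes to stderr, which is what most process supervisors capture, so at minimum the two `puts` calls should become `warn`. Whether the branch re-raises in non-development environments is decided by lines after the hunk, so this may already be handled. The `ENV["SYMMETRIC_ENCRYPTION_CONFIG"]` override is passed through `File.expand_path`, which is fine for an operator-controlled variable but worth a one-line comment saying so.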
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require
|
1
|
+
require "mongoid"
|
2
2
|
# Add :encrypted option for Mongoid models
|
3
3
|
#
|
4
4
|
# Example:
|
@@ -95,8 +95,8 @@ Mongoid::Fields.option :encrypted do |model, field, options|
|
|
95
95
|
|
96
96
|
# Support overriding the name of the decrypted attribute
|
97
97
|
decrypted_field_name = options.delete(:decrypt_as)
|
98
|
-
if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?(
|
99
|
-
decrypted_field_name = encrypted_field_name.to_s[
|
98
|
+
if decrypted_field_name.nil? && encrypted_field_name.to_s.start_with?("encrypted_")
|
99
|
+
decrypted_field_name = encrypted_field_name.to_s["encrypted_".length..-1]
|
100
100
|
end
|
101
101
|
|
102
102
|
if decrypted_field_name.nil?
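Review bot: `decrypted_field_name = encrypted_field_name.to_s["encrypted_".length..-1]` in the `:encrypted` option hunk strips a known prefix by offset arithmetic; since the guard on the line above already requires `start_with?("encrypted_")`, `String#delete_prefix` says the same thing without the index: `decrypted_field_name = encrypted_field_name.to_s.delete_prefix("encrypted_")`. That method needs Ruby 2.5, which I cannot confirm is this gem's floor from the hunk.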
|
@@ -15,6 +15,6 @@ class SymmetricEncryptionValidator < ActiveModel::EachValidator
|
|
15
15
|
def validate_each(record, attribute, value)
|
16
16
|
return if value.blank? || SymmetricEncryption.encrypted?(value)
|
17
17
|
|
18
|
-
record.errors.add(attribute,
|
18
|
+
record.errors.add(attribute, "must be a value encrypted using SymmetricEncryption.encrypt")
|
19
19
|
end
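Review bot: `SymmetricEncryption.encrypted?(value)` as used by `validate_each` only tests that the value starts with the encoded magic header (see the `encrypted?` hunk in symmetric_encryption.rb in this same release), so the validator accepts any string that carries the header, not only values that decrypt. The doc above the method should say so: `# Only checks for the encryption header; it does not attempt to decrypt the value.` If callers rely on this validator to reject tampered ciphertext, a decrypt-based check would be needed instead, at the cost of one decrypt per validation.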
|
20
20
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require
|
1
|
+
require "openssl"
|
2
2
|
|
3
3
|
module SymmetricEncryption
|
4
4
|
# Read from encrypted files and other IO streams
|
@@ -60,7 +60,7 @@ module SymmetricEncryption
|
|
60
60
|
# csv.close if csv
|
61
61
|
# end
|
62
62
|
def self.open(file_name_or_stream, buffer_size: 16_384, **args, &block)
|
63
|
-
ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream,
|
63
|
+
ios = file_name_or_stream.is_a?(String) ? ::File.open(file_name_or_stream, "rb") : file_name_or_stream
|
64
64
|
|
65
65
|
begin
|
66
66
|
file = new(ios, buffer_size: buffer_size, **args)
|
@@ -104,7 +104,7 @@ module SymmetricEncryption
|
|
104
104
|
|
105
105
|
# Returns [true|false] whether the file contains the encryption header
|
106
106
|
def self.header_present?(file_name)
|
107
|
-
::File.open(file_name,
|
107
|
+
::File.open(file_name, "rb") { |file| new(file).header_present? }
|
108
108
|
end
|
109
109
|
|
110
110
|
# After opening a file Returns [true|false] whether the file being
|
@@ -120,9 +120,9 @@ module SymmetricEncryption
|
|
120
120
|
@version = version
|
121
121
|
@header_present = false
|
122
122
|
@closed = false
|
123
|
-
@read_buffer =
|
123
|
+
@read_buffer = "".b
|
124
124
|
|
125
|
-
raise(ArgumentError,
|
125
|
+
raise(ArgumentError, "Buffer size cannot be smaller than 128") unless @buffer_size >= 128
|
126
126
|
|
127
127
|
read_header
|
128
128
|
end
|
@@ -185,10 +185,10 @@ module SymmetricEncryption
|
|
185
185
|
# At end of file, it returns nil if no more data is available, or the last
|
186
186
|
# remaining bytes
|
187
187
|
def read(length = nil, outbuf = nil)
|
188
|
-
data = outbuf.
|
188
|
+
data = outbuf.nil? ? "" : outbuf.clear
|
189
189
|
remaining_length = length
|
190
190
|
|
191
|
-
until remaining_length
|
191
|
+
until remaining_length&.zero? || eof?
|
192
192
|
read_block(remaining_length) if @read_buffer.empty?
|
193
193
|
|
194
194
|
if remaining_length && remaining_length < @read_buffer.length
|
@@ -209,7 +209,7 @@ module SymmetricEncryption
|
|
209
209
|
# Raises EOFError on eof
|
210
210
|
# The stream must be opened for reading or an IOError will be raised.
|
211
211
|
def readline(sep_string = "\n")
|
212
|
-
gets(sep_string) || raise(EOFError,
|
212
|
+
gets(sep_string) || raise(EOFError, "End of file reached when trying to read a line")
|
213
213
|
end
|
214
214
|
|
215
215
|
# Reads a single decrypted line from the file up to and including the optional sep_string.
|
@@ -226,8 +226,8 @@ module SymmetricEncryption
|
|
226
226
|
read_block
|
227
227
|
end
|
228
228
|
index ||= -1
|
229
|
-
data
|
230
|
-
@pos
|
229
|
+
data = @read_buffer.slice!(0..index)
|
230
|
+
@pos += data.length
|
231
231
|
return nil if data.empty? && eof?
|
232
232
|
|
233
233
|
data
|
@@ -310,7 +310,7 @@ module SymmetricEncryption
|
|
310
310
|
@pos = 0
|
311
311
|
|
312
312
|
# Read first block and check for the header
|
313
|
-
buf = @ios.read(@buffer_size, @output_buffer ||=
|
313
|
+
buf = @ios.read(@buffer_size, @output_buffer ||= "".b)
|
314
314
|
|
315
315
|
# Use cipher specified in header, or global cipher if it has no header
|
316
316
|
iv, key, cipher_name, cipher = nil
|
@@ -340,7 +340,7 @@ module SymmetricEncryption
|
|
340
340
|
|
341
341
|
# Read a block of data and append the decrypted data in the read buffer
|
342
342
|
def read_block(length = nil)
|
343
|
-
buf = @ios.read(length || @buffer_size, @output_buffer ||=
|
343
|
+
buf = @ios.read(length || @buffer_size, @output_buffer ||= "".b)
|
344
344
|
decrypt(buf)
|
345
345
|
end
|
346
346
|
|
@@ -356,7 +356,7 @@ module SymmetricEncryption
|
|
356
356
|
def decrypt(buf)
|
357
357
|
return if buf.nil? || buf.empty?
|
358
358
|
|
359
|
-
@read_buffer << @stream_cipher.update(buf, @cipher_buffer ||=
|
359
|
+
@read_buffer << @stream_cipher.update(buf, @cipher_buffer ||= "".b)
|
360
360
|
@read_buffer << @stream_cipher.final if @ios.eof?
|
361
361
|
end
|
362
362
|
end
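Review bot: `data = outbuf.nil? ? "" : outbuf.clear` in the `read` hunk is the one accumulator in this file that is a plain `""` rather than the `"".b` used for `@read_buffer`, `@output_buffer` and `@cipher_buffer` in the other hunks; the bytes appended to it come from the cipher and are binary, and a literal `""` also becomes frozen if a `# frozen_string_literal: true` magic comment is ever added. `data = outbuf.nil? ? "".b : outbuf.clear` keeps the four consistent. Separately, `decrypt` finalises with `@stream_cipher.final` and nothing in this file authenticates the stream, so a corrupted or tampered file is only noticed if the padding happens to be invalid; that is a property of the CBC design described in symmetric_encryption.rb rather than of this change, but it deserves a sentence in the class comment.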
|
@@ -1,8 +1,8 @@
|
|
1
|
-
require
|
2
|
-
require
|
3
|
-
require
|
4
|
-
require
|
5
|
-
require
|
1
|
+
require "base64"
|
2
|
+
require "openssl"
|
3
|
+
require "zlib"
|
4
|
+
require "yaml"
|
5
|
+
require "erb"
|
6
6
|
|
7
7
|
# Encrypt using 256 Bit AES CBC symmetric key and initialization vector
|
8
8
|
# The symmetric key is protected using the private key below and must
|
@@ -32,7 +32,9 @@ module SymmetricEncryption
|
|
32
32
|
# cipher: 'aes-128-cbc'
|
33
33
|
# )
|
34
34
|
def self.cipher=(cipher)
|
35
|
-
|
35
|
+
unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
|
36
|
+
raise(ArgumentError, "Cipher must respond to :encrypt and :decrypt")
|
37
|
+
end
|
36
38
|
|
37
39
|
@cipher = cipher
|
38
40
|
end
|
@@ -45,7 +47,7 @@ module SymmetricEncryption
|
|
45
47
|
unless cipher?
|
46
48
|
raise(
|
47
49
|
SymmetricEncryption::ConfigError,
|
48
|
-
|
50
|
+
"Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data"
|
49
51
|
)
|
50
52
|
end
|
51
53
|
|
@@ -61,10 +63,12 @@ module SymmetricEncryption
|
|
61
63
|
|
62
64
|
# Set the Secondary Symmetric Ciphers Array to be used
|
63
65
|
def self.secondary_ciphers=(secondary_ciphers)
|
64
|
-
raise(ArgumentError,
|
66
|
+
raise(ArgumentError, "secondary_ciphers must be a collection") unless secondary_ciphers.respond_to? :each
|
65
67
|
|
66
68
|
secondary_ciphers.each do |cipher|
|
67
|
-
|
69
|
+
unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt)
|
70
|
+
raise(ArgumentError, "secondary_ciphers can only consist of SymmetricEncryption::Ciphers")
|
71
|
+
end
|
68
72
|
end
|
69
73
|
@secondary_ciphers = secondary_ciphers
|
70
74
|
end
|
@@ -121,7 +125,7 @@ module SymmetricEncryption
|
|
121
125
|
# the incorrect key. Clearly the data returned is garbage, but it still
|
122
126
|
# successfully returns a string of data
|
123
127
|
def self.decrypt(encrypted_and_encoded_string, version: nil, type: :string)
|
124
|
-
return encrypted_and_encoded_string if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string ==
|
128
|
+
return encrypted_and_encoded_string if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == "")
|
125
129
|
|
126
130
|
str = encrypted_and_encoded_string.to_s
|
127
131
|
|
@@ -150,14 +154,16 @@ module SymmetricEncryption
|
|
150
154
|
end
|
151
155
|
|
152
156
|
# Try to force result to UTF-8 encoding, but if it is not valid, force it back to Binary
|
153
|
-
|
157
|
+
unless decrypted.force_encoding(SymmetricEncryption::UTF8_ENCODING).valid_encoding?
|
158
|
+
decrypted.force_encoding(SymmetricEncryption::BINARY_ENCODING)
|
159
|
+
end
|
154
160
|
Coerce.coerce_from_string(decrypted, type)
|
155
161
|
end
|
156
162
|
|
157
163
|
# Returns the header for the encrypted string
|
158
164
|
# Returns [nil] if no header is present
|
159
165
|
def self.header(encrypted_and_encoded_string)
|
160
|
-
return if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string ==
|
166
|
+
return if encrypted_and_encoded_string.nil? || (encrypted_and_encoded_string == "")
|
161
167
|
|
162
168
|
# Decode before decrypting supplied string
|
163
169
|
decoded = cipher.encoder.decode(encrypted_and_encoded_string.to_s)
|
@@ -212,7 +218,7 @@ module SymmetricEncryption
|
|
212
218
|
# the coercible gem is available in the path.
|
213
219
|
# Default: :string
|
214
220
|
def self.encrypt(str, random_iv: SymmetricEncryption.randomize_iv?, compress: false, type: :string, header: cipher.always_add_header)
|
215
|
-
return str if str.nil? || (str ==
|
221
|
+
return str if str.nil? || (str == "")
|
216
222
|
|
217
223
|
# Encrypt and then encode the supplied string
|
218
224
|
cipher.encrypt(Coerce.coerce_to_string(str, type), random_iv: random_iv, compress: compress, header: header)
|
@@ -241,7 +247,7 @@ module SymmetricEncryption
|
|
241
247
|
# * This method only works reliably when the encrypted data includes the symmetric encryption header.
|
242
248
|
# * nil and '' are considered "encrypted" so that validations do not blow up on empty values.
|
243
249
|
def self.encrypted?(encrypted_data)
|
244
|
-
return false if encrypted_data.nil? || (encrypted_data ==
|
250
|
+
return false if encrypted_data.nil? || (encrypted_data == "")
|
245
251
|
|
246
252
|
@header ||= SymmetricEncryption.cipher.encoded_magic_header
|
247
253
|
encrypted_data.to_s.start_with?(@header)
|
@@ -290,12 +296,12 @@ module SymmetricEncryption
|
|
290
296
|
|
291
297
|
# Generate a Random password
|
292
298
|
def self.random_password(size = 22)
|
293
|
-
require
|
299
|
+
require "securerandom" unless defined?(SecureRandom)
|
294
300
|
SecureRandom.urlsafe_base64(size)
|
295
301
|
end
|
296
302
|
|
297
|
-
BINARY_ENCODING = Encoding.find(
|
298
|
-
UTF8_ENCODING = Encoding.find(
|
303
|
+
BINARY_ENCODING = Encoding.find("binary")
|
304
|
+
UTF8_ENCODING = Encoding.find("UTF-8")
|
299
305
|
|
300
306
|
# Defaults
|
301
307
|
@cipher = nil
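Review bot: `encrypted?` memoises `@header ||= SymmetricEncryption.cipher.encoded_magic_header` at module level, but the `cipher=` hunk, which now validates the incoming cipher, still does not reset it, so after the cipher is replaced (or after a `load!` in a test that swaps encoders) `encrypted?` keeps comparing against the previous encoded header. Adding `@header = nil` next to `@cipher = cipher` in `cipher=` fixes the staleness at the point that causes it. Whether `encoded_magic_header` actually differs between ciphers depends on the encoder, which is outside the hunk, so this may be harmless with the default encoder.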
|
@@ -1,5 +1,5 @@
|
|
1
|
-
require
|
2
|
-
require
|
1
|
+
require "base64"
|
2
|
+
require "aws-sdk-kms"
|
3
3
|
module SymmetricEncryption
|
4
4
|
module Utils
|
5
5
|
# Wrap the AWS KMS client so that it automatically creates the Customer Master Key,
|
@@ -13,8 +13,8 @@ module SymmetricEncryption
|
|
13
13
|
|
14
14
|
# TODO: Map to OpenSSL ciphers
|
15
15
|
AWS_KEY_SPEC_MAP = {
|
16
|
-
|
17
|
-
|
16
|
+
"aes-256-cbc" => "AES_256",
|
17
|
+
"aes-128-cbc" => "AES_128"
|
18
18
|
}.freeze
|
19
19
|
|
20
20
|
# TODO: Move to Keystore::Aws
|
@@ -101,7 +101,7 @@ module SymmetricEncryption
|
|
101
101
|
def whoami
|
102
102
|
@whoami ||= `whoami`.strip
|
103
103
|
rescue StandardError
|
104
|
-
@whoami =
|
104
|
+
@whoami = "unknown"
|
105
105
|
end
|
106
106
|
|
107
107
|
# Creates a new Customer Master Key for Symmetric Encryption use.
|
@@ -109,10 +109,10 @@ module SymmetricEncryption
|
|
109
109
|
# TODO: Add error handling and retry
|
110
110
|
|
111
111
|
resp = client.create_key(
|
112
|
-
description:
|
112
|
+
description: "Symmetric Encryption for Ruby Customer Masker Key",
|
113
113
|
tags: [
|
114
|
-
{tag_key:
|
115
|
-
{tag_key:
|
114
|
+
{tag_key: "CreatedAt", tag_value: Time.now.to_s},
|
115
|
+
{tag_key: "CreatedBy", tag_value: whoami}
|
116
116
|
]
|
117
117
|
)
|
118
118
|
resp.key_metadata.key_id
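Review bot: The CMK description in the `create_key` hunk reads `"Symmetric Encryption for Ruby Customer Masker Key"`; since it is persisted on the KMS key and shown in the console, it should be `"Symmetric Encryption for Ruby Customer Master Key"`. The `CreatedBy` tag comes from `whoami`, which shells out with backticks and falls back to `"unknown"` on any StandardError; `Etc.getlogin || Process.uid.to_s` (with `require "etc"`) gives the same information without spawning a process. `create_key` is also called without a `policy:`, so the key receives the account's default key policy; if that is intended, a comment saying so would save the next reader from wondering.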
|