symmetric-encryption 1.0.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ce8b40ac71f3b255ea4947fe3a41ba51145b5188
-  data.tar.gz: de4ceb7712388671b92054ed66409e78ddcf21bd
+  metadata.gz: 94fbb4339aaed37c7526621cf7dd768aaae56fb7
+  data.tar.gz: bc40aa329637465ca0747be1efac9a29a9154007
 SHA512:
-  metadata.gz: 83166719c8132a10e4108c6d8e3822b61dc02be4bcd0159a47d44a6f23ebc914b8ab5cf2b979cd7a4fffc413f6d0a1aa0b6e7f211afa2e4031173f72cf2c5ef4
-  data.tar.gz: 1c0917a0a784610aaa517b526374fed613883203bb0d9ff04f56c6182581af415f4b2b73adb81c15948e8a5e2c2ed17d83d5820f9ed47b75498c4863d79c8668
+  metadata.gz: 04f23adcb3fbdf114a28a7460c9e120aa33fbb3d5897b2adf7700b559cf4fa78ae8cebb7b972383816c9a4b1f5202fead4abb5d87e1335cc65cdb6020169e6bc
+  data.tar.gz: bce09dff95ff11023aab38965f02a12f1ae6c49069256c54963b7db8bc5dd0889680c878d4b906b1f603599dbf9431d4239c987004d13ee00c5751420793f444

data/README.md

@@ -12,6 +12,9 @@ in configuration files have to be encrypted
 This Gem helps achieve compliance by supporting encryption of data in a simple
 and consistent way
 
+Symmetric Encryption uses OpenSSL to encrypt and decrypt data, and can therefore
+expose all the encryption algorithms supported by OpenSSL.
+
 ## Security
 
 Many solutions that encrypt data require the encryption keys to be stored in the
@@ -239,6 +242,25 @@ Encrypt a known value, such as a password:
 Note: Passwords must be encrypted in the environment in which they will be used.
   Since each environment should have its own symmetric encryption keys
 
+Encrypt a file
+
+    INFILE="Gemfile.lock" OUTFILE="Gemfile.lock.encrypted" rake symmetric_encryption:encrypt_file
+
+Encrypt and compress a file
+
+    INFILE="Gemfile.lock" OUTFILE="Gemfile.lock.encrypted" COMPRESS=1 rake symmetric_encryption:encrypt_file
+
+Decrypt a file encrypted and optionally compressed using symmetric encryption
+
+    INFILE="Gemfile.lock.encrypted" OUTFILE="Gemfile.lock2" rake symmetric_encryption:decrypt_file
+
+When decrypting a compressed file it is not necessary to specify whether the file was compressed
+since the header embedded in the file will indicate whether it was compressed
+
+The file header also contains a random key and iv used to encrypt the files contents.
+The key and iv is encrypted with the global encryption key being used by the symmetric
+encryption installation.
+
 ## Installation
 
 ### Add to an existing Rails project

data/lib/rails/generators/symmetric_encryption/config/templates/symmetric-encryption.yml

@@ -6,9 +6,9 @@
 # can be placed directly in the source code.
 # And therefore no RSA private key is required
 development: &development_defaults
-  key: 1234567890ABCDEF1234567890ABCDEF
-  iv: 1234567890ABCDEF
-  cipher: aes-128-cbc
+  key:       1234567890ABCDEF1234567890ABCDEF
+  iv:        1234567890ABCDEF
+  cipher:    aes-128-cbc
 
 test:
   <<: *development_defaults
@@ -29,7 +29,8 @@ release:
       iv_filename:  <%= File.join(key_path, "#{app_name}_release.iv") %>
       cipher:       aes-256-cbc
       # Base64 encode encrypted data without newlines
-      encoding:     base64strict
+      encoding:     :base64strict
+      version:      1
 
 production:
   # Since the key to encrypt and decrypt with must NOT be stored along with the
@@ -47,4 +48,5 @@ production:
       iv_filename:  <%= File.join(key_path, "#{app_name}_production.iv") %>
       cipher:       aes-256-cbc
       # Base64 encode encrypted data without newlines
-      encoding:     base64strict
+      encoding:     :base64strict
+      version:      1

data/lib/symmetric_encryption/cipher.rb

@@ -7,7 +7,7 @@ module SymmetricEncryption
   # threads at the same time without needing an instance of Cipher per thread
   class Cipher
     # Cipher to use for encryption and decryption
-    attr_reader :cipher, :version, :version
+    attr_reader :cipher, :version
     attr_accessor :encoding
 
     # Available encodings
@@ -29,6 +29,17 @@ module SymmetricEncryption
       }
     end
 
+    # Returns a new Cipher with a random key and iv
+    #
+    # The cipher and encoding used are from the global encryption cipher
+    #
+    def self.random_cipher(cipher=nil, encoding=nil)
+      global_cipher = SymmetricEncryption.cipher
+      options = random_key_pair(cipher || global_cipher.cipher)
+      options[:encoding] = encoding || global_cipher.encoding
+      new(options)
+    end
+
     # Create a Symmetric::Key for encryption and decryption purposes
     #
     # Parameters:
@@ -61,11 +72,13 @@ module SymmetricEncryption
     #   :version [Fixnum]
     #     Optional. The version number of this encryption key
     #     Used by SymmetricEncryption to select the correct key when decrypting data
+    #     Maximum value: 255
     def initialize(parms={})
       raise "Missing mandatory parameter :key" unless @key = parms[:key]
       @iv = parms[:iv]
       @cipher = parms[:cipher] || 'aes-256-cbc'
       @version = parms[:version]
+      raise "Cipher version has a maximum of 255. #{@version} is too high" if @version.to_i > 255
       @encoding = (parms[:encoding] || :base64).to_sym
 
       raise("Invalid Encoding: #{@encoding}") unless ENCODINGS.include?(@encoding)
@@ -80,9 +93,9 @@ module SymmetricEncryption
     if defined?(Encoding)
       def encrypt(str, encode = true)
         return if str.nil?
-        buf = str.to_s.encode(SymmetricEncryption::UTF8_ENCODING)
-        return str if buf.empty?
-        encrypted = crypt(:encrypt, buf)
+        str = str.to_s  #.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+        return str if str.empty?
+        encrypted = crypt(:encrypt, str)
         encode ? self.encode(encrypted) : encrypted
       end
     else
@@ -107,18 +120,25 @@ module SymmetricEncryption
         decoded = self.decode(str) if decode
         return unless decoded
 
-        buf = decoded.to_s.force_encoding(SymmetricEncryption::BINARY_ENCODING)
-        return decoded if buf.empty?
-        crypt(:decrypt, buf).force_encoding(SymmetricEncryption::UTF8_ENCODING)
+        return decoded if decoded.empty?
+        crypt(:decrypt, decoded).force_encoding(SymmetricEncryption::UTF8_ENCODING)
+      end
+
+      # Returns a binary decrypted string
+      def decrypt_binary(str, decode = true)
+        decoded = self.decode(str) if decode
+        return unless decoded
+
+        return decoded if decoded.empty?
+        crypt(:decrypt, decoded).force_encoding(SymmetricEncryption::BINARY_ENCODING)
       end
     else
       def decrypt(str, decode = true)
         decoded = self.decode(str) if decode
         return unless decoded
 
-        buf = decoded.to_s
-        return decoded if buf.empty?
-        crypt(:decrypt, buf)
+        return decoded if decoded.empty?
+        crypt(:decrypt, decoded)
       end
     end
 
@@ -133,20 +153,24 @@ module SymmetricEncryption
       ::OpenSSL::Cipher::Cipher.new(@cipher).block_size
     end
 
+    # Returns UTF8 encoded string after encoding the supplied Binary string
+    #
     # Encode the supplied string using the encoding in this cipher instance
     # Returns nil if the supplied string is nil
     # Note: No encryption or decryption is performed
+    #
+    # Returned string is UTF8 encoded except for encoding :none
     def encode(binary_string)
       return unless binary_string
 
       # Now encode data based on encoding setting
       case encoding
       when :base64
-        ::Base64.encode64(binary_string)
+        ::Base64.encode64(binary_string).force_encoding(SymmetricEncryption::UTF8_ENCODING)
       when :base64strict
-        ::Base64.encode64(binary_string).gsub(/\n/, '')
+        ::Base64.encode64(binary_string).gsub(/\n/, '').force_encoding(SymmetricEncryption::UTF8_ENCODING)
       when :base16
-        binary_string.to_s.unpack('H*').first
+        binary_string.to_s.unpack('H*').first.force_encoding(SymmetricEncryption::UTF8_ENCODING)
       else
         binary_string
       end
@@ -154,19 +178,139 @@ module SymmetricEncryption
 
     # Decode the supplied string using the encoding in this cipher instance
     # Note: No encryption or decryption is performed
+    #
+    # Returned string is Binary encoded
     def decode(encoded_string)
       return unless encoded_string
 
       case encoding
       when :base64, :base64strict
-        ::Base64.decode64(encoded_string)
+        ::Base64.decode64(encoded_string).force_encoding(SymmetricEncryption::BINARY_ENCODING)
       when :base16
-        [encoded_string].pack('H*')
+        [encoded_string].pack('H*').force_encoding(SymmetricEncryption::BINARY_ENCODING)
       else
         encoded_string
       end
     end
 
+    # Returns an Array with the first element being Symmetric Cipher that must
+    # be used to decrypt the data. The second element indicates whether the data
+    # must be decompressed after decryption
+    #
+    # If the buffer does not start with the Magic Header the global cipher will
+    # be returned
+    #
+    # The supplied buffer will be updated directly and will have the header
+    # portion removed
+    #
+    # Parameters
+    #   buffer
+    #     String to extract the header from if present
+    #
+    #   default_version
+    #     If no header is present, this is the default value for the version
+    #     of the cipher to use
+    #
+    #   default_compressed
+    #     If no header is present, this is the default value for the compression
+    def self.parse_magic_header!(buffer, default_version=nil, default_compressed=false)
+      buffer.force_encoding(SymmetricEncryption::BINARY_ENCODING)
+      return [SymmetricEncryption.cipher(default_version), default_compressed] unless buffer.start_with?(MAGIC_HEADER)
+
+      # Header includes magic header and version byte
+      # Remove header and extract flags
+      header, flags = buffer.slice!(0..MAGIC_HEADER_SIZE+1).unpack(MAGIC_HEADER_UNPACK)
+      compressed    = (flags & 0b1000_0000_0000_0000) != 0
+      include_iv    = (flags & 0b0100_0000_0000_0000) != 0
+      include_key   = (flags & 0b0010_0000_0000_0000) != 0
+      include_cipher= (flags & 0b0001_0000_0000_0000) != 0
+      version       = flags & 0b0000_0000_1111_1111
+      decryption_cipher = SymmetricEncryption.cipher(version)
+      raise "Cipher with version:#{version.inspect} not found in any of the configured SymmetricEncryption ciphers" unless decryption_cipher
+      iv, key, cipher   = nil
+
+      if include_iv
+        len = buffer.slice!(0..1).unpack('v').first
+        iv  = buffer.slice!(0..len-1)
+      end
+      if include_key
+        len = buffer.slice!(0..1).unpack('v').first
+        key = decryption_cipher.send(:crypt, :decrypt, buffer.slice!(0..len-1))
+      end
+      if include_cipher
+        len    = buffer.slice!(0..1).unpack('v').first
+        cipher = buffer.slice!(0..len-1)
+      end
+
+      if iv || key || cipher
+        decryption_cipher = SymmetricEncryption::Cipher.new(
+          :iv     => iv,
+          :key    => key || decryption_cipher.key,
+          :cipher => cipher || decryption_cipher.cipher
+        )
+      end
+
+      [decryption_cipher, compressed]
+    end
+
+    # Returns a magic header for this cipher instance that can be placed at
+    # the beginning of a file or stream to indicate how the data was encrypted
+    #
+    # Parameters
+    #   compressed
+    #     Sets the compressed indicator in the header
+    #
+    #   include_iv
+    #     Includes the encrypted Initialization Vector from this cipher if present
+    #     The IV is encrypted using the global encryption key
+    #
+    #   include_key
+    #     Includes the encrypted Key in this cipher
+    #     The key is encrypted using the global encryption key
+    #
+    #   include_cipher
+    #     Includes the cipher used. For example 'aes-256-cbc'
+    #
+    #  encryption_cipher
+    #    Encryption cipher to use when encrypting the iv and key.
+    #    When supplied, the version is set to it's version so that decryption
+    #    knows which cipher to use
+    #    Default: Global cipher: SymmetricEncryption.cipher
+    def magic_header(compressed=false, include_iv=false, include_key=false, include_cipher=false, encryption_cipher=nil)
+      # Ruby V2 named parameters would be perfect here
+
+      # Encryption version indicator if available
+      flags = version || 0 # Same as 0b0000_0000_0000_0000
+
+      # Replace version with cipher used to encrypt Random IV and Key
+      if include_iv || include_key
+        encryption_cipher ||= SymmetricEncryption.cipher
+        flags = (encryption_cipher.version || 0)
+      end
+
+      # If the data is to be compressed before being encrypted, set the
+      # compressed bit in the flags word
+      flags |= 0b1000_0000_0000_0000 if compressed
+      flags |= 0b0100_0000_0000_0000 if @iv && include_iv
+      flags |= 0b0010_0000_0000_0000 if include_key
+      flags |= 0b0001_0000_0000_0000 if include_cipher
+      header = "#{MAGIC_HEADER}#{[flags].pack('v')}".force_encoding(SymmetricEncryption::BINARY_ENCODING)
+      if @iv && include_iv
+        header << [@iv.length].pack('v')
+        header << @iv
+      end
+      if include_key
+        encrypted = encryption_cipher.crypt(:encrypt, @key).force_encoding(SymmetricEncryption::BINARY_ENCODING)
+        header << [encrypted.length].pack('v').force_encoding(SymmetricEncryption::BINARY_ENCODING)
+        header << encrypted
+      end
+      if include_cipher
+        header << [cipher.length].pack('v')
+        header << cipher
+      end
+      header
+    end
+
     protected
 
     # Only for use by Symmetric::EncryptedStream
@@ -188,8 +332,12 @@ module SymmetricEncryption
       openssl_cipher.iv = @iv if @iv
       result = openssl_cipher.update(string)
       result << openssl_cipher.final
+      result.force_encoding(SymmetricEncryption::BINARY_ENCODING)
     end
 
-  end
+    private
 
+    attr_reader :key, :iv
+
+  end
 end

data/lib/symmetric_encryption/railties/symmetric_encryption.rake

@@ -30,4 +30,51 @@ namespace :symmetric_encryption do
     puts "Encrypted: #{SymmetricEncryption.encrypt(p)}\n\n"
   end
 
+  desc 'Decrypt a file. Example: INFILE="encrypted_filename" OUTFILE="filename" rake symmetric_encryption:decrypt_file'
+  task :decrypt_file => :environment do
+    input_filename  = ENV['INFILE']
+    output_filename = ENV['OUTFILE']
+    block_size      = ENV['BLOCKSIZE'] || 65535
+
+    if input_filename && output_filename
+      puts "\nDecrypting file: #{input_filename} and writing to: #{output_filename}\n\n"
+      ::File.open(output_filename, 'wb') do |output_file|
+        SymmetricEncryption::Reader.open(input_filename) do |input_file|
+          while !input_file.eof?
+            output_file.write(input_file.read(block_size))
+          end
+        end
+      end
+      puts "\n#{output_filename} now contains the decrypted contents of #{input_filename}\n\n"
+    else
+      puts "Missing input and/or output filename. Usage:"
+      puts '  INFILE="encrypted_filename" OUTFILE="filename" rake symmetric_encryption:decrypt_file'
+    end
+  end
+
+  desc 'Encrypt a file. Example: INFILE="filename" OUTFILE="encrypted_filename" rake symmetric_encryption:encrypt_file'
+  task :encrypt_file => :environment do
+    input_filename  = ENV['INFILE']
+    output_filename = ENV['OUTFILE']
+    compress        = (ENV['COMPRESS'] != nil)
+    block_size      = ENV['BLOCKSIZE'] || 65535
+
+    if input_filename && output_filename
+      puts "\nEncrypting file: #{input_filename} and writing to: #{output_filename}\n\n"
+      ::File.open(input_filename, 'rb') do |input_file|
+        SymmetricEncryption::Writer.open(output_filename, :compress => compress) do |output_file|
+          while !input_file.eof?
+            output_file.write(input_file.read(block_size))
+          end
+        end
+      end
+      puts "\n#{output_filename} now contains the encrypted #{"and compressed " if compress}contents of #{input_filename}\n\n"
+    else
+      puts "Missing input and/or output filename. Usage:"
+      puts '  INFILE="filename" OUTFILE="encrypted_filename" rake symmetric_encryption:encrypt_file'
+      puts "To compress the file before encrypting:"
+      puts '  COMPRESS=1 INFILE="filename" OUTFILE="encrypted_filename" rake symmetric_encryption:encrypt_file'
+    end
+  end
+
 end

data/lib/symmetric_encryption/reader.rb

@@ -14,6 +14,17 @@ module SymmetricEncryption
     #     avoid having the stream closed automatically
     #
     #   options:
+    #     :mode
+    #          See File.open for open modes
+    #          Default: 'rb'
+    #
+    #     :buffer_size
+    #          Amount of data to read at a time
+    #          The buffer size must be at least large enough to hold the entire
+    #          magic header if one is present
+    #          Default: 4096
+    #
+    #   The following options are only used if the stream/file has no header
     #     :compress [true|false]
     #          Uses Zlib to decompress the data after it is decrypted
     #          Note: This option is only used if the file does not have a header
@@ -25,14 +36,6 @@ module SymmetricEncryption
     #          file/stream does not include a header at the beginning
     #          Default: Current primary key
     #
-    #     :mode
-    #          See File.open for open modes
-    #          Default: 'r'
-    #
-    #     :buffer_size
-    #          Amount of data to read at a time
-    #          Default: 4096
-    #
     # Note: Decryption occurs before decompression
     #
     # # Example: Read and decrypt a line at a time from a file
@@ -74,9 +77,9 @@ module SymmetricEncryption
     # end
     def self.open(filename_or_stream, options={}, &block)
       raise "options must be a hash" unless options.respond_to?(:each_pair)
-      mode = options.fetch(:mode, 'rb')
+      mode     = options.fetch(:mode, 'rb')
       compress = options.fetch(:compress, false)
-      ios = filename_or_stream.is_a?(String) ? ::File.open(filename_or_stream, mode) : filename_or_stream
+      ios      = filename_or_stream.is_a?(String) ? ::File.open(filename_or_stream, mode) : filename_or_stream
 
       begin
         file = self.new(ios, options)
@@ -91,7 +94,7 @@ module SymmetricEncryption
     def initialize(ios,options={})
       @ios         = ios
       @buffer_size = options.fetch(:buffer_size, 4096).to_i
-      @version = options[:version]
+      @version     = options[:version]
       read_header
     end
 
@@ -288,17 +291,13 @@ module SymmetricEncryption
 
       # Read first block and check for the header
       buf = @ios.read(@buffer_size)
-      if buf.start_with?(MAGIC_HEADER)
-        # Header includes magic header and version byte
-        # Remove header and extract flags
-        header, flags = buf.slice!(0..MAGIC_HEADER_SIZE+1).unpack(MAGIC_HEADER_UNPACK)
-        @compressed = (flags & 0b1000_0000_0000_0000) != 0
-        @version = @compressed ? flags - 0b1000_0000_0000_0000 : flags
-      end
 
-      # Use primary cipher by default, but allow a secondary cipher to be selected for encryption
-      @cipher = SymmetricEncryption.cipher(@version)
-      raise "Cipher with version:#{@version.inspect} not found in any of the configured SymmetricEncryption ciphers" unless @cipher
+      # Use cipher specified in header, or global cipher if it has no header
+      @cipher, @compressed = SymmetricEncryption::Cipher.parse_magic_header!(buf, @version)
+
+      # Use supplied version if cipher could not be detected due to missing header
+      @cipher ||= SymmetricEncryption.cipher(@version)
+
       @stream_cipher = @cipher.send(:openssl_cipher, :decrypt)
 
       # First call to #update should return an empty string anyway

data/lib/symmetric_encryption/symmetric_encryption.rb

@@ -22,17 +22,18 @@ module SymmetricEncryption
   #     :cipher => 'aes-128-cbc'
   #   )
   def self.cipher=(cipher)
-    raise "Cipher must be similar to SymmetricEncryption::Ciphers" unless cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt)
+    raise "Cipher must be similar to SymmetricEncryption::Ciphers" unless cipher.nil? || (cipher.respond_to?(:encrypt) && cipher.respond_to?(:decrypt))
     @@cipher = cipher
   end
 
   # Returns the Primary Symmetric Cipher being used
-  # If a version is supplied, then the cipher matching that version will be
-  # returned or nil if no match was found
-  def self.cipher(version = 0)
+  # If a version is supplied
+  #   Returns the primary cipher if no match was found and version == 0
+  #   Returns nil if no match was found and version != 0
+  def self.cipher(version = nil)
     raise "Call SymmetricEncryption.load! or SymmetricEncryption.cipher= prior to encrypting or decrypting data" unless @@cipher
-    return @@cipher if version.nil? || (version == 0) || (@@cipher.version == version)
-    secondary_ciphers.find {|c| c.version == version}
+    return @@cipher if version.nil? || (@@cipher.version == version)
+    secondary_ciphers.find {|c| c.version == version} || (@@cipher if version == 0)
   end
 
   # Set the Secondary Symmetric Ciphers Array to be used
@@ -227,7 +228,8 @@ module SymmetricEncryption
           :cipher       => cipher_cfg['cipher'] || default_cipher,
           :key_filename => key_filename,
           :iv_filename  => iv_filename,
-          :encoding     => cipher_cfg['encoding']
+          :encoding     => cipher_cfg['encoding'],
+          :version      => cipher_cfg['version']
         }
       end
 
@@ -287,7 +289,8 @@ module SymmetricEncryption
       :key      => rsa.private_decrypt(encrypted_key),
       :iv       => iv,
       :cipher   => cipher_conf[:cipher],
-      :encoding => cipher_conf[:encoding]
+      :encoding => cipher_conf[:encoding],
+      :version  => cipher_conf[:version]
     )
   end
 

data/lib/symmetric_encryption/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SymmetricEncryption #:nodoc
-  VERSION = "1.0.0"
+  VERSION = "1.1.1"
 end

data/lib/symmetric_encryption/writer.rb

@@ -20,8 +20,20 @@ module SymmetricEncryption
     #     :compress [true|false]
     #          Uses Zlib to compress the data before it is encrypted and
     #          written to the file
+    #          If true, it forces header to true.
     #          Default: false
     #
+    #     :random_key [true|false]
+    #          Generates a new random key and iv for every new file or stream
+    #          If true, it forces header to true. Version below then has no effect
+    #          The Random key and iv will be written to the file/stream in encrypted
+    #          form as part of the header
+    #          The key and iv are both encrypted using the global key
+    #          Default: true
+    #          Recommended: true. Setting to false will eventually expose the
+    #            encryption key since too much data will be encrypted using the
+    #            same encryption key
+    #
     #     :header [true|false]
     #          Whether to include the magic header that indicates the file
     #          is encrypted and whether its contents are compressed
@@ -32,7 +44,11 @@ module SymmetricEncryption
     #          Default: true
     #
     #     :version
-    #          Version of the encryption key to use when encrypting
+    #          When random_key is true, the version of the encryption key to use
+    #          when encrypting the header portion of the file
+    #
+    #          When random_key is false, the version of the encryption key to use
+    #          to encrypt the entire file
     #          Default: Current primary key
     #
     #     :mode
@@ -81,18 +97,22 @@ module SymmetricEncryption
 
     # Encrypt data before writing to the supplied stream
     def initialize(ios,options={})
-      @ios      = ios
-      header    = options.fetch(:header, true)
+      @ios       = ios
+      header     = options.fetch(:header, true)
       # Compress is only used at this point for setting the flag in the header
-      @compress = options.fetch(:compress, false)
+      random_key = options.fetch(:random_key, true)
+      compress   = options.fetch(:compress, false)
+      # Force header if compressed or using random iv, key pair
+      header     = true if compress || random_key
 
-      # Use primary cipher by default, but allow a secondary cipher to be selected for encryption
-      @cipher   = SymmetricEncryption.cipher(options[:version])
+      # Create random cipher or use global primary cipher
+      @cipher = random_key ? SymmetricEncryption::Cipher.random_cipher : SymmetricEncryption.cipher(options[:version])
       raise "Cipher with version:#{options[:version]} not found in any of the configured SymmetricEncryption ciphers" unless @cipher
 
       @stream_cipher = @cipher.send(:openssl_cipher, :encrypt)
 
-      write_header if header
+      # Write the Encryption header including the random iv, key, and cipher
+      @ios.write(@cipher.magic_header(compress, random_key, random_key, random_key)) if header
     end
 
     # Close the IO Stream
@@ -139,19 +159,5 @@ module SymmetricEncryption
       @ios.flush
     end
 
-    private
-
-    # Write the Encryption header if this is the first write
-    def write_header
-      # Include Header and encryption version indicator
-      flags  = @cipher.version || 0 # Same as 0b0000_0000_0000_0000
-
-      # If the data is to be compressed before being encrypted, set the
-      # compressed bit in the version byte
-      flags |= 0b1000_0000_0000_0000 if @compress
-
-      @ios.write "#{MAGIC_HEADER}#{[flags].pack('v')}"
-    end
-
   end
 end

data/nbproject/private/private.xml

@@ -5,13 +5,13 @@
             <url>lib/symmetric/encryption.rb</url>
             <line>62</line>
         </file>
-        <file>
-            <url>lib/symmetric_encryption/symmetric_encryption.rb</url>
-            <line>75</line>
-        </file>
         <file>
             <url>lib/symmetric_encryption/encryption.rb</url>
             <line>60</line>
         </file>
+        <file>
+            <url>lib/symmetric_encryption/symmetric_encryption.rb</url>
+            <line>76</line>
+        </file>
     </editor-bookmarks>
 </project-private>

data/nbproject/private/rake-d.txt

@@ -1,4 +1,4 @@
-clean=
-clobber=
-gem=
-test=
+clean=Remove any temporary products.
+clobber=Remove any generated file.
+gem=Build gem
+test=Run Test Suite

data/test/cipher_test.rb

@@ -6,6 +6,9 @@ require 'test/unit'
 require 'shoulda'
 require 'symmetric_encryption'
 
+# Load Symmetric Encryption keys
+SymmetricEncryption.load!(File.join(File.dirname(__FILE__), 'config', 'symmetric-encryption.yml'), 'test')
+
 # Unit Test for SymmetricEncryption::Cipher
 #
 class CipherTest < Test::Unit::TestCase
@@ -90,5 +93,22 @@ class CipherTest < Test::Unit::TestCase
       end
     end
 
+    context "magic header" do
+
+      should "create and parse magic header" do
+        random_cipher = SymmetricEncryption::Cipher.random_cipher
+        header = random_cipher.magic_header(compressed=true, include_iv=true, include_key=true, include_cipher=true)
+        cipher, compressed = SymmetricEncryption::Cipher.parse_magic_header!(header)
+        assert_equal true, compressed
+        assert_equal random_cipher.cipher, cipher.cipher, "Ciphers differ"
+        assert_equal random_cipher.send(:key), cipher.send(:key), "Keys differ"
+        assert_equal random_cipher.send(:iv), cipher.send(:iv), "IVs differ"
+
+        string = "Hellow World"
+        # Test Encryption
+        assert_equal random_cipher.encrypt(string, false), cipher.encrypt(string, false), "Encrypted values differ"
+      end
+    end
+
   end
 end

data/test/config/symmetric-encryption.yml

@@ -41,6 +41,7 @@ test:
       cipher:       aes-128-cbc
       # Base64 encode encrypted data without newlines
       encoding:     base64strict
+      version:      1
 
     # Previous Symmetric Encryption Key
     - key_filename: /Users/rmorrison/Sandbox/symmetric-encryption/test/config/test_secondary_1.key
@@ -48,4 +49,5 @@ test:
       cipher:       aes-128-cbc
       # Base64 encode encrypted data without newlines
       encoding:     base64
+      version:      0
 

data/test/reader_test.rb

@@ -13,7 +13,7 @@ SymmetricEncryption.load!(File.join(File.dirname(__FILE__), 'config', 'symmetric
 # Unit Test for SymmetricEncrypted::ReaderStream
 #
 class ReaderTest < Test::Unit::TestCase
-  context 'Reader' do
+  context SymmetricEncryption::Reader do
     setup do
       @data = [
         "Hello World\n",
@@ -70,7 +70,7 @@ class ReaderTest < Test::Unit::TestCase
 
     context "reading from file" do
       # With and without header
-      [{:header => false}, {:compress => false}, {:compress => true}].each_with_index do |options, i|
+      [{:header => false, :version => 1}, {:header => false, :random_key => false, :version => 1},  {:compress => false}, {:compress => true}, {:random_key => false}].each_with_index do |options, i|
         context "with#{'out' unless options[:header]} header #{i}" do
           setup do
             @filename = '._test'
@@ -112,5 +112,70 @@ class ReaderTest < Test::Unit::TestCase
       end
 
     end
+
+    context "reading from files with previous keys" do
+      setup do
+        @filename = '._test'
+        # Create encrypted file with old encryption key
+        SymmetricEncryption::Writer.open(@filename, :version => 0) do |file|
+          @data.inject(0) {|sum,str| sum + file.write(str)}
+        end
+      end
+
+      teardown do
+        File.delete(@filename) if File.exist?(@filename)
+      end
+
+      should "decrypt from file in a single read" do
+        decrypted = SymmetricEncryption::Reader.open(@filename) {|file| file.read}
+        assert_equal @data_str, decrypted
+      end
+
+      should "decrypt from file a line at a time" do
+        decrypted = SymmetricEncryption::Reader.open(@filename) do |file|
+          i = 0
+          file.each_line do |line|
+            assert_equal @data[i], line
+            i += 1
+          end
+        end
+      end
+
+      should "support rewind" do
+        decrypted = SymmetricEncryption::Reader.open(@filename) do |file|
+          file.read
+          file.rewind
+          file.read
+        end
+        assert_equal @data_str, decrypted
+      end
+    end
+
+    context "reading from files with previous keys without a header" do
+      setup do
+        @filename = '._test'
+        # Create encrypted file with old encryption key
+        SymmetricEncryption::Writer.open(@filename, :version => 0, :header => false, :random_key => false) do |file|
+          @data.inject(0) {|sum,str| sum + file.write(str)}
+        end
+      end
+
+      teardown do
+        File.delete(@filename) if File.exist?(@filename)
+      end
+
+      should "decrypt from file in a single read" do
+        decrypted = SymmetricEncryption::Reader.open(@filename, :version => 0) {|file| file.read}
+        assert_equal @data_str, decrypted
+      end
+
+      should "decrypt from file in a single read with different version" do
+        # Should fail since file was encrypted using version 0 key
+        assert_raise OpenSSL::Cipher::CipherError do
+          SymmetricEncryption::Reader.open(@filename, :version => 1) {|file| file.read}
+        end
+      end
+    end
+
   end
-end
+end

data/test/symmetric_encryption_test.rb

@@ -17,10 +17,36 @@ class SymmetricEncryptionTest < Test::Unit::TestCase
     context 'configuration' do
       setup do
         @config = SymmetricEncryption.send(:read_config, File.join(File.dirname(__FILE__), 'config', 'symmetric-encryption.yml'), 'test')
+        assert @cipher_v1 = @config[:ciphers][0]
+        assert @cipher_v0 = @config[:ciphers][1]
       end
 
-      should "match config file" do
-        assert_equal @config[:ciphers][0][:cipher], SymmetricEncryption.cipher.cipher
+      should "match config file for first cipher" do
+        cipher = SymmetricEncryption.cipher
+        assert_equal @cipher_v1[:cipher], cipher.cipher
+        assert_equal @cipher_v1[:version], cipher.version
+        assert_equal false, SymmetricEncryption.secondary_ciphers.include?(cipher)
+      end
+
+      should "match config file for v1 cipher" do
+        cipher = SymmetricEncryption.cipher(1)
+        assert @cipher_v1[:cipher]
+        assert @cipher_v1[:version]
+        assert_equal @cipher_v1[:cipher], cipher.cipher
+        assert_equal @cipher_v1[:version], cipher.version
+        assert_equal false, SymmetricEncryption.secondary_ciphers.include?(cipher)
+      end
+
+      should "match config file for v0 cipher" do
+        cipher = SymmetricEncryption.cipher(0)
+        assert @cipher_v0[:cipher]
+        assert @cipher_v0[:version]
+        assert_equal @cipher_v0[:cipher], cipher.cipher
+        assert_equal @cipher_v0[:version], cipher.version
+        assert_equal true, SymmetricEncryption.secondary_ciphers.include?(cipher)
+      end
+
+      should 'read ciphers from config file' do
       end
     end
 

data/test/writer_test.rb

@@ -12,8 +12,8 @@ SymmetricEncryption.load!(File.join(File.dirname(__FILE__), 'config', 'symmetric
 
 # Unit Test for Symmetric::EncryptedStream
 #
-class EncryptionWriterTest < Test::Unit::TestCase
-  context 'EncryptionWriter' do
+class WriterTest < Test::Unit::TestCase
+  context SymmetricEncryption::Writer do
     setup do
       @data = [
         "Hello World\n",
@@ -32,7 +32,7 @@ class EncryptionWriterTest < Test::Unit::TestCase
 
     should "encrypt to string stream" do
       stream = StringIO.new
-      file = SymmetricEncryption::Writer.new(stream, :header => false)
+      file = SymmetricEncryption::Writer.new(stream, :header => false, :random_key => false)
       written_len = @data.inject(0) {|sum,str| sum + file.write(str)}
       file.close
 
@@ -53,7 +53,7 @@ class EncryptionWriterTest < Test::Unit::TestCase
 
     should "encrypt to file using .open" do
       written_len = nil
-      SymmetricEncryption::Writer.open(@filename, :header => false) do |file|
+      SymmetricEncryption::Writer.open(@filename, :header => false, :random_key => false) do |file|
         written_len = @data.inject(0) {|sum,str| sum + file.write(str)}
       end
       assert_equal @data_len, written_len

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: symmetric-encryption
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Reid Morrison
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-07 00:00:00.000000000 Z
+date: 2013-04-11 00:00:00.000000000 Z
 dependencies: []
 description: SymmetricEncryption supports encrypting ActiveRecord data, Mongoid data,
   passwords in configuration files, encrypting and decrypting of large files through