Class: PorkyLib::Symmetric
- Inherits:
-
Object
- Object
- PorkyLib::Symmetric
- Includes:
- Singleton
- Defined in:
- lib/porky_lib/symmetric.rb
Constant Summary
- CMK_KEY_ORIGIN =
'AWS_KMS'
- CMK_KEY_USAGE =
'ENCRYPT_DECRYPT'
- SYMMETRIC_KEY_SPEC =
'AES_256'
Instance Method Summary
- #client ⇒ Object
- #cmk_alias_exists?(key_alias) ⇒ Boolean
- #create_alias(key_id, key_alias) ⇒ Object
- #create_key(tags, key_alias = nil, key_rotation_enabled = true) ⇒ Object
- #decrypt(ciphertext_dek, ciphertext, nonce, encryption_context = nil) ⇒ Object
- #decrypt_data_encryption_key(ciphertext_key, encryption_context = nil) ⇒ Object
- #decrypt_with_benchmark(ciphertext_dek, ciphertext, nonce, encryption_context = nil) ⇒ Object
- #decrypt_with_key(ciphertext, plaintext_key, nonce) ⇒ Object
- #decrypt_with_key_with_benchmark(ciphertext, plaintext_key, nonce) ⇒ Object
- #enable_key_rotation(key_id) ⇒ Object
- #encrypt(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil) ⇒ Object
- #encrypt_with_benchmark(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil) ⇒ Object
- #encrypt_with_key(plaintext, plaintext_key) ⇒ Object
- #encrypt_with_key_with_benchmark(plaintext, plaintext_key) ⇒ Object
- #generate_data_encryption_key(cmk_key_id, encryption_context = nil) ⇒ Object
- #secure_delete_plaintext_key(length) ⇒ Object
Instance Method Details
#client ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 15
# Memoized AWS KMS client shared by every operation in this singleton.
#
# When the :aws_client_mock config flag is set, 'porky_lib/aws/kms/client' is
# required first (a deliberate lazy require) before Aws::KMS::Client.new is
# called; presumably that file supplies a mock in place of the real client —
# verify against it. The flag is re-read on every call, but the client is
# only constructed once.
#
# @return [Aws::KMS::Client] the shared client instance
def client
  mock_requested = PorkyLib::Config.config[:aws_client_mock]
  require 'porky_lib/aws/kms/client' if mock_requested
  @client ||= Aws::KMS::Client.new
end
#cmk_alias_exists?(key_alias) ⇒ Boolean
# File 'lib/porky_lib/symmetric.rb', line 33
# Whether a CMK alias with exactly the given name exists.
#
# Reads the alias list from a single list_aliases call on the KMS client and
# compares each :alias_name for an exact match.
# NOTE(review): only the first page of results is inspected; a truncated
# listing would not be followed — confirm against the client in use.
#
# @param key_alias [String] full alias name to look for
# @return [Boolean] true when an alias with that exact name is present
def cmk_alias_exists?(key_alias)
  aliases = client.list_aliases.to_h[:aliases]
  aliases.any? { |entry| entry[:alias_name] == key_alias }
end
#create_alias(key_id, key_alias) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 46
# Point a KMS alias at a CMK.
#
# Thin wrapper over the client's create_alias call; no existence check is
# performed here (see #cmk_alias_exists?), so an already-taken alias name is
# reported by KMS, not by this method.
#
# @param key_id [String] id of the CMK the alias should target
# @param key_alias [String] full alias name to create
# @return [Object] whatever the client's create_alias call returns
def create_alias(key_id, key_alias)
  client.create_alias(alias_name: key_alias, target_key_id: key_id)
end
#create_key(tags, key_alias = nil, key_rotation_enabled = true) ⇒ Object
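# File 'lib/porky_lib/symmetric.rb', line 20
# Create a symmetric customer master key (CMK) in KMS.
#
# The listing on this page had lost the first parameter name; it is `tags`,
# as in the method summary. The key is created with CMK_KEY_USAGE /
# CMK_KEY_ORIGIN, then (by default) automatic rotation is enabled and an
# alias is attached when one is given. Rotation and alias creation are
# separate KMS calls made after the key exists, so a failure in either
# leaves the key behind without that property.
#
# @param tags [Array<Hash>] tags passed straight through to create_key
# @param key_alias [String, nil] alias to attach; skipped when nil
# @param key_rotation_enabled [Boolean] enable automatic rotation (default true)
# @return [String] the id of the newly created CMK
def create_key(tags, key_alias = nil, key_rotation_enabled = true)
  resp = client.create_key(key_usage: CMK_KEY_USAGE, origin: CMK_KEY_ORIGIN, tags: tags)
  key_id = resp.to_h[:key_metadata][:key_id]

  # Enable automatic key rotation for the newly created CMK
  enable_key_rotation(key_id) if key_rotation_enabled

  # Create an alias for the newly created CMK
  create_alias(key_id, key_alias) if key_alias

  key_id
end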
#decrypt(ciphertext_dek, ciphertext, nonce, encryption_context = nil) ⇒ Object
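# File 'lib/porky_lib/symmetric.rb', line 90
# Decrypt a message that was produced by #encrypt (envelope encryption).
#
# The wrapped data encryption key is unwrapped through KMS, the message is
# opened with RbNaCl::SecretBox, and the unwrapped key is zeroed in place
# before returning. The listing on this page had lost the name of the local
# holding the decrypted message; it is restored here as `plaintext`.
#
# Fix: the key wipe now runs in an `ensure`, so key material is also cleared
# when building the box or the retry below raises (previously only the happy
# path and the rescue path wiped it).
#
# Legacy fallback: if the first decryption fails, the key is zeroed and the
# same box is asked to decrypt again. Because the box holds the same String
# object, that retry presumably runs under an all-zero key — this accepts
# data written by an earlier release with that bug. Such data is not
# protected by its DEK; callers must re-encrypt when the second element of
# the result is true.
#
# @param ciphertext_dek [String] KMS-wrapped data encryption key
# @param ciphertext [String] SecretBox ciphertext
# @param nonce [String] nonce stored alongside the ciphertext
# @param encryption_context [Hash, nil] KMS encryption context used when the DEK was generated
# @return [Array(String, Boolean), nil] plaintext and whether the caller must
#   re-encrypt; nil when any of the three required inputs is nil
# @raise [RbNaCl::CryptoError] when the ciphertext authenticates under neither key
def decrypt(ciphertext_dek, ciphertext, nonce, encryption_context = nil)
  return if ciphertext.nil? || ciphertext_dek.nil? || nonce.nil?

  # Unwrap the data encryption key through KMS
  plaintext_key = decrypt_data_encryption_key(ciphertext_dek, encryption_context)
  should_reencrypt = false
  begin
    secret_box = RbNaCl::SecretBox.new(plaintext_key)
    # Decrypt the message
    plaintext = secret_box.decrypt(nonce, ciphertext)
  rescue RbNaCl::CryptoError
    # For backwards compatibility due to a code error in a previous release:
    # zero the key first, then retry with the same box (see method doc)
    plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
    plaintext = secret_box.decrypt(nonce, ciphertext)
    should_reencrypt = true
  ensure
    # Securely delete the plaintext key from memory on every exit path
    plaintext_key&.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
  end

  [plaintext, should_reencrypt]
end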
#decrypt_data_encryption_key(ciphertext_key, encryption_context = nil) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 58
# Unwrap a KMS-wrapped data encryption key.
#
# The encryption context is only sent when one is given; KMS treats it as
# additional authenticated data, so it has to match the context supplied
# when the key was generated.
#
# @param ciphertext_key [String] wrapped key (ciphertext blob) from KMS
# @param encryption_context [Hash, nil] context used when the key was generated
# @return [String] the plaintext key — the caller is responsible for wiping it
def decrypt_data_encryption_key(ciphertext_key, encryption_context = nil)
  request = { ciphertext_blob: ciphertext_key }
  request[:encryption_context] = encryption_context if encryption_context
  client.decrypt(**request).plaintext
end
#decrypt_with_benchmark(ciphertext_dek, ciphertext, nonce, encryption_context = nil) ⇒ Object
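# File 'lib/porky_lib/symmetric.rb', line 155
# Same contract as #decrypt, with per-phase timing collected through
# benchmark_block (defined elsewhere in this class; assumed to return the
# value of the block it yields to — confirm against its definition).
#
# The listing on this page had lost the name of the local holding the
# decrypted message; it is restored here as `plaintext`. The inner block
# previously returned a third element that the destructuring dropped; it
# now returns exactly the pair that is consumed.
#
# Fix: when decryption fails on both attempts (or the box cannot be built)
# the unwrapped key is still zeroed before the error propagates; the timed
# :clear_key phase is then skipped.
#
# Legacy fallback: as in #decrypt, a failed first attempt zeroes the key and
# retries with the same box, presumably under an all-zero key. Callers must
# re-encrypt when the second element of the result is true.
#
# @param ciphertext_dek [String] KMS-wrapped data encryption key
# @param ciphertext [String] SecretBox ciphertext
# @param nonce [String] nonce stored alongside the ciphertext
# @param encryption_context [Hash, nil] KMS encryption context used when the DEK was generated
# @return [Array(String, Boolean, Hash), nil] plaintext, whether the caller
#   must re-encrypt, and statistics keyed :decrypt_key, :decrypt, :clear_key;
#   nil when any of the three required inputs is nil
# @raise [RbNaCl::CryptoError] when the ciphertext authenticates under neither key
def decrypt_with_benchmark(ciphertext_dek, ciphertext, nonce, encryption_context = nil)
  return if ciphertext.nil? || ciphertext_dek.nil? || nonce.nil?

  encryption_statistics = {}
  plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
    # Unwrap the data encryption key through KMS
    decrypt_data_encryption_key(ciphertext_dek, encryption_context)
  end

  begin
    plaintext, should_reencrypt = benchmark_block(encryption_statistics, :decrypt) do
      secret_box = RbNaCl::SecretBox.new(plaintext_key)
      begin
        # Decrypt the message
        [secret_box.decrypt(nonce, ciphertext), false]
      rescue RbNaCl::CryptoError
        # For backwards compatibility due to a code error in a previous release:
        # zero the key first, then retry with the same box (see method doc)
        plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
        [secret_box.decrypt(nonce, ciphertext), true]
      end
    end
  rescue StandardError
    # Do not leave key material behind when decryption fails outright
    plaintext_key&.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
    raise
  end

  benchmark_block(encryption_statistics, :clear_key) do
    # Securely delete the plaintext key from memory
    plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
  end

  [plaintext, should_reencrypt, encryption_statistics]
end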
#decrypt_with_key(ciphertext, plaintext_key, nonce) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 214
# Decrypt a SecretBox message with a key the caller already holds.
#
# Unlike #decrypt there is no KMS round-trip, no legacy fallback and no key
# wipe: the key belongs to the caller, who is responsible for clearing it.
#
# @param ciphertext [String] SecretBox ciphertext
# @param plaintext_key [String] raw SecretBox key
# @param nonce [String] nonce used when the message was encrypted
# @return [OpenStruct] with a single +plaintext+ field
# @raise [RbNaCl::CryptoError] when the ciphertext does not authenticate
def decrypt_with_key(ciphertext, plaintext_key, nonce)
  box = RbNaCl::SecretBox.new(plaintext_key)
  message = box.decrypt(nonce, ciphertext)
  OpenStruct.new(plaintext: message)
end
#decrypt_with_key_with_benchmark(ciphertext, plaintext_key, nonce) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 255
# Same as #decrypt_with_key, with the decryption timed through
# benchmark_block (defined elsewhere in this class; assumed to return the
# value of the block it yields to — confirm against its definition).
#
# The key is the caller's and is not wiped here.
#
# @param ciphertext [String] SecretBox ciphertext
# @param plaintext_key [String] raw SecretBox key
# @param nonce [String] nonce used when the message was encrypted
# @return [OpenStruct] with +plaintext+ and +statistics+ (keyed :decrypt)
# @raise [RbNaCl::CryptoError] when the ciphertext does not authenticate
def decrypt_with_key_with_benchmark(ciphertext, plaintext_key, nonce)
  stats = {}
  message = benchmark_block(stats, :decrypt) do
    RbNaCl::SecretBox.new(plaintext_key).decrypt(nonce, ciphertext)
  end
  OpenStruct.new(plaintext: message, statistics: stats)
end
#enable_key_rotation(key_id) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 42
# Turn on automatic rotation for a CMK.
#
# Thin wrapper over the client's enable_key_rotation call; #create_key uses
# it by default for newly created keys.
#
# @param key_id [String] id of the CMK to rotate
# @return [Object] whatever the client's enable_key_rotation call returns
def enable_key_rotation(key_id)
  kms = client
  kms.enable_key_rotation(key_id: key_id)
end
#encrypt(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil) ⇒ Object
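# File 'lib/porky_lib/symmetric.rb', line 65
# Envelope-encrypt +data+ under a CMK.
#
# A data encryption key is either generated under +cmk_key_id+ or, when
# +ciphertext_dek+ is given, unwrapped from it through KMS. The message is
# sealed with RbNaCl::SecretBox under a fresh random nonce, and the plaintext
# key is zeroed in place before returning. The wrapped key and the nonce are
# meant to be stored with the ciphertext; only KMS can unwrap the key.
#
# Fix: the key wipe now runs in an `ensure`, so key material is also cleared
# when building the box or sealing the message raises (previously the wipe
# only ran on the happy path).
#
# @param data [String] message to encrypt
# @param cmk_key_id [String] CMK used to generate a new DEK (ignored when a DEK is supplied)
# @param ciphertext_dek [String, nil] existing KMS-wrapped DEK to reuse
# @param encryption_context [Hash, nil] KMS encryption context for generating / unwrapping the DEK
# @return [Array(String, String, String), nil] wrapped key, ciphertext and
#   nonce; nil when +data+ or +cmk_key_id+ is nil
def encrypt(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil)
  return if data.nil? || cmk_key_id.nil?

  # Reuse the caller's DEK (unwrapped through KMS) or mint a fresh one under the CMK
  if ciphertext_dek
    plaintext_key = decrypt_data_encryption_key(ciphertext_dek, encryption_context)
    ciphertext_key = ciphertext_dek
  else
    plaintext_key, ciphertext_key = generate_data_encryption_key(cmk_key_id, encryption_context)
  end

  begin
    # Initialize the box
    secret_box = RbNaCl::SecretBox.new(plaintext_key)

    # A nonce is a single-use value never repeated under the same key. It is
    # not secret and travels with the ciphertext; the box reports how many
    # bytes it needs.
    nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)

    # Encrypt the message with SecretBox
    ciphertext = secret_box.encrypt(nonce, data)
  ensure
    # Securely delete the plaintext key from memory on every exit path
    plaintext_key&.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
  end

  [ciphertext_key, ciphertext, nonce]
end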
#encrypt_with_benchmark(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil) ⇒ Object
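# File 'lib/porky_lib/symmetric.rb', line 114
# Same contract as #encrypt, with per-phase timing collected through
# benchmark_block (defined elsewhere in this class; assumed to return the
# value of the block it yields to — confirm against its definition).
#
# Fix: when building the box or sealing the message raises, the plaintext
# key is still zeroed before the error propagates; the timed :clear_key
# phase is then skipped.
#
# @param data [String] message to encrypt
# @param cmk_key_id [String] CMK used to generate a new DEK (ignored when a DEK is supplied)
# @param ciphertext_dek [String, nil] existing KMS-wrapped DEK to reuse
# @param encryption_context [Hash, nil] KMS encryption context for generating / unwrapping the DEK
# @return [Array(String, String, String, Hash), nil] wrapped key, ciphertext,
#   nonce and statistics keyed :generate_key or :decrypt_key, :encrypt and
#   :clear_key; nil when +data+ or +cmk_key_id+ is nil
def encrypt_with_benchmark(data, cmk_key_id, ciphertext_dek = nil, encryption_context = nil)
  return if data.nil? || cmk_key_id.nil?

  encryption_statistics = {}

  # Reuse the caller's DEK (unwrapped through KMS) or mint a fresh one under the CMK
  if ciphertext_dek
    plaintext_key = benchmark_block(encryption_statistics, :decrypt_key) do
      decrypt_data_encryption_key(ciphertext_dek, encryption_context)
    end
    ciphertext_key = ciphertext_dek
  else
    plaintext_key, ciphertext_key = benchmark_block(encryption_statistics, :generate_key) do
      generate_data_encryption_key(cmk_key_id, encryption_context)
    end
  end

  begin
    nonce, ciphertext = benchmark_block(encryption_statistics, :encrypt) do
      # Initialize the box
      secret_box = RbNaCl::SecretBox.new(plaintext_key)

      # A nonce is a single-use value never repeated under the same key. It is
      # not secret and travels with the ciphertext; the box reports how many
      # bytes it needs.
      fresh_nonce = RbNaCl::Random.random_bytes(secret_box.nonce_bytes)

      # Encrypt the message with SecretBox
      [fresh_nonce, secret_box.encrypt(fresh_nonce, data)]
    end
  rescue StandardError
    # Do not leave key material behind when sealing fails
    plaintext_key&.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
    raise
  end

  benchmark_block(encryption_statistics, :clear_key) do
    # Securely delete the plaintext key from memory
    plaintext_key.replace(secure_delete_plaintext_key(plaintext_key.bytesize))
  end

  [ciphertext_key, ciphertext, nonce, encryption_statistics]
end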
#encrypt_with_key(plaintext, plaintext_key) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 194
# Seal +plaintext+ with a key the caller already holds.
#
# A fresh random nonce is drawn from RbNaCl::Random for each call; it is not
# secret and is returned alongside the ciphertext so the message can later be
# opened with #decrypt_with_key. The key belongs to the caller and is not
# wiped here.
#
# @param plaintext [String] message to encrypt
# @param plaintext_key [String] raw SecretBox key
# @return [OpenStruct] with +ciphertext+ and +nonce+ fields
def encrypt_with_key(plaintext, plaintext_key)
  box = RbNaCl::SecretBox.new(plaintext_key)
  # Single-use nonce; the box knows how many bytes it needs
  nonce = RbNaCl::Random.random_bytes(box.nonce_bytes)
  sealed = box.encrypt(nonce, plaintext)
  OpenStruct.new(ciphertext: sealed, nonce: nonce)
end
#encrypt_with_key_with_benchmark(plaintext, plaintext_key) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 228
# Same as #encrypt_with_key, with the sealing step timed through
# benchmark_block (defined elsewhere in this class; assumed to return the
# value of the block it yields to — confirm against its definition).
#
# The key is the caller's and is not wiped here.
#
# @param plaintext [String] message to encrypt
# @param plaintext_key [String] raw SecretBox key
# @return [OpenStruct] with +ciphertext+, +nonce+ and +statistics+ (keyed :encrypt)
def encrypt_with_key_with_benchmark(plaintext, plaintext_key)
  stats = {}
  fresh_nonce, sealed = benchmark_block(stats, :encrypt) do
    box = RbNaCl::SecretBox.new(plaintext_key)
    # Single-use nonce; the box knows how many bytes it needs
    n = RbNaCl::Random.random_bytes(box.nonce_bytes)
    [n, box.encrypt(n, plaintext)]
  end
  OpenStruct.new(ciphertext: sealed, nonce: fresh_nonce, statistics: stats)
end
#generate_data_encryption_key(cmk_key_id, encryption_context = nil) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 50
# Ask KMS for a new data encryption key under the given CMK.
#
# The key spec is SYMMETRIC_KEY_SPEC; the encryption context is only sent
# when one is given, and the same context must then be supplied to
# #decrypt_data_encryption_key. The plaintext half of the result must be
# wiped by the caller once used.
#
# @param cmk_key_id [String] CMK that wraps the new key
# @param encryption_context [Hash, nil] KMS encryption context bound to the key
# @return [Array(String, String)] plaintext key and its KMS-wrapped ciphertext blob
def generate_data_encryption_key(cmk_key_id, encryption_context = nil)
  request = { key_id: cmk_key_id, key_spec: SYMMETRIC_KEY_SPEC }
  request[:encryption_context] = encryption_context if encryption_context
  resp = client.generate_data_key(**request)
  [resp.plaintext, resp.ciphertext_blob]
end
#secure_delete_plaintext_key(length) ⇒ Object
# File 'lib/porky_lib/symmetric.rb', line 190
# Build the all-zero string used to overwrite a plaintext key in place.
#
# Callers apply it with String#replace on the key they hold, which rewrites
# that String's buffer. NOTE(review): Ruby gives no guarantee about other
# copies of the same bytes (e.g. inside the KMS response object or after a
# reallocation), so treat this as best-effort hygiene rather than a
# guaranteed wipe.
#
# @param length [Integer] number of bytes to produce
# @return [String] +length+ NUL bytes
def secure_delete_plaintext_key(length)
  zero_byte = "\0"
  zero_byte * length
end