Class: ActiveStorageEncryption::EncryptedDiskService::V2Scheme

Inherits:
Object
  • Object
show all
Defined in:
lib/active_storage_encryption/encrypted_disk_service/v2_scheme.rb

Overview

This scheme uses GCM encryption with CTR-based random access. The auth tag is stored at the end of the message. The message is prefixed by a SHA2 digest of the encryption key.

Instance Method Summary collapse

Constructor Details

#initialize(encryption_key) ⇒ V2Scheme

Returns a new instance of V2Scheme.



6
7
8
9
 
# File 'lib/active_storage_encryption/encrypted_disk_service/v2_scheme.rb', line 6

def initialize(encryption_key)
  @scheme = BlockCipherKit::AES256GCMScheme.new(encryption_key)
  @key_digest = Digest::SHA256.digest(encryption_key.byteslice(0, 32)) # In this scheme just the key is used
end

Instance Method Details

#decrypt_range(from_ciphertext_io:, range:) ⇒ Object 



23
24
25
26
 
# File 'lib/active_storage_encryption/encrypted_disk_service/v2_scheme.rb', line 23

def decrypt_range(from_ciphertext_io:, range:)
  check_key!(from_ciphertext_io)
  @scheme.decrypt_range(from_ciphertext_io:, range:)
end

#streaming_decrypt(from_ciphertext_io:, into_plaintext_io: nil, &blk) ⇒ Object 



11
12
13
14
 
# File 'lib/active_storage_encryption/encrypted_disk_service/v2_scheme.rb', line 11

def streaming_decrypt(from_ciphertext_io:, into_plaintext_io: nil, &blk)
  check_key!(from_ciphertext_io)
  @scheme.streaming_decrypt(from_ciphertext_io:, into_plaintext_io:, &blk)
end

#streaming_encrypt(into_ciphertext_io:, from_plaintext_io: nil, &blk) ⇒ Object 



16
17
18
19
20
21
 
# File 'lib/active_storage_encryption/encrypted_disk_service/v2_scheme.rb', line 16

def streaming_encrypt(into_ciphertext_io:, from_plaintext_io: nil, &blk)
  # See check_key! for rationale. We need a fast KVC (key validation code)
  # to refuse the download if we know the key is incorrect.
  into_ciphertext_io.write(@key_digest)
  @scheme.streaming_encrypt(into_ciphertext_io:, from_plaintext_io:, &blk)
end