Module: Lockbox
- Extended by:
- Padding
- Defined in:
- lib/lockbox/active_storage_extensions.rb,
lib/lockbox.rb,
lib/lockbox/io.rb,
lib/lockbox/box.rb,
lib/lockbox/model.rb,
lib/lockbox/utils.rb,
lib/lockbox/aes_gcm.rb,
lib/lockbox/padding.rb,
lib/lockbox/railtie.rb,
lib/lockbox/version.rb,
lib/lockbox/migrator.rb,
lib/lockbox/encryptor.rb,
lib/lockbox/calculations.rb,
lib/lockbox/key_generator.rb,
lib/lockbox/log_subscriber.rb,
lib/lockbox/carrier_wave_extensions.rb,
lib/generators/lockbox/audits_generator.rb
Overview
Ideally encryption and decryption would happen at the blob/service level. However, Active Storage < 6.1 only supports a single service (per environment). This means all attachments need to be encrypted or none of them, which is often not practical.
Active Storage 6.1 adds support for multiple services, which changes this. We could have a Lockbox service:
lockbox:
service: Lockbox
backend: local # delegate to another service, like mirror service
key: ... # Lockbox options
However, the checksum is computed *and stored on the blob* before the file is passed to the service. We don’t want the MD5 checksum of the plaintext stored in the database.
Instead, we encrypt and decrypt at the attachment level, and we define encryption settings at the model level.
Defined Under Namespace
Modules: ActiveStorageExtensions, Calculations, CarrierWaveExtensions, Generators, Model, Padding
Classes: AES_GCM, Box, DecryptionError, Encryptor, Error, IO, KeyGenerator, LogSubscriber, Migrator, PaddingError, Railtie, Utils
Constant Summary
collapse
- VERSION =
"0.6.6"
Constants included
from Padding
Padding::PAD_FIRST_BYTE, Padding::PAD_ZERO_BYTE
Class Attribute Summary collapse
Class Method Summary
collapse
Methods included from Padding
pad, pad!, unpad, unpad!
Class Attribute Details
.default_options ⇒ Object
Returns the value of attribute default_options.
59
60
61
|
# File 'lib/lockbox.rb', line 59
def default_options
@default_options
end
|
.master_key ⇒ Object
64
65
66
|
# File 'lib/lockbox.rb', line 64
def self.master_key
@master_key ||= ENV["LOCKBOX_MASTER_KEY"]
end
|
Class Method Details
.attribute_key(table:, attribute:, master_key: nil, encode: true) ⇒ Object
94
95
96
97
98
99
100
101
|
# File 'lib/lockbox.rb', line 94
def self.attribute_key(table:, attribute:, master_key: nil, encode: true)
master_key ||= Lockbox.master_key
raise ArgumentError, "Missing master key" unless master_key
key = Lockbox::KeyGenerator.new(master_key).attribute_key(table: table, attribute: attribute)
key = to_hex(key) if encode
key
end
|
.encrypts_action_text_body(**options) ⇒ Object
111
112
113
114
115
|
# File 'lib/lockbox.rb', line 111
def self.encrypts_action_text_body(**options)
ActiveSupport.on_load(:action_text_rich_text) do
ActionText::RichText.lockbox_encrypts :body, **options
end
end
|
.generate_key ⇒ Object
76
77
78
|
# File 'lib/lockbox.rb', line 76
def self.generate_key
SecureRandom.hex(32)
end
|
.generate_key_pair ⇒ Object
80
81
82
83
84
85
86
87
88
89
90
91
92
|
# File 'lib/lockbox.rb', line 80
def self.generate_key_pair
require "rbnacl"
alice = RbNaCl::PrivateKey.generate
bob = RbNaCl::PrivateKey.generate
{
encryption_key: to_hex(bob.public_key.to_bytes + alice.to_bytes),
decryption_key: to_hex(bob.to_bytes + alice.public_key.to_bytes)
}
end
|
.migrate(relation, batch_size: 1000, restart: false) ⇒ Object
68
69
70
|
# File 'lib/lockbox.rb', line 68
def self.migrate(relation, batch_size: 1000, restart: false)
Migrator.new(relation, batch_size: batch_size).migrate(restart: restart)
end
|
.new(**options) ⇒ Object
107
108
109
|
# File 'lib/lockbox.rb', line 107
def self.new(**options)
Encryptor.new(**options)
end
|
.rotate(relation, batch_size: 1000, attributes:) ⇒ Object
72
73
74
|
# File 'lib/lockbox.rb', line 72
def self.rotate(relation, batch_size: 1000, attributes:)
Migrator.new(relation, batch_size: batch_size).rotate(attributes: attributes)
end
|
.to_hex(str) ⇒ Object
103
104
105
|
# File 'lib/lockbox.rb', line 103
def self.to_hex(str)
str.unpack("H*").first
end
|