Module: Lockbox

Extended by:
Padding
Defined in:
lib/lockbox/active_storage_extensions.rb,
lib/lockbox.rb,
lib/lockbox/io.rb,
lib/lockbox/box.rb,
lib/lockbox/model.rb,
lib/lockbox/utils.rb,
lib/lockbox/aes_gcm.rb,
lib/lockbox/padding.rb,
lib/lockbox/railtie.rb,
lib/lockbox/version.rb,
lib/lockbox/migrator.rb,
lib/lockbox/encryptor.rb,
lib/lockbox/calculations.rb,
lib/lockbox/key_generator.rb,
lib/lockbox/log_subscriber.rb,
lib/lockbox/carrier_wave_extensions.rb,
lib/generators/lockbox/audits_generator.rb

Overview

Ideally encryption and decryption would happen at the blob/service level. However, Active Storage < 6.1 only supports a single service (per environment). This means all attachments need to be encrypted or none of them, which is often not practical.

Active Storage 6.1 adds support for multiple services, which changes this. We could have a Lockbox service:

lockbox:

service: Lockbox
backend: local    # delegate to another service, like mirror service
key:     ...      # Lockbox options

However, the checksum is computed *and stored on the blob* before the file is passed to the service. We don't want the MD5 checksum of the plaintext stored in the database.

Instead, we encrypt and decrypt at the attachment level, and we define encryption settings at the model level.

Defined Under Namespace

Modules: ActiveStorageExtensions, Calculations, CarrierWaveExtensions, Generators, Model, Padding Classes: AES_GCM, Box, DecryptionError, Encryptor, Error, IO, KeyGenerator, LogSubscriber, Migrator, PaddingError, Railtie, Utils

Constant Summary collapse

VERSION =
"0.6.6"

Constants included from Padding

Padding::PAD_FIRST_BYTE, Padding::PAD_ZERO_BYTE

Class Attribute Summary collapse

Class Method Summary collapse

Methods included from Padding

pad, pad!, unpad, unpad!

Class Attribute Details

.default_optionsObject

Returns the value of attribute default_options.


59
60
61
# File 'lib/lockbox.rb', line 59

def default_options
  @default_options
end

.master_keyObject


64
65
66
# File 'lib/lockbox.rb', line 64

def self.master_key
  @master_key ||= ENV["LOCKBOX_MASTER_KEY"]
end

Class Method Details

.attribute_key(table:, attribute:, master_key: nil, encode: true) ⇒ Object

Raises:

  • (ArgumentError)

94
95
96
97
98
99
100
101
# File 'lib/lockbox.rb', line 94

def self.attribute_key(table:, attribute:, master_key: nil, encode: true)
  master_key ||= Lockbox.master_key
  raise ArgumentError, "Missing master key" unless master_key

  key = Lockbox::KeyGenerator.new(master_key).attribute_key(table: table, attribute: attribute)
  key = to_hex(key) if encode
  key
end

.encrypts_action_text_body(**options) ⇒ Object


111
112
113
114
115
# File 'lib/lockbox.rb', line 111

def self.encrypts_action_text_body(**options)
  ActiveSupport.on_load(:action_text_rich_text) do
    ActionText::RichText.lockbox_encrypts :body, **options
  end
end

.generate_keyObject


76
77
78
# File 'lib/lockbox.rb', line 76

def self.generate_key
  SecureRandom.hex(32)
end

.generate_key_pairObject


80
81
82
83
84
85
86
87
88
89
90
91
92
# File 'lib/lockbox.rb', line 80

def self.generate_key_pair
  require "rbnacl"
  # encryption and decryption servers exchange public keys
  # this produces smaller ciphertext than sealed box
  alice = RbNaCl::PrivateKey.generate
  bob = RbNaCl::PrivateKey.generate
  # alice is sending message to bob
  # use bob first in both cases to prevent keys being swappable
  {
    encryption_key: to_hex(bob.public_key.to_bytes + alice.to_bytes),
    decryption_key: to_hex(bob.to_bytes + alice.public_key.to_bytes)
  }
end

.migrate(relation, batch_size: 1000, restart: false) ⇒ Object


68
69
70
# File 'lib/lockbox.rb', line 68

def self.migrate(relation, batch_size: 1000, restart: false)
  Migrator.new(relation, batch_size: batch_size).migrate(restart: restart)
end

.new(**options) ⇒ Object


107
108
109
# File 'lib/lockbox.rb', line 107

def self.new(**options)
  Encryptor.new(**options)
end

.rotate(relation, batch_size: 1000, attributes:) ⇒ Object


72
73
74
# File 'lib/lockbox.rb', line 72

def self.rotate(relation, batch_size: 1000, attributes:)
  Migrator.new(relation, batch_size: batch_size).rotate(attributes: attributes)
end

.to_hex(str) ⇒ Object


103
104
105
# File 'lib/lockbox.rb', line 103

def self.to_hex(str)
  str.unpack("H*").first
end