Slosilo is providing a ruby interface to some cryptographic primitives:

  • symmetric encryption,
  • a mixin for easy encryption of object attributes,
  • asymmetric encryption and signing,
  • a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
  • a keystore in files.


Add this line to your application's Gemfile:

gem 'slosilo'

And then execute:

$ bundle


Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM for authenticated encryption. It allows you to provide AAD on all symmetric encryption primitives. It's also NOT COMPATIBLE with CBC used in version <2.

This means you'll have to migrate all your existing data. There's no easy way to do this currently provided; it's recommended to create a database migration and put relevant code fragments in it directly. (This will also have the benefit of making the migration self-contained.)

Since symmetric encryption is used in processing asymetrically encrypted messages, this incompatibility extends to those too.


Symmetric encryption

sym =
key = sym.random_key
# additional authenticated data
message_id = "message 001"
ciphertext = sym.encrypt "secret message", key: key, aad: message_id
sym =
message = sym.decrypt ciphertext, key: key, aad: message_id

Encryption mixin

require 'slosilo'

class Foo
  attr_accessor :foo
  attr_encrypted :foo, aad: :id

  def raw_foo

  def id
    "unique record id"

Slosilo::encryption_key =

obj = = "bar"
obj.raw_foo # => "\xC4\xEF\x87\xD3b\xEA\x12\xDF\xD0\xD4hk\xEDJ\v\x1Cr\xF2#\xA3\x11\xA4*k\xB7\x8F\x8F\xC2\xBD\xBB\xFF\xE3" # => "bar"

You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.

Asymmetric encryption and signing

private_key =
public_key = private_key.public

Key dumping

k = public_key.to_s # => "-----BEGIN PUBLIC KEY----- ...
( k) == public_key # => true


encrypted = public_key.encrypt_message "eagle one sees many clouds"
# => "\xA3\x1A\xD2\xFC\xB0 ...

public_key.decrypt_message encrypted
# => OpenSSL::PKey::RSAError: private key needed.

private_key.decrypt_message encrypted
# => "eagle one sees many clouds"


token = private_key.signed_token "missile launch not authorized"
# => {"data"=>"missile launch not authorized", "timestamp"=>"2014-10-13 12:41:25 UTC", "signature"=>"bSImk...DzV3o", "key"=>"455f7ac42d2d483f750b4c380761821d"}

public_key.token_valid? token # => true

token["data"] = "missile launch authorized"
public_key.token_valid? token # => false


Slosilo::encryption_key = ENV['SLOSILO_KEY']
Slosilo.adapter = "~/.keys"

Slosilo[:own] =
Slosilo[:their] ="foo.pem")

msg = Slosilo[:their].encrypt_message 'bar'
p Slosilo[:own].signed_token msg

Keystore in database

Add a migration to create the necessary table:

require 'slosilo/adapters/sequel_adapter/migration'

Remember to migrate your database

$ rake db:migrate


Slosilo.adapter =


We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.