Class: SymmetricEncryption::Keystore::Environment

Inherits:
Memory
  • Object
Defined in:
lib/symmetric_encryption/keystore/environment.rb

Overview

Store the encrypted encryption key in an environment variable

Instance Attribute Summary collapse

Attributes inherited from Memory

#encrypted_key, #key_encrypting_key

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(key_encrypting_key:, key_env_var:, encoding: :base64strict) ⇒ Environment

Stores the Encryption key in an environment var. Secures the Encryption key by encrypting it with a key encryption key.



# File 'lib/symmetric_encryption/keystore/environment.rb', line 55

# Keystore that keeps the data-encryption key, encrypted under
# +key_encrypting_key+, in the environment variable named +key_env_var+.
#
# @param key_encrypting_key [Object] key used to wrap/unwrap the stored key;
#   must respond to +encrypt+ and +decrypt+ (see #write and #read)
# @param key_env_var [String] name of the environment variable that holds the
#   encrypted key
# @param encoding [Symbol] encoding applied to the encrypted bytes before they
#   are placed in the environment variable
def initialize(key_encrypting_key:, key_env_var:, encoding: :base64strict)
  @key_env_var, @key_encrypting_key, @encoding = key_env_var, key_encrypting_key, encoding
end

Instance Attribute Details

#encodingObject

Returns the value of attribute encoding.



# File 'lib/symmetric_encryption/keystore/environment.rb', line 5

# @return [Symbol] encoding applied to the encrypted key when it is written to,
#   and decoded from, the environment variable (set in #initialize)
def encoding; @encoding; end

#key_env_varObject

Returns the value of attribute key_env_var.



# File 'lib/symmetric_encryption/keystore/environment.rb', line 5

# @return [String] name of the environment variable holding the encrypted
#   encryption key (set in #initialize)
def key_env_var; @key_env_var; end

Class Method Details

.new_config(app_name: 'symmetric-encryption', environments: %i[development test release production], cipher_name: 'aes-256-cbc') ⇒ Object

Returns [Hash] initial configuration for Heroku. Displays the keys that need to be added to the Heroku environment.



# File 'lib/symmetric_encryption/keystore/environment.rb', line 9

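# Builds the initial keystore configuration for an environment-variable
# (e.g. Heroku) deployment, one entry per environment.
#
# +development+ and +test+ receive +Keystore.dev_config+ (presumably a fixed
# development key rather than a generated one — see Keystore); every other
# environment receives a freshly generated cipher from .new_key_config, which
# also prints the environment variable that must be set for that environment.
#
# @param app_name [String] prefix of the generated environment variable names
# @param environments [Array<Symbol, String>] environments to configure; names
#   are symbolized
# @param cipher_name [String] OpenSSL cipher name for the generated keys
# @return [Hash{Symbol => Hash}] configuration keyed by environment name;
#   empty when +environments+ is empty
def self.new_config(app_name: 'symmetric-encryption',
                    environments: %i[development test release production],
                    cipher_name: 'aes-256-cbc')
  environments.each_with_object({}) do |env, configs|
    environment = env.to_sym
    configs[environment] =
      if %i[development test].include?(environment)
        Keystore.dev_config
      else
        cfg = new_key_config(cipher_name: cipher_name, app_name: app_name, environment: environment)
        { ciphers: [cfg] }
      end
  end
end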

.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil) ⇒ Object

Returns [Hash] a new cipher, and writes its encrypted key file.

Increments the supplied version number by 1.



# File 'lib/symmetric_encryption/keystore/environment.rb', line 32

# Generates a new key-encrypting key (KEK) and, unless +dek+ is supplied, a new
# data-encryption key (DEK) for +environment+, prints the environment variable
# that must carry the encrypted DEK (via #write), and returns the cipher
# configuration to persist.
#
# The returned hash holds the KEK (key and iv) in the clear; together with the
# environment variable it is sufficient to recover the DEK, so the stored
# configuration needs the same protection as the key itself.
#
# @param cipher_name [String] OpenSSL cipher name for the generated keys
# @param app_name [String] prefix of the environment variable name
# @param environment [Symbol, String] environment the key belongs to
# @param version [Integer] current key version; the returned version is one
#   higher, wrapping back to 1 once 255 is reached
# @param dek [SymmetricEncryption::Key, nil] existing DEK to wrap; generated
#   when nil
# @return [Hash] cipher configuration: cipher_name, version, key_env_var, iv
#   and key_encrypting_key
def self.new_key_config(cipher_name:, app_name:, environment:, version: 0, dek: nil)
  # Wraps to 1 at 255 (presumably the version is stored in a single byte — confirm).
  version = version >= 255 ? 1 : version + 1

  kek = SymmetricEncryption::Key.new(cipher_name: cipher_name)
  dek ||= SymmetricEncryption::Key.new(cipher_name: cipher_name)

  # e.g. SYMMETRIC_ENCRYPTION_PRODUCTION_V1; '-' is not valid in an env var name.
  key_env_var = [app_name, environment, "v#{version}"].join('_').upcase.tr('-', '_')
  new(key_env_var: key_env_var, key_encrypting_key: kek).write(dek.key)

  {
    cipher_name:        dek.cipher_name,
    version:            version,
    key_env_var:        key_env_var,
    iv:                 dek.iv,
    key_encrypting_key: { key: kek.key, iv: kek.iv }
  }
end

Instance Method Details

#readObject

Returns the Encryption key in the clear.



# File 'lib/symmetric_encryption/keystore/environment.rb', line 62

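# Reads the encrypted key from the environment variable, decodes it with
# +encoder+ and decrypts it with the key-encrypting key.
#
# @return [String] the encryption key in the clear
# @raise [RuntimeError] when the environment variable is unset or blank; the
#   message names only the variable, never its contents
def read
  encrypted = ENV[key_env_var]
  # A blank value cannot hold a key; treat it like an unset variable rather than
  # letting it surface as an obscure decode/decrypt failure.
  if encrypted.nil? || encrypted.strip.empty?
    raise "The Environment Variable #{key_env_var} must be set with the encrypted encryption key."
  end

  key_encrypting_key.decrypt(encoder.decode(encrypted))
end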

#write(key) ⇒ Object

Write the encrypted Encryption key to the `encrypted_key` attribute.



# File 'lib/symmetric_encryption/keystore/environment.rb', line 70

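# Encrypts +key+ with the key-encrypting key and prints the commands needed to
# place the result in the environment variable +key_env_var+.
#
# The printed value is +key+ encrypted under the key-encrypting key; anyone
# holding that key (it is part of the configuration returned by
# .new_key_config) can recover +key+ from it, so the output — and any shell
# history or log that captures the printed command — is sensitive.
#
# NOTE(review): nothing is stored on the instance here; +encrypted_key+ below is
# a local, so the +encrypted_key+ attribute inherited from Memory is not assigned.
#
# @param key [String] the encryption key to protect
# @return [nil]
def write(key)
  encrypted_key = key_encrypting_key.encrypt(key)
  # Encode once; the same value appears in both commands.
  encoded       = encoder.encode(encrypted_key)
  puts <<~INSTRUCTIONS


    ********************************************************************************
    Add the environment key to Heroku:

      heroku config:add #{key_env_var}=#{encoded}

    Or, if using environment variables on another system set the environment variable as follows:

      export #{key_env_var}="#{encoded}"

    ********************************************************************************
  INSTRUCTIONS
end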