Class: ActiveCipherStorage::Providers::EnvProvider

Inherits:

Base

• Object
• Base
• ActiveCipherStorage::Providers::EnvProvider

Includes:

KeyUtils

Defined in:

lib/active_cipher_storage/providers/env_provider.rb

Constant Summary

PROVIDER_ID =

"env"

WRAP_ALGO =

"aes-256-gcm"

MASTER_KEY_SIZE =

32

WRAP_IV_SIZE =

12

WRAP_TAG_SIZE =

16

Instance Method Summary

• #decrypt_data_key(encrypted_key) ⇒ Object
• #generate_data_key ⇒ Object
• #initialize(env_var: "ACTIVE_CIPHER_MASTER_KEY", old_env_var: nil) ⇒ EnvProvider constructor

  A new instance of EnvProvider.

• #key_id ⇒ Object
• #provider_id ⇒ Object
• #rotate_data_key(encrypted_key, old_provider: nil) ⇒ Object
• #wrap_data_key(plaintext_dek) ⇒ Object

Constructor Details

#initialize(env_var: "ACTIVE_CIPHER_MASTER_KEY", old_env_var: nil) ⇒ EnvProvider

Returns a new instance of EnvProvider.

# File 'lib/active_cipher_storage/providers/env_provider.rb', line 16

def initialize(env_var: "ACTIVE_CIPHER_MASTER_KEY", old_env_var: nil)
  @env_var     = env_var
  @old_env_var = old_env_var
end

Instance Method Details

#decrypt_data_key(encrypted_key) ⇒ Object

# File 'lib/active_cipher_storage/providers/env_provider.rb', line 32

def decrypt_data_key(encrypted_key)
  master = read_master_key(@env_var)
  unwrap_key(encrypted_key, master)
ensure
  zero_bytes!(master)
end

#generate_data_key ⇒ Object

# File 'lib/active_cipher_storage/providers/env_provider.rb', line 24

def generate_data_key
  master = read_master_key(@env_var)
  dek    = SecureRandom.random_bytes(Cipher::KEY_SIZE)
  { plaintext_key: dek, encrypted_key: wrap_key(dek, master) }
ensure
  zero_bytes!(master)
end

#key_id ⇒ Object

# File 'lib/active_cipher_storage/providers/env_provider.rb', line 22

def key_id      = @env_var

#provider_id ⇒ Object

# File 'lib/active_cipher_storage/providers/env_provider.rb', line 21

def provider_id = PROVIDER_ID

#rotate_data_key(encrypted_key, old_provider: nil) ⇒ Object

# File 'lib/active_cipher_storage/providers/env_provider.rb', line 46

def rotate_data_key(encrypted_key, old_provider: nil)
  source = old_provider || begin
    raise Errors::UnsupportedOperation,
          "Supply :old_provider to rotate via EnvProvider" unless @old_env_var
    EnvProvider.new(env_var: @old_env_var)
  end

  plaintext_dek = source.decrypt_data_key(encrypted_key)
  new_master    = read_master_key(@env_var)
  wrap_key(plaintext_dek, new_master)
ensure
  zero_bytes!(plaintext_dek)
  zero_bytes!(new_master)
end

#wrap_data_key(plaintext_dek) ⇒ Object

# File 'lib/active_cipher_storage/providers/env_provider.rb', line 39

def wrap_data_key(plaintext_dek)
  master = read_master_key(@env_var)
  wrap_key(plaintext_dek, master)
ensure
  zero_bytes!(master)
end