Class: ActiveRecord::Encryption::EnvelopeEncryptionKeyProvider

Inherits:

Object

• Object
• ActiveRecord::Encryption::EnvelopeEncryptionKeyProvider

Defined in:

lib/active_record/encryption/envelope_encryption_key_provider.rb

Overview

Implements a simple envelope encryption approach where:

• It generates a random data-encryption key for each encryption operation.

• It stores the generated key along with the encrypted payload. It encrypts this key with the master key provided in the active_record_encryption.primary_key credential.

This provider can work with multiple master keys. It will use the last one for encrypting.

When config.active_record.encryption.store_key_references is true, it will also store a reference to the specific master key that was used to encrypt the data-encryption key. When not set, it will try all the configured master keys looking for the right one, in order to return the right decryption key.

Instance Method Summary

• #active_primary_key ⇒ Object
• #decryption_keys(encrypted_message) ⇒ Object
• #encryption_key ⇒ Object

Instance Method Details

#active_primary_key ⇒ Object

# File 'lib/active_record/encryption/envelope_encryption_key_provider.rb', line 31

def active_primary_key
  @active_primary_key ||= primary_key_provider.encryption_key
end

#decryption_keys(encrypted_message) ⇒ Object

# File 'lib/active_record/encryption/envelope_encryption_key_provider.rb', line 26

def decryption_keys(encrypted_message)
  secret = decrypt_data_key(encrypted_message)
  secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
end

#encryption_key ⇒ Object

# File 'lib/active_record/encryption/envelope_encryption_key_provider.rb', line 18

def encryption_key
  random_secret = generate_random_secret
  ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
    key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
    key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
  end
end