Module: ConcernsOnRails::Encryption

Defined in:
lib/concerns_on_rails/encryption.rb

Overview

Configuration and error types backing Models::Encryptable.

The gem stays agnostic about where secrets live: the host app supplies the key (commonly a Proc reading Rails credentials) via a small config object, mirroring the existing ConcernsOnRails.deprecator accessor pattern:

ConcernsOnRails.configure_encryption do |c|
c.key = -> { Rails.application.credentials.dig(:encryption, :key) }
end

A key may be raw 32-byte binary, a 64-char hex string, or any passphrase (stretched to 32 bytes with PBKDF2-HMAC-SHA256). Resolution is lazy — a missing key raises MissingKeyError at first encrypt/decrypt, never at class-load, so a model file can be required before credentials load.

Defined Under Namespace

Classes: Config, DecryptionError, Error, MissingKeyError

Constant Summary collapse

DEFAULT_KDF_SALT =

The KDF salt and iteration count are part of the derived key's identity: change them and existing ciphertext can no longer be decrypted. They are deliberately fixed constants (the salt is overridable via config only for apps that must diverge and are prepared to re-encrypt).

"concerns_on_rails/encryptable/v1".freeze
KDF_ITERATIONS =
65_536