Class: ActiveRecord::Encryption::EnvelopeEncryptionKeyProvider
Defined in: activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb
Overview
Implements a simple envelope encryption approach where:
- It generates a random data-encryption key for each encryption operation.
- It stores the generated key along with the encrypted payload. It encrypts this key with the master key provided in the active_record_encryption.primary_key credential.
This provider can work with multiple master keys. It will use the last one for encrypting.
When config.active_record.encryption.store_key_references is true, it will also store a reference to the specific master key that was used to encrypt the data-encryption key. When not set, it will try all the configured master keys looking for the right one, in order to return the right decryption key.
Instance Method Details
#active_primary_key ⇒ Object
# File 'activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb', line 31
# Memoizes the master key used for encrypting (the last configured primary key).
def active_primary_key
  @active_primary_key ||= primary_key_provider.encryption_key
end
#decryption_keys(encrypted_message) ⇒ Object
# File 'activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb', line 26
# Unwraps the data-encryption key stored with the message; returns an empty
# array when no configured master key can decrypt it.
def decryption_keys(encrypted_message)
  secret = decrypt_data_key(encrypted_message)
  secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
end
#encryption_key ⇒ Object
# File 'activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb', line 18
# Generates a fresh data-encryption key and attaches its wrapped form (and,
# optionally, the id of the master key that wrapped it) as public tags, which
# are stored alongside the encrypted payload.
def encryption_key
  random_secret = generate_random_secret
  ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
    key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
    key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
  end
end
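The envelope scheme described in the overview, as an added stand-alone Ruby example that is not Rails' own code: a fresh data-encryption key per operation, wrapped with the last master key using AES-256-GCM and stored next to the payload, with decryption that uses the stored key reference when present and otherwise tries every configured master key. The EnvelopeDemo class, its hash-shaped envelope and the AES-GCM helpers are assumptions of this example, not the Rails API.

```ruby
require "openssl"
require "securerandom"

# Stand-alone envelope-encryption demo (added example, not Rails code).
# A fresh data-encryption key (DEK) is wrapped with the last master key and
# stored next to the payload; decryption unwraps it via the stored key id or,
# when absent, by trying every master key in turn.
class EnvelopeDemo
  def initialize(master_keys, store_key_references: false)
    @master_keys = master_keys            # 32-byte keys; the last one is active
    @store_key_references = store_key_references
  end

  def encrypt(plaintext)
    dek = SecureRandom.random_bytes(32)   # random DEK for this operation only
    env = { payload: aes_gcm_encrypt(dek, plaintext),
            encrypted_data_key: aes_gcm_encrypt(@master_keys.last, dek) }
    env[:encrypted_data_key_id] = @master_keys.size - 1 if @store_key_references
    env
  end

  # Returns the plaintext, or nil when no configured master key unwraps the DEK.
  def decrypt(env)
    id = env[:encrypted_data_key_id]
    candidates = id ? [@master_keys[id]].compact : @master_keys
    candidates.each do |master|
      dek = aes_gcm_decrypt(master, env[:encrypted_data_key])
      return aes_gcm_decrypt(dek, env[:payload]) if dek
    end
    nil
  end

  private

  def aes_gcm_encrypt(key, data)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv
    { iv: iv, ct: cipher.update(data) + cipher.final, tag: cipher.auth_tag }
  end

  def aes_gcm_decrypt(key, blob)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = blob[:iv]
    cipher.auth_tag = blob[:tag]
    cipher.update(blob[:ct]) + cipher.final
  rescue OpenSSL::Cipher::CipherError
    nil                                   # wrong key: GCM tag check fails
  end
end
```

Because the wrapped DEK is authenticated, a wrong master key fails the tag check rather than yielding garbage, which is what makes the try-all-keys fallback safe to rely on.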