Class: ActiveRecord::Encryption::KeyProvider

Inherits:
Object
  • Object
show all
Defined in:
activerecord/lib/active_record/encryption/key_provider.rb

Overview

A KeyProvider serves keys:

  • An encryption key

  • A list of potential decryption keys. Serving multiple decryption keys supports rotation-schemes where new keys are added but old keys need to continue working

Direct Known Subclasses

DerivedSecretKeyProvider

Instance Method Summary collapse

Constructor Details

#initialize(keys) ⇒ KeyProvider

Returns a new instance of KeyProvider.



11
12
13
# File 'activerecord/lib/active_record/encryption/key_provider.rb', line 11

def initialize(keys)
  @keys = Array(keys)
end

Instance Method Details

#decryption_keys(encrypted_message) ⇒ Object

Returns the list of decryption keys

When the message holds a reference to its encryption key, it will return an array with that key. If not, it will return the list of keys.



32
33
34
35
36
37
38
# File 'activerecord/lib/active_record/encryption/key_provider.rb', line 32

def decryption_keys(encrypted_message)
  if encrypted_message.headers.encrypted_data_key_id
    keys_grouped_by_id[encrypted_message.headers.encrypted_data_key_id]
  else
    @keys
  end
end

#encryption_keyObject

Returns the first key in the list as the active key to perform encryptions

When ActiveRecord::Encryption.config.store_key_references is true, the key will include a public tag referencing the key itself. That key will be stored in the public headers of the encrypted message



20
21
22
23
24
25
26
# File 'activerecord/lib/active_record/encryption/key_provider.rb', line 20

def encryption_key
  @encryption_key ||= @keys.last.tap do |key|
    key.public_tags.encrypted_data_key_id = key.id if ActiveRecord::Encryption.config.store_key_references
  end

  @encryption_key
end