Class: KmsTools::EncryptedFile

Inherits:

Object

• Object
• KmsTools::EncryptedFile

Defined in:

lib/kms-tools/encrypted_file.rb

Overview

Interacts with files and streams for encryption and decryption of large blobs of data

Author:

• Matt Krieger

Constant Summary

META_SIZE_HEADER_LENGTH =

Number of bytes allocated at the beginning of a KMS file noting metadata size. 7 bytes limits metadata to 9.9 MB, which is way too much. Don’t use that much.

7

DEFAULT_CIPHER =

Default cipher for local encryption

'aes-256-cbc'

KMS_REQUIRED_ELEMENTS =

Minimum required metadata elements for a KMS file to be valid

%i(encrypted_key encrypted_iv cipher original_extension checksum)

Instance Method Summary

• #checksum ⇒ string

  Get the SHA1 checksum of the decrypted data.

• #cipher ⇒ string

  Get the cipher used for the encrypted file or set the default.

• #create_from_file(path) ⇒ Hash

  Generate metadata from a plaintext file and prepare for encryption.

• #encrypted_data ⇒ Object
• #encrypted_iv ⇒ string

  Get the encrypted initialization vector of the current file, generate a new one if not present.

• #encrypted_key ⇒ string

  Get the encrypted key of the current file, generate a new one if not present.

• #file_sha(path) ⇒ String

  Calculate SHA of a given file by chunks.

• #initialize(options = {}) ⇒ EncryptedFile constructor

  Creats an EncryptedFile object.

• #is_valid_kms_file?(yaml) ⇒ Boolean

  Verify YAML header of a KMS file to encure necessary information is present to decrypt.

• #load_encrypted_file(path) ⇒ Hash

  Read a KMS encrypted file and populate object metadata from file headers.

• #original_extension ⇒ string

  Get the original extension of the encrypted file.

• #save_decrypted(path) ⇒ Boolean

  Save decrypted data to the provided path.

• #save_encrypted(path) ⇒ Boolean

  Save encrypted data with KMS headers to the provided path.

• #set_up_encryption_params ⇒ nil

  Generate encryption key, iv, and cipher if they do not exist.

Constructor Details

#initialize(options = {}) ⇒ EncryptedFile

Creats an EncryptedFile object.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• :encrypter (Object) —

  existing (Encrypter) object with options set

• :path (String) —

  Path to an encrypted file to load on initialization

# File 'lib/kms-tools/encrypted_file.rb', line 23

def initialize(options = {})
  @enc = options[:encrypter] || KmsTools::Encrypter.new
  @dec = KmsTools::Decrypter.new
  @kms_meta = {}

  if options[:path]
    if File.readable?(options[:path])
      load_encrypted_file(options[:path])
    else
      raise "#{options[:path]} is not a readable!"
    end
  end
end

Instance Method Details

#checksum ⇒ string

Get the SHA1 checksum of the decrypted data

Returns:

• (string) —

  hex encoded SHA1 checksum

# File 'lib/kms-tools/encrypted_file.rb', line 102

def checksum
  @kms_meta[:checksum]
end

#cipher ⇒ string

Get the cipher used for the encrypted file or set the default

Returns:

• (string) —

  OpenSSL cipher

# File 'lib/kms-tools/encrypted_file.rb', line 95

def cipher
  @kms_meta[:cipher] ||= DEFAULT_CIPHER
end

#create_from_file(path) ⇒ Hash

Generate metadata from a plaintext file and prepare for encryption

Parameters:

• path (String) —

  Path to plaintext file

Returns:

• (Hash) —

  KMS file metadata

# File 'lib/kms-tools/encrypted_file.rb', line 41

def create_from_file(path)
  @decrypted_source = path
  @kms_meta[:arn] = @enc.master_key_arn
  @kms_meta[:checksum] = file_sha(path)
  @kms_meta[:original_extension] = File.extname(path)
  set_up_encryption_params
  @kms_meta
end

#encrypted_data ⇒ Object

# File 'lib/kms-tools/encrypted_file.rb', line 88

def encrypted_data
  @kms_meta[:encrypted_data]
end

#encrypted_iv ⇒ string

Get the encrypted initialization vector of the current file, generate a new one if not present

Returns:

• (string) —

  Base64 encoded encrypted data key

# File 'lib/kms-tools/encrypted_file.rb', line 77

def encrypted_iv
  @kms_meta[:encrypted_iv] ||= @enc.new_encrypted_key
end

#encrypted_key ⇒ string

Get the encrypted key of the current file, generate a new one if not present

Returns:

• (string) —

  Base64 encoded encrypted data key

# File 'lib/kms-tools/encrypted_file.rb', line 70

def encrypted_key
  @kms_meta[:encrypted_key] ||= @enc.new_encrypted_key
end

#file_sha(path) ⇒ String

Calculate SHA of a given file by chunks

Parameters:

• path (String) —

  Path to file

Returns:

• (String) —

  Hex encoded SHA1 hash

# File 'lib/kms-tools/encrypted_file.rb', line 172

def file_sha(path)
  sha1 = Digest::SHA1.new
  file = File.open(path,'rb')
  chunk = ""
  while file.read(STREAM_CHUNK_SIZE, chunk)
    sha1.update(chunk)
  end

  sha1.hexdigest
end

#is_valid_kms_file?(yaml) ⇒ Boolean

Verify YAML header of a KMS file to encure necessary information is present to decrypt

Parameters:

• yaml (Object) —

  object containing KMS metadata

Returns:

• (Boolean)

# File 'lib/kms-tools/encrypted_file.rb', line 164

def is_valid_kms_file?(yaml)
  KMS_REQUIRED_ELEMENTS.all? { |e| yaml.has_key? e }
end

#load_encrypted_file(path) ⇒ Hash

Read a KMS encrypted file and populate object metadata from file headers

Parameters:

• path (String) —

  Path to encrypted file

Returns:

• (Hash) —

  KMS file metadata

# File 'lib/kms-tools/encrypted_file.rb', line 54

def load_encrypted_file(path)
  meta_size = IO.binread(path, META_SIZE_HEADER_LENGTH).to_i
  kms_yaml = YAML::load(IO.binread(path, meta_size, META_SIZE_HEADER_LENGTH))
  if is_valid_kms_file?(kms_yaml)
    @kms_meta = kms_yaml
    @encrypted_file_path = path
    @encrypted_data_start = META_SIZE_HEADER_LENGTH + meta_size
  else
    raise "#{path} is not a valid KMS file!"
  end
  @kms_meta
end

#original_extension ⇒ string

Get the original extension of the encrypted file

Returns:

• (string) —

  file extension

# File 'lib/kms-tools/encrypted_file.rb', line 84

def original_extension
  @kms_meta[:original_extension]
end

#save_decrypted(path) ⇒ Boolean

Save decrypted data to the provided path

Parameters:

• path (String) —

  Path to save decrypted file

Returns:

• (Boolean) —

  returns true on success

# File 'lib/kms-tools/encrypted_file.rb', line 142

def save_decrypted(path)
  path << @kms_meta[:original_extension] unless File.extname(path) == @kms_meta[:original_extension]
  infile = File.open(@encrypted_file_path, 'rb')
  outfile = File.open(path, 'wb+')
  @dec.stream_decrypt_with_data_key({
    in: infile,
    position: @encrypted_data_start,
    out: outfile,
    encrypted_iv: encrypted_iv,
    encrypted_key: encrypted_key,
    cipher: cipher,
    checksum: checksum
    })

  outfile.close
  true
end

#save_encrypted(path) ⇒ Boolean

Save encrypted data with KMS headers to the provided path

Parameters:

• path (String) —

  Path to save encrypted file

Returns:

• (Boolean) —

  returns true on success

# File 'lib/kms-tools/encrypted_file.rb', line 119

def save_encrypted(path)
  kms_yaml = @kms_meta.to_yaml
  meta_size = kms_yaml.bytesize.to_s.rjust(META_SIZE_HEADER_LENGTH, "0")
  infile = File.open(@decrypted_source, 'rb')
  outfile = File.open(path, 'wb+')
  outfile << meta_size
  outfile << kms_yaml
  @enc.stream_encrypt_with_data_key({
      in: infile,
      out: outfile,
      encrypted_iv: encrypted_iv,
      encrypted_key: encrypted_key,
      cipher: cipher
  })

  outfile.close
  true
end

#set_up_encryption_params ⇒ nil

Generate encryption key, iv, and cipher if they do not exist

Returns:

• (nil)

# File 'lib/kms-tools/encrypted_file.rb', line 108

def set_up_encryption_params
  encrypted_key
  encrypted_iv
  cipher
  return nil
end