Class: KmsTools::Encrypter

Inherits:
  • Base
  • Object
Defined in:
lib/kms-tools/encrypter.rb

Overview

Provides low-level encryption functionality for kms-tools

Author:

  • Matt Krieger

Constant Summary

STRING_SIZE_LIMIT = 4096

  Size limit (in bytes) for encrypting data directly using Aws::KMS::Client.encrypt

DEFAULT_KEY_SPEC = 'AES_256'

  Key spec to use by default unless overridden

Constants inherited from Base

Base::DEFAULT_REGION

Instance Attribute Summary

Attributes inherited from Base

#kms, #master_key

Instance Method Summary

Methods inherited from Base

#available_aliases, #from_64, #initialize, #master_key_arn, #master_key_id, #region, #to_64, #to_s64, #use_key_alias=

Constructor Details

This class inherits a constructor from KmsTools::Base

Instance Method Details

#encrypt_string(str) ⇒ String

Encrypt a string of up to 4KB in size directly with KMS

Parameters:

  • str (String)

    String to encrypt

Returns:

  • (String)

    Base64 encoded ciphertext

# File 'lib/kms-tools/encrypter.rb', line 15

def encrypt_string(str)
  # ciphertext_blob is binary; to_s64 (inherited from Base) Base64-encodes it
  to_s64(kms_encrypt(str).ciphertext_blob)
end

#encrypt_with_data_key(params) ⇒ String

Encrypt a blob locally with a data key and IV that are stored KMS-encrypted and unwrapped through KMS before use

Parameters:

  • params (Hash)

Options Hash (params):

  • :cipher (String)

    OpenSSL cipher to use for encryption

  • :encrypted_key (String)

    Encrypted data key, as returned by #new_encrypted_key

  • :encrypted_iv (String)

    Encrypted initialization vector; it is decrypted through KMS before use

  • :data (String)

    Plaintext data blob

Returns:

  • (String)

    Binary encrypted ciphertext

# File 'lib/kms-tools/encrypter.rb', line 34

def encrypt_with_data_key(params)
  d = KmsTools::Decrypter.new
  cipher = OpenSSL::Cipher.new(params[:cipher])
  cipher.encrypt
  # the data key and IV are stored KMS-encrypted; unwrap both through KMS first
  cipher.key = d.decrypt_string(params[:encrypted_key])
  cipher.iv = d.decrypt_string(params[:encrypted_iv])
  # return the raw ciphertext (binary, not Base64 encoded)
  cipher.update(params[:data]) + cipher.final
end

#key_spec ⇒ String

Key spec that will be used for data key creation

Returns:

  • (String)

    The configured key spec, falling back to DEFAULT_KEY_SPEC

# File 'lib/kms-tools/encrypter.rb', line 90

def key_spec
  # memoized; falls back to DEFAULT_KEY_SPEC ('AES_256') unless set
  @key_spec ||= DEFAULT_KEY_SPEC
end

#kms_encrypt(str) ⇒ Object

Call Aws::KMS::Client.encrypt using this object's master_key

Parameters:

  • str (String)

    String to encrypt

Returns:

  • (Object)

    Response from Aws::KMS::Client.encrypt; the ciphertext is in its ciphertext_blob

# File 'lib/kms-tools/encrypter.rb', line 22

def kms_encrypt(str)
  # KMS itself rejects plaintext larger than STRING_SIZE_LIMIT (4096 bytes)
  kms.encrypt({:key_id => master_key, :plaintext => str})
end

#new_encrypted_key ⇒ String

Generate Base64 encoded encrypted data key to use for local symmetric encryption

Returns:

  • (String)

    Base64 encoded encrypted data key

# File 'lib/kms-tools/encrypter.rb', line 84

def new_encrypted_key
  to_s64(new_key.ciphertext_blob)
end

#new_key ⇒ Object

Generate a data key to use for local symmetric encryption

Returns:

  • (Object)

    Response from Aws::KMS::Client.generate_data_key; its plaintext holds the data key and its ciphertext_blob the KMS-encrypted copy

# File 'lib/kms-tools/encrypter.rb', line 75

def new_key
  # returns both the plaintext data key and its KMS-encrypted copy
  kms.generate_data_key({
    :key_id => master_key,
    :key_spec => key_spec
  })
end

#stream_encrypt_with_data_key(params) ⇒ Object

Encrypt a stream locally with a data key and IV that are stored KMS-encrypted and unwrapped through KMS before use

Parameters:

  • params (Hash)

Options Hash (params):

  • :cipher (String)

    OpenSSL cipher to use for encryption

  • :encrypted_key (String)

    Encrypted data key, as returned by #new_encrypted_key

  • :encrypted_iv (String)

    Encrypted initialization vector; it is decrypted through KMS before use

  • :in (Stream)

    Input stream to read plaintext data from

  • :out (Stream)

    Stream to write encrypted output to

  • :position (Integer)

    Optional byte offset to seek to in :in before reading

Returns:

  • (true)

    true once the whole stream has been encrypted and written

# File 'lib/kms-tools/encrypter.rb', line 52

def stream_encrypt_with_data_key(params)
  d = KmsTools::Decrypter.new

  # set up cipher; key and IV are stored KMS-encrypted and unwrapped here
  cipher = OpenSSL::Cipher.new(params[:cipher])
  cipher.encrypt
  cipher.key = d.decrypt_string(params[:encrypted_key])
  cipher.iv = d.decrypt_string(params[:encrypted_iv])

  # write the output stream one STREAM_CHUNK_SIZE block at a time
  # (STREAM_CHUNK_SIZE is not among the constants documented for this class;
  # it is assumed to be defined elsewhere in kms-tools)
  buf = String.new # mutable buffer; read(len, buf) fills it in place
  params[:in].seek(params[:position], :SET) if params[:position]
  while params[:in].read(STREAM_CHUNK_SIZE, buf)
    params[:out] << cipher.update(buf)
  end
  params[:out] << cipher.final

  # return true if nothing errored out
  true
end
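The envelope flow that #new_key, #new_encrypted_key and #encrypt_with_data_key implement, as an added example that is not part of kms-tools: a constructed FakeKmsClient (hypothetical, not the AWS SDK) stands in for Aws::KMS::Client so it runs offline, and envelope_encrypt / envelope_decrypt are assumed helper names that use the same params hash shape as #encrypt_with_data_key.

```ruby
require 'openssl'
require 'base64'
# Constructed stand-in for Aws::KMS::Client (hypothetical): a local AES-256-GCM master key does the wrapping offline.
class FakeKmsClient
  Response = Struct.new(:ciphertext_blob, :plaintext)
  STRING_SIZE_LIMIT = 4096 # same direct-encrypt limit the page documents
  def initialize; @master = OpenSSL::Random.random_bytes(32); end

  # Wrap up to 4 KB; blob layout is iv(12) || ciphertext || auth_tag(16).
  def encrypt(params)
    pt = params[:plaintext]
    raise ArgumentError, "plaintext exceeds #{STRING_SIZE_LIMIT} bytes" if pt.bytesize > STRING_SIZE_LIMIT
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @master
    iv = c.random_iv
    Response.new(iv + c.update(pt) + c.final + c.auth_tag, nil)
  end

  # Unwrap; any modification of the blob fails the GCM tag check (CipherError).
  def decrypt(params)
    blob = params[:ciphertext_blob]
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = @master
    c.iv = blob[0, 12]
    c.auth_tag = blob[-16, 16]
    Response.new(nil, c.update(blob[12, blob.bytesize - 28]) + c.final)
  end

  # Like KMS GenerateDataKey with key_spec AES_256: plaintext key plus wrapped copy.
  def generate_data_key(params)
    key = OpenSSL::Random.random_bytes(32)
    Response.new(encrypt({ key_id: params[:key_id], plaintext: key }).ciphertext_blob, key)
  end
end

# Envelope encryption in the shape of #encrypt_with_data_key: KMS wraps the data key and a fresh IV.
def envelope_encrypt(kms, master_key, data, cipher_name = 'aes-256-cbc')
  dk = kms.generate_data_key({ key_id: master_key, key_spec: 'AES_256' })
  c = OpenSSL::Cipher.new(cipher_name).encrypt
  c.key = dk.plaintext
  iv = c.random_iv # new IV per message; never reuse one under the same data key
  { cipher: cipher_name, data: c.update(data) + c.final,
    encrypted_key: Base64.strict_encode64(dk.ciphertext_blob),
    encrypted_iv: Base64.strict_encode64(kms.encrypt({ key_id: master_key, plaintext: iv }).ciphertext_blob) }
end

# Inverse: unwrap key and IV through KMS, then decrypt locally.
def envelope_decrypt(kms, params)
  c = OpenSSL::Cipher.new(params[:cipher]).decrypt
  c.key = kms.decrypt({ ciphertext_blob: Base64.strict_decode64(params[:encrypted_key]) }).plaintext
  c.iv = kms.decrypt({ ciphertext_blob: Base64.strict_decode64(params[:encrypted_iv]) }).plaintext
  c.update(params[:data]) + c.final
end
```

Only the wrapped key and IV are stored next to the ciphertext, so a stolen blob is useless without a KMS Decrypt call that CloudTrail records.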