Implements a simple envelope encryption approach where:
It generates a random data-encryption key for each encryption operation
It stores the generated key along with the encrypted payload. It encrypts this key with the master key provided in the credential +active_record.encryption.master key+
This provider can work with multiple master keys. It will use the last one for encrypting.
When `config.store_key_references` is true, it will also store a reference to the specific master key that was used to encrypt the data-encryption key. When not set, it will try all the configured master keys looking for the right one, in order to return the right decryption key.
# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 31 def active_primary_key @active_primary_key ||= primary_key_provider.encryption_key end
# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 26 def decryption_keys(encrypted_message) secret = decrypt_data_key(encrypted_message) secret ? [ActiveRecord::Encryption::Key.new(secret)] : [] end
# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 18
def encryption_key
random_secret = generate_random_secret
ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
end
end
© 2004–2021 David Heinemeier Hansson
Licensed under the MIT License.