Class: ActiveRecord::Encryption::Cipher::Aes256Gcm
Relationships & Source Files
Inherits: Object
Defined in: activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb
Overview
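An AES-256-GCM cipher.
By default it uses random initialization vectors. For deterministic encryption, it derives the IV from an HMAC-SHA256 of the text to encrypt, keyed with the secret and truncated to the cipher's IV length, so the same clear text under the same secret always produces the same IV and the same ciphertext.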
Constant Summary
- CIPHER_TYPE =
  # File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 15
  "aes-256-gcm"
Class Method Summary
- .iv_length
- .key_length
- .new(secret, deterministic: false) ⇒ Aes256Gcm constructor
  Unless deterministic is set, it generates a random IV on each encryption operation (the default and recommended mode).
Instance Method Summary
- #decrypt(encrypted_message)
- #encrypt(clear_text)
- #generate_deterministic_iv(clear_text) private
- #generate_iv(cipher, clear_text) private
- #inspect Internal use only
Constructor Details
.new(secret, deterministic: false) ⇒ Aes256Gcm
Unless deterministic is set, it generates a random IV on each encryption operation (the default and recommended mode).
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 29
def initialize(secret, deterministic: false)
  @secret = secret
  @deterministic = deterministic
end
Class Method Details
.iv_length
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 22
def iv_length
  OpenSSL::Cipher.new(CIPHER_TYPE).iv_len
end
.key_length
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 18
def key_length
  OpenSSL::Cipher.new(CIPHER_TYPE).key_len
end
Instance Method Details
#decrypt(encrypted_message)
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 55
def decrypt(encrypted_message)
  encrypted_data = encrypted_message.payload
  iv = encrypted_message.headers.iv
  auth_tag = encrypted_message.headers.auth_tag

  # Currently the OpenSSL bindings do not raise an error if auth_tag is
  # truncated, which would allow an attacker to easily forge it. See
  # https://github.com/ruby/openssl/issues/63
  raise ActiveRecord::Encryption::Errors::EncryptedContentIntegrity if auth_tag.nil? || auth_tag.bytes.length != 16

  cipher = OpenSSL::Cipher.new(CIPHER_TYPE)

  cipher.decrypt
  cipher.key = @secret
  cipher.iv = iv

  cipher.auth_tag = auth_tag
  cipher.auth_data = ""

  decrypted_data = encrypted_data.empty? ? encrypted_data : cipher.update(encrypted_data)
  decrypted_data << cipher.final

  decrypted_data
rescue OpenSSL::Cipher::CipherError, TypeError, ArgumentError
  raise ActiveRecord::Encryption::Errors::Decryption
end
#encrypt(clear_text)
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 34
def encrypt(clear_text)
  # This code is extracted from ActiveSupport::MessageEncryptor. Not using it directly because we want to control
  # the message format and only serialize things once at the ActiveRecord::Encryption::Message level. Also, this
  # cipher is prepared to deal with deterministic/non deterministic encryption modes.

  cipher = OpenSSL::Cipher.new(CIPHER_TYPE)
  cipher.encrypt
  cipher.key = @secret

  iv = generate_iv(cipher, clear_text)
  cipher.iv = iv

  encrypted_data = clear_text.empty? ? clear_text.dup : cipher.update(clear_text)
  encrypted_data << cipher.final

  ActiveRecord::Encryption::Message.new(payload: encrypted_data).tap do |message|
    message.headers.iv = iv
    message.headers.auth_tag = cipher.auth_tag
  end
end
#generate_deterministic_iv(clear_text) (private)
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 95
def generate_deterministic_iv(clear_text)
  OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @secret, clear_text)[0, ActiveRecord::Encryption.cipher.iv_length]
end
#generate_iv(cipher, clear_text) (private)
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 87
def generate_iv(cipher, clear_text)
  if @deterministic
    generate_deterministic_iv(clear_text)
  else
    cipher.random_iv
  end
end
#inspect
This method is for internal use only.
# File 'activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb', line 82
def inspect # :nodoc:
  "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
end
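The two IV modes and the auth-tag length check described above can be exercised with plain OpenSSL. This is an added example, not code from Rails: the helper names (deterministic_iv, gcm_encrypt, gcm_decrypt), the Hash standing in for ActiveRecord::Encryption::Message, the ArgumentError standing in for EncryptedContentIntegrity, and the sample secret and clear text are assumptions constructed for illustration.

```ruby
require "openssl"

CIPHER = "aes-256-gcm"
TAG_BYTES = 16 # full GCM tag length, the value the page's #decrypt enforces

# Same derivation as the page's generate_deterministic_iv:
# HMAC-SHA256(secret, clear_text) truncated to the cipher's IV length.
def deterministic_iv(secret, clear_text)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, secret, clear_text)
  digest[0, OpenSSL::Cipher.new(CIPHER).iv_len]
end

# Returns a Hash standing in for ActiveRecord::Encryption::Message (assumption).
def gcm_encrypt(secret, clear_text, deterministic: false)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = secret
  iv = deterministic ? deterministic_iv(secret, clear_text) : cipher.random_iv
  cipher.iv = iv
  payload = clear_text.empty? ? "".b : cipher.update(clear_text)
  payload << cipher.final
  { iv: iv, payload: payload, auth_tag: cipher.auth_tag }
end

def gcm_decrypt(secret, message)
  tag = message[:auth_tag]
  # Reject missing or short tags before OpenSSL sees them.
  # ArgumentError is a stand-in for EncryptedContentIntegrity.
  raise ArgumentError, "auth tag must be #{TAG_BYTES} bytes" if tag.nil? || tag.bytesize != TAG_BYTES
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = secret
  cipher.iv = message[:iv]
  cipher.auth_tag = tag
  cipher.auth_data = ""
  data = message[:payload].empty? ? "".b : cipher.update(message[:payload])
  data << cipher.final
end

# Constructed sample input: a random 32-byte key and a made-up value.
demo_secret = OpenSSL::Random.random_bytes(32)
det = Array.new(2) { gcm_encrypt(demo_secret, "alice@example.com", deterministic: true) }
rnd = Array.new(2) { gcm_encrypt(demo_secret, "alice@example.com") }
puts "deterministic ciphertexts equal: #{det[0] == det[1]}"
puts "random-IV ciphertexts equal:     #{rnd[0][:payload] == rnd[1][:payload]}"
puts "round trip: #{gcm_decrypt(demo_secret, rnd[0])}"
```

Equal ciphertexts in deterministic mode are what make encrypted columns queryable by equality, and also what reveals to anyone reading the stored data which rows hold the same value.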