An encryptor exposes the encryption API that ActiveRecord::Encryption::EncryptedAttributeType uses for encrypting and decrypting attribute values.
It interacts with a KeyProvider for getting the keys, and delegate to ActiveRecord::Encryption::Cipher the actual encryption algorithm.
- B
- D
- E
- N
Constants
| DECRYPT_ERRORS | = | [OpenSSL::Cipher::CipherError, Errors::EncryptedContentIntegrity, Errors::Decryption] |
| ENCODING_ERRORS | = | [EncodingError, Errors::Encoding] |
| THRESHOLD_TO_JUSTIFY_COMPRESSION | = | 140.bytes |
This threshold cannot be changed. Users can search for attributes encrypted with ‘deterministic: true`. That is possible because we are able to generate the message for the given clear text deterministically, and with that perform a regular string lookup in SQL. Problem is, messages may have a “c” header that is present or not depending on whether compression was applied on encryption. If this threshold was modified, the message generated for lookup could vary for the same clear text, and searches on exisiting data could fail. |
||
Attributes
| [R] | compressor | The compressor to use for compressing the payload. |
Class Public methods
new(compress: true, compressor: nil) Link
Instance Public methods
binary?() Link
decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {}) Link
# File activerecord/lib/active_record/encryption/encryptor.rb, line 69 def decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {}) message = deserialize_message(encrypted_text) keys = key_provider.decryption_keys(message) raise Errors::Decryption unless keys.present? uncompress_if_needed(cipher.decrypt(message, key: keys.collect(&:secret), **cipher_options), message.headers.compressed) rescue *(ENCODING_ERRORS + DECRYPT_ERRORS) raise Errors::Decryption end
encrypt(clear_text, key_provider: default_key_provider, cipher_options: {}) Link
Encrypts clean_text and returns the encrypted result.
Internally, it will:
-
Create a new
ActiveRecord::Encryption::Message. -
Compress and encrypt
clean_textas the message payload. -
Serialize it with
ActiveRecord::Encryption.message_serializer(ActiveRecord::Encryption::SafeMarshalby default). -
Encode the result with Base64.
Options¶ ↑
# File activerecord/lib/active_record/encryption/encryptor.rb, line 51 def encrypt(clear_text, key_provider: default_key_provider, cipher_options: {}) clear_text = force_encoding_if_needed(clear_text) if cipher_options[:deterministic] validate_payload_type(clear_text) serialize_message build_encrypted_message(clear_text, key_provider: key_provider, cipher_options: cipher_options) end