An encryptor exposes the encryption API that ActiveRecord::Encryption::EncryptedAttributeType uses for encrypting and decrypting attribute values.
It interacts with a KeyProvider to get the keys, and delegates the actual encryption algorithm to ActiveRecord::Encryption::Cipher.
Constants
DECRYPT_ERRORS | = | [OpenSSL::Cipher::CipherError, Errors::EncryptedContentIntegrity, Errors::Decryption] |
ENCODING_ERRORS | = | [EncodingError, Errors::Encoding] |
THRESHOLD_TO_JUSTIFY_COMPRESSION | = | 140.bytes |
This threshold cannot be changed. Users can search for attributes encrypted with `deterministic: true`. That is possible because we are able to generate the message for the given clear text deterministically, and with that perform a regular string lookup in SQL. The problem is that messages may have a "c" header that is present or not depending on whether compression was applied on encryption. If this threshold were modified, the message generated for lookup could vary for the same clear text, and searches on existing data could fail. |
Attributes
[R] | compressor | The compressor to use for compressing the payload. |
Class Public methods
new(compress: true, compressor: nil)
Instance Public methods
binary?()
decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {})
# File activerecord/lib/active_record/encryption/encryptor.rb, line 69
def decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {})
  message = deserialize_message(encrypted_text)
  keys = key_provider.decryption_keys(message)
  raise Errors::Decryption unless keys.present?
  uncompress_if_needed(cipher.decrypt(message, key: keys.collect(&:secret), **cipher_options), message.headers.compressed)
rescue *(ENCODING_ERRORS + DECRYPT_ERRORS)
  raise Errors::Decryption
end
encrypt(clear_text, key_provider: default_key_provider, cipher_options: {})
Encrypts clear_text and returns the encrypted result.
Internally, it will:
- Create a new ActiveRecord::Encryption::Message.
- Compress and encrypt clear_text as the message payload.
- Serialize it with ActiveRecord::Encryption.message_serializer (ActiveRecord::Encryption::SafeMarshal by default).
- Encode the result with Base64.
Options
# File activerecord/lib/active_record/encryption/encryptor.rb, line 51
def encrypt(clear_text, key_provider: default_key_provider, cipher_options: {})
  clear_text = force_encoding_if_needed(clear_text) if cipher_options[:deterministic]

  validate_payload_type(clear_text)
  serialize_message build_encrypted_message(clear_text, key_provider: key_provider, cipher_options: cipher_options)
end
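The sketch below is an added example, not Rails code: a stdlib-only model of the encrypt steps listed above, showing why THRESHOLD_TO_JUSTIFY_COMPRESSION must stay fixed for deterministic lookups. The names toy_encrypt, toy_decrypt, lookup_matches? and DEMO_KEY are hypothetical, and the HMAC-derived IV and JSON framing are assumptions standing in for the real cipher and serializer.

```ruby
require "openssl"
require "zlib"
require "base64"
require "json"

# Constructed 32-byte demo key; in Rails the key comes from the KeyProvider.
DEMO_KEY = OpenSSL::Digest::SHA256.digest("constructed demo key")

# Toy deterministic encryptor: compress above the threshold, AES-256-GCM, serialize, Base64.
def toy_encrypt(clear_text, threshold: 140)
  payload = clear_text.b
  compressed = payload.bytesize > threshold
  payload = Zlib::Deflate.deflate(payload) if compressed

  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = DEMO_KEY
  # Assumption: the IV is derived from the payload so equal inputs give equal messages.
  iv = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), DEMO_KEY, payload)[0, 12]
  cipher.iv = iv
  cipher.auth_data = ""
  encrypted = cipher.update(payload) + cipher.final

  headers = { "iv" => Base64.strict_encode64(iv), "at" => Base64.strict_encode64(cipher.auth_tag) }
  headers["c"] = true if compressed # the "c" header exists only when compression was applied
  Base64.strict_encode64(JSON.generate({ "p" => Base64.strict_encode64(encrypted), "h" => headers }))
end

def toy_decrypt(message)
  parsed = JSON.parse(Base64.strict_decode64(message))
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = DEMO_KEY
  cipher.iv = Base64.strict_decode64(parsed["h"]["iv"])
  cipher.auth_tag = Base64.strict_decode64(parsed["h"]["at"])
  cipher.auth_data = ""
  payload = cipher.update(Base64.strict_decode64(parsed["p"])) + cipher.final
  payload = Zlib::Inflate.inflate(payload) if parsed["h"]["c"]
  payload.force_encoding(Encoding::UTF_8)
end

# Models the SQL equality lookup: regenerate the message and compare the strings.
def lookup_matches?(stored_message, clear_text, threshold:)
  stored_message == toy_encrypt(clear_text, threshold: threshold)
end

SAMPLE = "user-#{'a' * 160}@example.com" # constructed value, 177 bytes
STORED = toy_encrypt(SAMPLE)             # written with the 140-byte threshold
```

Both thresholds produce messages that decrypt to the same clear text; only the string-equality lookup breaks, which is why the failure shows up as missing search results rather than as a decryption error.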