class ActiveRecord::Encryption::EnvelopeEncryptionKeyProvider
Implements a simple envelope encryption approach where:
-
It generates a random data-encryption key for each encryption operation.
-
It stores the generated key along with the encrypted payload. It encrypts this key with the master key provided in the
active_record_encryption.primary_keycredential.
This provider can work with multiple master keys. It will use the last one for encrypting.
When config.active_record.encryption.store_key_references is true, it will also store a reference to the specific master key that was used to encrypt the data-encryption key. When not set, it will try all the configured master keys looking for the right one, in order to return the right decryption key.
Public instance methods
active_primary_key()
Source code GitHub
# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 31
def active_primary_key
@active_primary_key ||= primary_key_provider.encryption_key
enddecryption_keys(encrypted_message)
Source code GitHub
# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 26
def decryption_keys(encrypted_message)
secret = decrypt_data_key(encrypted_message)
secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
endencryption_key()
Source code GitHub
# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 18
def encryption_key
random_secret = generate_random_secret
ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
end
end