#
# Symmetric Encryption for Ruby
#
---
# For the development and test environments the test symmetric encryption keys
# can be placed directly in the source code.
# And therefore no RSA private key is required
development: &development_defaults
  symmetric_key: 1234567890ABCDEF1234567890ABCDEF
  symmetric_iv:  1234567890ABCDEF
  cipher:        aes-128-cbc

test:
  <<: *development_defaults

production:
  # Since the key to encrypt and decrypt with must NOT be stored along with the
  # source code, we only hold a RSA key that is used to unlock the file
  # containing the actual symmetric encryption key
  #
  # Sample RSA Key, DO NOT use this RSA key, generate a new one using
  #    openssl genrsa 2048
  private_rsa_key: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
    6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
    qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
    IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
    fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
    WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
    ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
    k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
    0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
    Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
    ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
    nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
    nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
    M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
    SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
    suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
    hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
    MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
    ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
    ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
    /XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
    VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
    h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
    PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
    r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
    -----END RSA PRIVATE KEY-----

  # List Symmetric Key Ciphers in the order of current / latest first
  ciphers:
      # Filename containing Symmetric Encryption Key encrypted using the
      # RSA public key derived from the private key above
    - symmetric_key_filename: /etc/rails/.rails.key
      symmetric_iv_filename: /etc/rails/.rails.iv

      # Encryption cipher
      #   Recommended values:
      #      aes-256-cbc
      #         256 AES CBC Algorithm. Very strong
      #         Ruby 1.8.7 MRI Approximately 100,000 encryptions or decryptions per second
      #         JRuby 1.6.7 with Ruby 1.8.7 Approximately 22,000 encryptions or decryptions per second
      #      aes-128-cbc
      #         128 AES CBC Algorithm. Less strong.
      #         Ruby 1.8.7 MRI Approximately 100,000 encryptions or decryptions per second
      #         JRuby 1.6.7 with Ruby 1.8.7 Approximately 22,000 encryptions or decryptions per second
      cipher: aes-256-cbc

      # FUTURE ENHANCEMENT:
      #
      # By adding a version indicator all encrypted data will include
      # an additional first Byte that includes this version number to
      # assist with speeding up decryption when adding new encryption keys
      # and to support old data decryption using older keys
      #
      # By not specifying a version, or setting it to 0 will disable version
      # identification prior to decrypting data
      # During decryption these Keys will be tried in the order listed in the
      # configuration file starting with the first in the list
      # Slower since a decryption attempt is made for every key until the
      # correct key is located. However, all encrypted data does not require
      # the 1 Byte version header prefix
      #
      # Default: 0
      #version: 0

      # FUTURE ENHANCEMENT:
      #
      # Set the way the encrypted data is encoded:
      # base64
      #   Encrypted data is returned in base64 encoding format
      #   Symmetric::Encryption.decrypt will also base64 decode any data prior
      #   to decrypting it
      # binary
      #   Encrypted data is returned as raw binary
      #   Although smaller than base64 it cannot be stored in MySQL text columns
      #   It can only be held in binary columns such as BINARY or BLOB
      # Default: base64
      #encoding: base64

      # OPTIONAL:
      #
      # Any previous Symmetric Encryption Keys
      #
      # Only used when old data still exists that requires old decryption keys
      # to be used
    - symmetric_key_filename: /etc/rails/.rails_old.key
      symmetric_iv_filename:  /etc/rails/.rails_old.iv
      cipher:                 aes-256-cbc