README.md in lockbox-0.4.9 vs README.md in lockbox-0.5.0

- old
+ new

@@ -1,16 +1,17 @@ # Lockbox -:package: Modern encryption for Rails +:package: Modern encryption for Ruby and Rails - Works with database fields, files, and strings - Maximizes compatibility with existing code and libraries - Makes migrating existing data and key rotation easy +- Has zero dependencies and many integrations Learn [the principles behind it](https://ankane.org/modern-encryption-rails), [how to secure emails with Devise](https://ankane.org/securing-user-emails-lockbox), and [how to secure sensitive data in Rails](https://ankane.org/sensitive-data-rails). -[![Build Status](https://travis-ci.org/ankane/lockbox.svg?branch=master)](https://travis-ci.org/ankane/lockbox) +[![Build Status](https://github.com/ankane/lockbox/workflows/build/badge.svg?branch=master)](https://github.com/ankane/lockbox/actions) ## Installation Add this line to your application’s Gemfile: 
@@ -411,50 +412,64 @@ Finally, delete the unencrypted files and drop the column for the original uploader. You can also remove the `key` option from the uploader. ## Shrine -Generate a key +#### Models +Include the attachment as normal: + ```ruby -key = Lockbox.generate_key +class User < ApplicationRecord + include LicenseUploader::Attachment(:license) +end ``` -Create a lockbox +And encrypt in a controller (or background job, etc) with: ```ruby -lockbox = Lockbox.new(key: key) +license = params.require(:user).fetch(:license) +lockbox = Lockbox.new(key: Lockbox.attribute_key(table: "users", attribute: "license")) +user.license = lockbox.encrypt_io(license) ``` -Encrypt files before passing them to Shrine +To serve encrypted files, use a controller action. ```ruby -LicenseUploader.upload(lockbox.encrypt_io(file), :store) +def license + user = User.find(params[:id]) + lockbox = Lockbox.new(key: Lockbox.attribute_key(table: "users", attribute: "license")) + send_data lockbox.decrypt(user.license.read), type: user.license.mime_type +end ``` -And decrypt them after reading +#### Non-Models +Generate a key + ```ruby -lockbox.decrypt(uploaded_file.read) +key = Lockbox.generate_key ``` -For models, encrypt with: +Create a lockbox ```ruby -license = params.require(:user).fetch(:license) -user.license = lockbox.encrypt_io(license) +lockbox = Lockbox.new(key: key) ``` -To serve encrypted files, use a controller action. +Encrypt files before passing them to Shrine ```ruby -def license - user = User.find(params[:id]) - send_data lockbox.decrypt(user.license.read), type: user.license.mime_type -end +LicenseUploader.upload(lockbox.encrypt_io(file), :store) ``` +And decrypt them after reading + +```ruby +lockbox.decrypt(uploaded_file.read) +``` + ## Local Files Generate a key ```ruby 
@@ -653,10 +668,12 @@ - well-studied - NIST recommended - an IETF standard - fast thanks to a [dedicated instruction set](https://en.wikipedia.org/wiki/AES_instruction_set) +Lockbox uses 256-bit keys. + **For users who do a lot of encryptions:** You should rotate an individual key after 2 billion encryptions to minimize the chance of a [nonce collision](https://www.cryptologie.net/article/402/is-symmetric-security-solved/), which will expose the key. Each database field and file uploader use a different key (derived from the master key) to extend this window. ### XSalsa20 You can also use XSalsa20, which uses an extended nonce so you don’t have to worry about nonce collisions. First, [install Libsodium](https://github.com/crypto-rb/rbnacl/wiki/Installing-libsodium). For Homebrew, use: @@ -706,10 +723,26 @@ ```sh sudo apt-get install libsodium18 ``` +##### GitHub Actions + +For Ubuntu 20.04 and 18.04, use: + +```yml + - name: Install Libsodium + run: sudo apt-get install libsodium23 +``` + +For Ubuntu 16.04, use: + +```yml + - name: Install Libsodium + run: sudo apt-get install libsodium18 +``` + ##### Travis CI On Bionic, add to `.travis.yml`: ```yml @@ -733,11 +766,10 @@ Add a step to `.circleci/config.yml`: ```yml - run: name: install Libsodium - command: | - sudo apt-get install -y libsodium18 + command: sudo apt-get install -y libsodium18 ``` ## Hybrid Cryptography [Hybrid cryptography](https://en.wikipedia.org/wiki/Hybrid_cryptosystem) allows servers to encrypt data without being able to decrypt it.
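Review bot: The new bullet "Has zero dependencies and many integrations" in the @@ -1,16 +1,17 @@ hunk is unqualified, while the XSalsa20 section further down this same README starts with "First, install Libsodium". Suggest qualifying the bullet, for example "Has zero dependencies unless you opt in to XSalsa20", so the native library requirement is not a surprise to readers who pick that algorithm.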
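Review bot: In the Shrine hunk (@@ -411,50 +412,64 @@), the Models snippets change the key source without a migration note: 0.4.9 encrypted model attachments with the `lockbox` built from `Lockbox.generate_key`, and 0.5.0 uses `Lockbox.new(key: Lockbox.attribute_key(table: "users", attribute: "license"))`. A reader who followed the old text and now copies the new `license` action will try to decrypt existing files with a different key. Suggest adding a sentence under "#### Models" saying that files already encrypted with a generated key must keep using that key or be re-encrypted, and that the `table:` and `attribute:` strings have to be identical in the encrypt and serve snippets. The `license` action also still does `User.find(params[:id])` followed by `send_data` with no access check; since the section is being rewritten, a one-line reminder to authorize the request before decrypting would fit here.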
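Review bot: The added sentence "Lockbox uses 256-bit keys." in the @@ -653,10 +668,12 @@ hunk does not say which algorithm it refers to. It sits between the AES-GCM bullet list and the nonce-collision paragraph, directly above the "### XSalsa20" heading, so it reads as an AES-GCM-only statement. Suggest either naming the algorithm in the sentence or moving it to where keys are introduced, so readers know whether the same key length applies when XSalsa20 is selected.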
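Review bot: The new GitHub Actions steps in the @@ -706,10 +723,26 @@ hunk run `sudo apt-get install libsodium23` and `sudo apt-get install libsodium18` without `-y`, while the CircleCI step in the next hunk uses `sudo apt-get install -y libsodium18`. Suggest adding `-y` to both GitHub Actions commands so the CI snippets are consistent and never wait on a confirmation prompt. It would also help to say that the Ubuntu versions in "For Ubuntu 20.04 and 18.04" and "For Ubuntu 16.04" refer to the runner image the workflow selects.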