examples/symmetric-encryption.yml in symmetric-encryption-3.8.3 vs examples/symmetric-encryption.yml in symmetric-encryption-3.9.0
@@ -2,26 +2,26 @@
# Symmetric Encryption for Ruby
#
---
# For the development and test environments the test symmetric encryption keys
# can be placed directly in the source code.
-# And therefore no RSA private key is required
+# And therefore no key encryption key is required
development: &development_defaults
- key: 1234567890ABCDEF1234567890ABCDEF
+ key: 1234567890ABCDEF
iv: 1234567890ABCDEF
cipher: aes-128-cbc
test:
<<: *development_defaults
production:
- # Since the key to encrypt and decrypt with must NOT be stored along with the
- # source code, we only hold a RSA key that is used to unlock the file
- # containing the actual symmetric encryption key
+ # Since the encryption key must NOT be stored along with the
+ # source code, only store the key encryption key here.
#
- # Sample RSA Key, DO NOT use this RSA key, generate a new one using
- # openssl genrsa 2048
+ # Test Key encryption key, DO NOT use this key, generate a new one using
+ # SymmetricEncryption::KeyEncryptionKey.generate
+ # Or use the rails generator to create a new config file as described in the readme
private_rsa_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
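Review bot: The rewritten comment above `private_rsa_key` now calls the value a "Test Key encryption key", but the key name and the PEM that follows are still an RSA private key, so a reader cannot tell whether the key encryption key is this RSA key or something new; state it explicitly, e.g. `# Key encryption key (an RSA private key in PEM form) used to unlock the files holding the symmetric key and iv.`, and confirm against the loader that this entry is what `SymmetricEncryption::KeyEncryptionKey.generate` produces. The shortened development `key` (16 characters) now matches the 128-bit size `aes-128-cbc` expects if the value is used as raw bytes, which the old 32-character value did not; a comment saying the key length must match the cipher would make that intent visible. The development key and iv are also the same fixed string, and the comment at the top of the development section could say that data encrypted with these placeholder values is not protected and must stay out of production. The `private_rsa_key` block scalar continues past the end of this hunk.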
@@ -47,15 +47,15 @@
h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
-----END RSA PRIVATE KEY-----
- # List Symmetric Key Ciphers in the order of current / latest first
+ # List Symmetric Key Ciphers in the order of current / newest first
ciphers:
- # Filename containing Symmetric Encryption Key encrypted using the
- # RSA public key derived from the private key above
- - key_filename: /etc/rails/.rails.key
+ -
+ # Name of the file containing the encrypted key and iv.
+ key_filename: /etc/rails/.rails.key
iv_filename: /etc/rails/.rails.iv
# Encryption cipher
# Recommended values:
# aes-256-cbc
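Review bot: The new comment above `key_filename` says the file contains "the encrypted key and iv", but the very next line configures a separate `iv_filename`, so the comment documents the wrong layout. Split it into `# Name of the file containing the encrypted symmetric key.` above `key_filename` and `# Name of the file containing the encrypted iv.` above `iv_filename`, assuming the two files really are distinct as the two keys suggest. Since the key encryption key above is what unlocks these files, the example could also note that both paths should be readable only by the application user. The ciphers list entry continues past the end of this hunk.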
@@ -81,33 +81,28 @@
# Although smaller than base64 it cannot be stored in MySQL text columns
# It can only be held in binary columns such as BINARY or BLOB
# Default: base64
encoding: base64strict
- # FUTURE ENHANCEMENT:
- #
- # By adding a version indicator all encrypted data will include
- # an additional first Byte that includes this version number to
- # assist with speeding up decryption when adding new encryption keys
- # and to support old data decryption using older keys
- #
- # By not specifying a version, or setting it to 0 will disable version
- # identification prior to decrypting data
- # During decryption these Keys will be tried in the order listed in the
- # configuration file starting with the first in the list
- # Slower since a decryption attempt is made for every key until the
- # correct key is located. However, all encrypted data does not require
- # the 1 Byte version header prefix
- #
- # Default: 0
- #version: 0
+ # Version of this key so that when a new key is supplied, old encrypted data can be decrypted
+ # using the correct key.
+ # Increment this version with every time a new key is generated.
+ version: 2
- # OPTIONAL:
- #
- # Any previous Symmetric Encryption Keys
- #
- # Only used when old data still exists that requires old decryption keys
- # to be used
- - key_filename: /etc/rails/.rails_old.key
- iv_filename: /etc/rails/.rails_old.iv
- cipher: aes-256-cbc
- encoding: base64strict
+ # Highly Recommended to always set this to true.
+ # Add a header to every encrypted message.
+ always_add_header: true
+
+ # OPTIONAL:
+ #
+ # Any previous Symmetric Encryption Keys
+ #
+ # Only used when old data still exists that requires old decryption keys
+ # to be used
+ -
+ key_filename: /etc/rails/.rails_old.key
+ iv_filename: /etc/rails/.rails_old.iv
+ cipher: aes-256-cbc
+ encoding: base64strict
+ version: 1
+ always_add_header: true
+
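Review bot: The `always_add_header` comment says the setting is highly recommended but no longer says what the header is for, and the removed text that explained version-based key selection went with it, so a reader of the new file cannot see why both list entries carry `version` and `always_add_header`. Suggest `# Prefix every encrypted value with a header recording the key version, so decryption can pick the matching key instead of trying each key in turn.`; the version-in-header behaviour is inferred from the removed comment and should be confirmed against the library. The version comment also has a grammar slip: `# Increment this version every time a new key is generated.` The old-key entry could add `# Remove this entry, and the key files it points to, once all data encrypted with it has been re-encrypted with the current key.` to bound how long a retired key remains usable by the application.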