
Comments (8)

itspriddle commented on August 16, 2024

It seems weird to use a migration encryptor IMO, since you could end up with data encrypted by either the old or new styles. If I were migrating data from one version to another, I would write a script to do it on all models immediately. I think we should encourage people to do the same.

The code above looks fine, I just think we should make people deal with the migration at once instead of spreading it out until every model has been saved.

from crypt_keeper.

itspriddle commented on August 16, 2024

Maybe this could even be packaged as an ActiveRecord::Migration helper. Then you could migrate in two steps:

  1. Edit the model and specify the new encryptor
  2. Create an irreversible migration with something like crypt_keeper_migrate :table_name, :old_encryptor

from crypt_keeper.

jmazzi commented on August 16, 2024

@itspriddle how could they end up with old encryption? Doing Model.all { |m| m.save } would re-encrypt everything with the new encryption.

from crypt_keeper.

jmazzi commented on August 16, 2024

@itspriddle I like the idea of db migration, hmmm

from crypt_keeper.

fabiokr commented on August 16, 2024

Looks good overall, my only concern is that it seems we will need to keep
the old versions around. If that is the case, maybe we should have some
kind of versioning mechanism?
On Feb 17, 2014 10:39 PM, "Justin Mazzi" wrote:

Models can be migrated by using the migrate encryptors. Example:
:migrate_aes or :migrate_mysql_aes. This works by attempting to read the
data using the old encryption method and falling back to the new method.
Encryption always uses the new method.

@fabiokr https://github.com/fabiokr @itspriddle https://github.com/itspriddle what are your thoughts on the below? It's pretty rough but seems to work in
my testing.

require 'digest/sha2'
require 'openssl'
require 'base64'

module CryptKeeper
  module Provider
    # Old MySQL AES provider: stores the :key option as given.
    class OldMysqlAes < CryptKeeper::Provider::MysqlAes
      def initialize(options = {})
        @key = options.fetch(:key)
      end
    end

    # Reads with the old provider first, then the new one; always writes
    # with the new provider.
    class MigrateMysqlAes
      def initialize(options = {})
        @new_enc = CryptKeeper::Provider::MysqlAes.new(options)
        @old_enc = OldMysqlAes.new(options)
      end

      # Falls back to the new provider only when the old one returns a
      # blank value. An exception raised by the old provider is not rescued.
      def decrypt(value)
        plain_text = @old_enc.decrypt(value)

        if plain_text.blank?
          @new_enc.decrypt(value)
        else
          plain_text
        end
      end

      def encrypt(value)
        @new_enc.encrypt(value)
      end
    end

    # Old AES provider: AES-256-CBC, key = SHA-256 digest of the :key option.
    class OldAes
      SEPARATOR = ":crypt_keeper:"

      attr_accessor :key
      attr_accessor :aes

      def initialize(options = {})
        @aes         = ::OpenSSL::Cipher.new("AES-256-CBC")
        @aes.padding = 1

        key = options.fetch(:key) do
          raise ArgumentError, "Missing :key"
        end

        @key = Digest::SHA256.digest(key)
      end

      # Stored form: Base64(iv + SEPARATOR + ciphertext), with a random IV.
      def encrypt(value)
        aes.encrypt
        aes.key = key
        Base64::encode64("#{aes.random_iv}#{SEPARATOR}#{aes.update(value.to_s) + aes.final}")
      end

      def decrypt(value)
        iv, value = Base64::decode64(value.to_s).split(SEPARATOR)
        aes.decrypt
        aes.key = key
        aes.iv  = iv
        aes.update(value) + aes.final
      end

      # Compares the given field of each record with the criteria in Ruby.
      def search(records, field, criteria)
        records.select { |record| record[field] == criteria }
      end
    end

    # Same read-old-then-new wrapper as MigrateMysqlAes, for the AES provider.
    class MigrateAes
      def initialize(options = {})
        @new_enc = CryptKeeper::Provider::Aes.new(options)
        @old_enc = OldAes.new(options)
      end

      # Falls back to the new provider only when the old one returns a
      # blank value. An exception raised by the old provider is not rescued.
      def decrypt(value)
        plain_text = @old_enc.decrypt(value)

        if plain_text.blank?
          @new_enc.decrypt(value)
        else
          plain_text
        end
      end

      def encrypt(value)
        @new_enc.encrypt(value)
      end
    end
  end
end

Reply to this email directly or view it on GitHub https://github.com//issues/63.

from crypt_keeper.
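
Added example (not from the thread and not crypt_keeper code): one form the versioning mechanism asked about above could take, together with the all-at-once migration suggested earlier in the thread. Stored values written by the new scheme carry a prefix, so decryption dispatches on the tag instead of trying the old provider and falling back. The `VersionedCrypt` module, the `v2:` tag and the AES-256-GCM v2 layout are assumptions made for illustration; only the legacy layout follows the `OldAes` code posted above.

```ruby
require 'openssl'
require 'base64'

module VersionedCrypt # hypothetical module, not part of crypt_keeper
  SEPARATOR = ":crypt_keeper:".b # legacy separator, as in OldAes in the thread
  V2_TAG    = "v2:"              # assumed prefix; ':' never occurs in Base64 output

  def self.cipher(name, mode, key, iv = nil)
    OpenSSL::Cipher.new(name).public_send(mode).tap { |c| c.key = key; c.iv = iv if iv }
  end

  # Legacy layout from the thread: Base64(iv + SEPARATOR + AES-256-CBC ciphertext).
  def self.legacy_encrypt(key, plain)
    c = cipher("AES-256-CBC", :encrypt, key)
    Base64.encode64(c.random_iv + SEPARATOR + c.update(plain) + c.final)
  end

  def self.legacy_decrypt(key, stored)
    iv, ct = Base64.decode64(stored).split(SEPARATOR, 2)
    c = cipher("AES-256-CBC", :decrypt, key, iv)
    c.update(ct) + c.final
  end

  # Assumed v2 layout: V2_TAG + Base64(12-byte iv + AES-256-GCM ciphertext + 16-byte tag).
  def self.v2_encrypt(key, plain)
    c = cipher("aes-256-gcm", :encrypt, key)
    iv = c.random_iv
    c.auth_data = V2_TAG # binds the version tag to the ciphertext
    V2_TAG + Base64.strict_encode64(iv + c.update(plain) + c.final + c.auth_tag)
  end

  def self.v2_decrypt(key, stored)
    raw = Base64.strict_decode64(stored.delete_prefix(V2_TAG))
    c = cipher("aes-256-gcm", :decrypt, key, raw[0, 12])
    c.auth_tag, c.auth_data = raw[-16, 16], V2_TAG
    c.update(raw[12...-16]) + c.final
  end

  # Dispatch on the stored tag instead of trying one provider and falling back.
  def self.decrypt(key, stored)
    stored.start_with?(V2_TAG) ? v2_decrypt(key, stored) : legacy_decrypt(key, stored)
  end

  # One-shot pass: returns every value in v2 form, rewriting only the legacy ones.
  def self.migrate(key, values)
    values.map { |v| v.start_with?(V2_TAG) ? v : v2_encrypt(key, legacy_decrypt(key, v)) }
  end
end
```

Running `VersionedCrypt.migrate` a second time returns its input unchanged, so a check that every stored value starts with the tag confirms the migration is complete before the legacy code path is removed.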

itspriddle commented on August 16, 2024

@itspriddle how could they end up with old encryption? Doing Model.all { |m| m.save } would re-encrypt everything with the new encryption.

That is true – I didn't realize that was your intention. The migrators made it seem like you wanted to re-encrypt on demand.

from crypt_keeper.

jmazzi commented on August 16, 2024

My plan was to remove them in the 0.17 release.

On Feb 18, 2014, at 10:30 AM, Fabio Kreusch wrote:

Looks good overall, my only concern is that it seems we will need to keep
the old versions around. If that is the case, maybe we should have some
kind of versioning mechanism?

from crypt_keeper.

jmazzi commented on August 16, 2024

Closed via #67

from crypt_keeper.
