A KeyProvider serves keys:

  • An encryption key

  • A list of potential decryption keys. Serving multiple decryption keys supports rotation schemes in which new keys are added while old keys must continue to work.

Methods

Class Public methods

new(keys)

# File activerecord/lib/active_record/encryption/key_provider.rb, line 11
def initialize(keys)
  @keys = Array(keys)
end

Instance Public methods

decryption_keys(encrypted_message)

Returns the list of decryption keys.

When the message holds a reference to its encryption key, it returns an array containing only that key. Otherwise, it returns the full list of keys.

# File activerecord/lib/active_record/encryption/key_provider.rb, line 32
def decryption_keys(encrypted_message)
  if encrypted_message.headers.encrypted_data_key_id
    keys_grouped_by_id[encrypted_message.headers.encrypted_data_key_id]
  else
    @keys
  end
end

encryption_key()

Returns the last key in the list as the active key for performing encryption.

When ActiveRecord::Encryption.config.store_key_references is true, the key will include a public tag referencing the key itself (its id). That reference is stored in the public headers of the encrypted message.

# File activerecord/lib/active_record/encryption/key_provider.rb, line 20
def encryption_key
  @encryption_key ||= @keys.last.tap do |key|
    key.public_tags.encrypted_data_key_id = key.id if ActiveRecord::Encryption.config.store_key_references
  end

  @encryption_key
end