A KeyProvider
serves keys:
-
An encryption key
-
A list of potential decryption keys. Serving multiple decryption keys supports rotation-schemes where new keys are added but old keys need to continue working
Methods
Class Public methods
new(keys)
📝 Source code
# File activerecord/lib/active_record/encryption/key_provider.rb, line 11
def initialize(keys)
@keys = Array(keys)
end
🔎 See on GitHub
Instance Public methods
decryption_keys(encrypted_message)
Returns the list of decryption keys
When the message holds a reference to its encryption key, it will return an array with that key. If not, it will return the list of keys.
📝 Source code
# File activerecord/lib/active_record/encryption/key_provider.rb, line 32
def decryption_keys(encrypted_message)
if encrypted_message.headers.encrypted_data_key_id
keys_grouped_by_id[encrypted_message.headers.encrypted_data_key_id]
else
@keys
end
end
🔎 See on GitHub
encryption_key()
Returns the last key in the list as the active key to perform encryptions
When ActiveRecord::Encryption.config.store_key_references
is true, the key will include a public tag referencing the key itself. That key will be stored in the public headers of the encrypted message
📝 Source code
# File activerecord/lib/active_record/encryption/key_provider.rb, line 20
def encryption_key
@encryption_key ||= @keys.last.tap do |key|
key.public_tags.encrypted_data_key_id = key.id if ActiveRecord::Encryption.config.store_key_references
end
@encryption_key
end
🔎 See on GitHub