An encryptor exposes the encryption API that ActiveRecord::Encryption::EncryptedAttributeType uses for encrypting and decrypting attribute values.

It interacts with a KeyProvider for getting the keys, and delegate to ActiveRecord::Encryption::Cipher the actual encryption algorithm.

Methods

Constants

DECRYPT_ERRORS = [OpenSSL::Cipher::CipherError, Errors::EncryptedContentIntegrity, Errors::Decryption]
ENCODING_ERRORS = [EncodingError, Errors::Encoding]
THRESHOLD_TO_JUSTIFY_COMPRESSION = 140.bytes

Attributes

[R] compressor

The compressor to use for compressing the payload

Class Public methods

new(compress: true, compressor: nil)

Options

  • :compress - Boolean indicating whether records should be compressed before encryption. Defaults to true.

  • :compressor - The compressor to use.

    1. If compressor is provided, it will be used.

    2. If not, it will use ActiveRecord::Encryption.config.compressor which default value is Zlib.

    If you want to use a custom compressor, it must respond to deflate and inflate.

📝 Source code
# File activerecord/lib/active_record/encryption/encryptor.rb, line 25
      def initialize(compress: true, compressor: nil)
        @compress = compress
        @compressor = compressor || ActiveRecord::Encryption.config.compressor
      end
🔎 See on GitHub

Instance Public methods

binary?()

📝 Source code
# File activerecord/lib/active_record/encryption/encryptor.rb, line 84
      def binary?
        serializer.binary?
      end
🔎 See on GitHub

decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {})

Decrypts an encrypted_text and returns the result as clean text

Options

:key_provider

Key provider to use for the encryption operation. It will default to ActiveRecord::Encryption.key_provider when not provided

:cipher_options

Cipher-specific options that will be passed to the Cipher configured in ActiveRecord::Encryption.cipher

📝 Source code
# File activerecord/lib/active_record/encryption/encryptor.rb, line 67
      def decrypt(encrypted_text, key_provider: default_key_provider, cipher_options: {})
        message = deserialize_message(encrypted_text)
        keys = key_provider.decryption_keys(message)
        raise Errors::Decryption unless keys.present?
        uncompress_if_needed(cipher.decrypt(message, key: keys.collect(&:secret), **cipher_options), message.headers.compressed)
      rescue *(ENCODING_ERRORS + DECRYPT_ERRORS)
        raise Errors::Decryption
      end
🔎 See on GitHub

encrypt(clear_text, key_provider: default_key_provider, cipher_options: {})

Encrypts clean_text and returns the encrypted result

Internally, it will:

  1. Create a new ActiveRecord::Encryption::Message

  2. Compress and encrypt clean_text as the message payload

  3. Serialize it with ActiveRecord::Encryption.message_serializer (ActiveRecord::Encryption::SafeMarshal by default)

  4. Encode the result with Base 64

Options

:key_provider

Key provider to use for the encryption operation. It will default to ActiveRecord::Encryption.key_provider when not provided.

:cipher_options

Cipher-specific options that will be passed to the Cipher configured in ActiveRecord::Encryption.cipher

📝 Source code
# File activerecord/lib/active_record/encryption/encryptor.rb, line 49
      def encrypt(clear_text, key_provider: default_key_provider, cipher_options: {})
        clear_text = force_encoding_if_needed(clear_text) if cipher_options[:deterministic]

        validate_payload_type(clear_text)
        serialize_message build_encrypted_message(clear_text, key_provider: key_provider, cipher_options: cipher_options)
      end
🔎 See on GitHub

encrypted?(text)

Returns whether the text is encrypted or not

📝 Source code
# File activerecord/lib/active_record/encryption/encryptor.rb, line 77
      def encrypted?(text)
        deserialize_message(text)
        true
      rescue Errors::Encoding, *DECRYPT_ERRORS
        false
      end
🔎 See on GitHub