Implements a simple envelope encryption approach where:

  • It generates a random data-encryption key for each encryption operation.

  • It stores the generated key along with the encrypted payload, encrypted with the master key provided in the credential `active_record.encryption.master key`.

This provider can work with multiple master keys. It will use the last one for encrypting.

When `config.store_key_references` is true, it also stores a reference to the specific master key that was used to encrypt the data-encryption key. When it is not set, it tries each configured master key in turn until it finds the one that decrypts the data-encryption key, and returns that decryption key.

Methods

Instance Public methods

active_primary_key()

# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 31
# The master key used to wrap data-encryption keys (memoized).
def active_primary_key
  @active_primary_key ||= primary_key_provider.encryption_key
end

decryption_keys(encrypted_message)

# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 26
# Unwraps the data-encryption key carried by the message; returns [] when
# none of the configured master keys can decrypt it.
def decryption_keys(encrypted_message)
  secret = decrypt_data_key(encrypted_message)
  secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
end

encryption_key()

# File activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb, line 18
# A fresh random data-encryption key for this operation. Its wrapped copy
# (and, when key references are stored, the master key id) travels with the
# encrypted payload as public tags.
def encryption_key
  random_secret = generate_random_secret
  ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
    key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
    key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
  end
end
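The envelope scheme described above, written out as a self-contained toy provider so the three behaviours can be exercised end to end: a fresh data-encryption key per operation, wrapping with the last configured master key, and decryption either via the stored key reference or by trying every master key. This is an added example, not Rails' own implementation; the class name, the AES-256-GCM wrapping and the plain Hash used for public tags are assumptions made for illustration.

```ruby
require "openssl"

# Toy envelope key provider (added example, not Rails' code): a fresh random
# data-encryption key (DEK) per encryption, stored wrapped with the last master
# key; decryption unwraps by stored key id or by trying every master key.
class ToyEnvelopeKeyProvider
  Key = Struct.new(:secret, :public_tags)
  def initialize(master_keys, store_key_references: true)
    @master_keys = master_keys.each_with_index.map { |s, i| { id: i, secret: s } }
    @store_key_references = store_key_references
  end
  def active_primary_key
    @master_keys.last # the last configured master key is the one used to encrypt
  end
  def encryption_key
    dek = OpenSSL::Random.random_bytes(32)
    tags = { encrypted_data_key: wrap(dek, active_primary_key[:secret]) }
    tags[:encrypted_data_key_id] = active_primary_key[:id] if @store_key_references
    Key.new(dek, tags)
  end
  # The DEK able to decrypt the message, or [] when no configured master key fits.
  def decryption_keys(public_tags)
    id = public_tags[:encrypted_data_key_id]
    candidates = id ? @master_keys.select { |k| k[:id] == id } : @master_keys
    candidates.each do |k|
      dek = unwrap(public_tags[:encrypted_data_key], k[:secret])
      return [Key.new(dek, public_tags)] if dek
    end
    []
  end

  private

  # AES-256-GCM key wrapping; blob layout is iv (12) || auth tag (16) || ciphertext
  def wrap(plain, kek)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = kek
    iv = c.random_iv
    ct = c.update(plain) + c.final
    iv + c.auth_tag + ct
  end
  def unwrap(blob, kek)
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = kek
    c.iv = blob[0, 12]
    c.auth_tag = blob[12, 16]
    c.update(blob[28..]) + c.final
  rescue OpenSSL::Cipher::CipherError
    nil # wrong master key: GCM tag verification fails
  end
end
```

Because a wrong master key fails the GCM tag check rather than yielding garbage, the try-all-keys path in `decryption_keys` can recognise the right key without any out-of-band hint.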