forked from ueno/acts_as_encrypted_with_gpgme
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
105 lines (74 loc) · 3.36 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
== ActsAsEncryptedWithGpgme
acts_as_encrypted_with_gpgme is a rails plugin which does
encryption/decryption with the GPGME (GnuPG Made Easy) library.
The main advantage of this plugin is that it stores encrypted data in
the standard OpenPGP format, while similar plugins use custom data
format. Using the standard format allows you to easily migrate from
some crypto algorithm to the other algorithms.
== Usage
acts_as_encrypted_with_gpgme is capable of encrypting data with either
a public-key cipher or a symmetric cipher.
=== Using a public-key cipher
To use public-key cipher algorithm, you need a key pair for
encryption; the keys are loaded from
<tt>RAILS_ROOT/config/gpgme</tt>.
To generate a new key pair, do:
$ mkdir config/gpgme
$ gpg --homedir config/gpgme --gen-key
...follow the instruction prompted by gpg...
Now you have a key pair. You might want to control detail behavior of
encryption through <tt>RAILS_ROOT/config/gpgme/gpg.conf</tt>. For
example, to specify a cipher algorithm being used internally, add the
following line to the file:
cipher-algo TWOFISH
For other options, see <tt>man gpg</tt>.
Now let's go ahead to create an ActiveRecord model.
$ ./script/generate model account name:string credit_card_number:string
$ rake db:migrate
Create app/models/account.rb containing the following:
class Account < ActiveRecord::Base
acts_as_encrypted_with_gpgme :fields => {
:credit_card_number => {
:recipients => ['AC5C76C1'] # key ID for the key generated above
}
}
end
The above code means that the column named <i>credit_card_number</i>
be encrypted to a public-key identified by 'AC5C76C1'. Note that at
this point the example only does *not* provide decryption---in other
words, the column <i>credit_card_number</i> is regarded as write-only
within your Rails application.
To make the column be decrypted after the data is retrieved from the
database, specify decryption key with the <tt>:key</tt> option:
class Account < ActiveRecord::Base
acts_as_encrypted_with_gpgme :fields => {
:credit_card_number => {
:recipients => ['AC5C76C1'] # key ID for the key generated above
:key => 'AC5C76C1'
}
}
end
and provide the passphrase to unlock the key; add the following to
<tt>config/initializers/gpgme.rb</tt>:
ActsAsEncryptedWithGpgme.set_passphrase('AC5C76C1', 'your passphrase')
=== Using a symmetric cipher
Symmetric encryption can be used in the same way as public-key
encryption described in the previous section, except that you don't
need to prepare keys. Let's start from creating models:
$ ./script/generate model post title:string body:text
$ rake db:migrate
Create app/models/post.rb containing the following:
class Post < ActiveRecord::Base
acts_as_encrypted_with_gpgme :fields => [:body]
end
To tell the passphrase, add the following to
<tt>config/initializers/gpgme.rb</tt>:
ActsAsEncryptedWithGpgme.set_passphrase('Post#body', 'your passphrase')
By default, the key for the passphrase is automatically constructed
from the class and the column name to be encrypted.
== Security consideration
It is generally not a good idea to hold a secret in memory for a long
time. If you really want to support on-the-fly decryption, you should
probably consider hosting your Rails application on a trusted machine
isolated from the database server.
Copyright (c) 2009 Daiki Ueno, released under the MIT license