class Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor

Attributes

key[R]
plaintext_data[R]

Public Class Methods

encryptor_keys()
# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 129
def self.encryptor_keys
  %w{ encrypted_data iv version cipher }
end
new(plaintext_data, key, iv = nil)

Create a new Encryptor for data, which will be encrypted with the given key.

Arguments:

  • data: An object of any type that can be serialized to JSON

  • key: A String representing the desired passphrase

  • iv: The optional iv parameter is intended for testing use only. When not supplied, Encryptor will use OpenSSL to generate a secure random IV, which is what you want.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 68
def initialize(plaintext_data, key, iv = nil)
  @plaintext_data = plaintext_data
  @key = key
  @iv = iv && Base64.decode64(iv)
end

Public Instance Methods

algorithm()

Returns the encryption algorithm in use (the ALGORITHM constant).

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 75
def algorithm
  ALGORITHM
end
encrypted_data()

Encrypts serialized_data and Base64-encodes the resulting ciphertext.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 113
def encrypted_data
  @encrypted_data ||= begin
    enc_data = openssl_encryptor.update(serialized_data)
    enc_data << openssl_encryptor.final
    Base64.encode64(enc_data)
  end
end
for_encrypted_item()

Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 81
def for_encrypted_item
  {
    "encrypted_data" => encrypted_data,
    "iv" => Base64.encode64(iv),
    "version" => 1,
    "cipher" => algorithm,
  }
end
iv()

Generates or returns the IV.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 91
def iv
  # Generated IV comes from OpenSSL::Cipher#random_iv
  # This gets generated when +openssl_encryptor+ gets created.
  openssl_encryptor if @iv.nil?
  @iv
end
openssl_encryptor()

Generates (and memoizes) an OpenSSL::Cipher object and configures it for the specified iv and encryption key.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 100
def openssl_encryptor
  @openssl_encryptor ||= begin
    encryptor = OpenSSL::Cipher.new(algorithm)
    encryptor.encrypt
    # We must set key before iv: https://bugs.ruby-lang.org/issues/8221
    encryptor.key = OpenSSL::Digest.digest("SHA256", key)
    @iv ||= encryptor.random_iv
    encryptor.iv = @iv
    encryptor
  end
end
serialized_data()

Wraps the data in a single key Hash (JSON Object) and converts to JSON. The wrapper is required because we accept values (such as Integers or Strings) that do not produce valid JSON when serialized without the wrapper.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 125
def serialized_data
  FFI_Yajl::Encoder.encode(json_wrapper: plaintext_data)
end
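The envelope built by for_encrypted_item and the json_wrapper used by serialized_data, as an added stand-alone example (not Chef's own code): it re-implements the Version 1 encrypt step with the same derivation (SHA256 of the passphrase as the key, a random IV unless one is supplied), adds the matching decrypt step so the round trip can be checked offline, and uses the standard-library JSON module in place of FFI_Yajl. It assumes ALGORITHM is "aes-256-cbc", which the page itself does not show.

```ruby
require "openssl"
require "base64"
require "json"

# Assumption: the value of Chef's ALGORITHM constant for version 1 items.
V1_ALGORITHM = "aes-256-cbc".freeze

# The keys every Version 1 item carries (same list as encryptor_keys above).
V1_KEYS = %w{ encrypted_data iv version cipher }.freeze

# Re-implementation of Version1Encryptor#for_encrypted_item:
#   key  = SHA256(passphrase)             (no salt, no iteration)
#   iv   = supplied (tests only) or OpenSSL's random_iv
#   body = JSON of {"json_wrapper" => data}, so scalars serialize cleanly
def v1_encrypt(plaintext_data, passphrase, iv = nil)
  cipher = OpenSSL::Cipher.new(V1_ALGORITHM)
  cipher.encrypt
  # Key must be set before the IV (see the ruby-lang issue cited on the page).
  cipher.key = OpenSSL::Digest.digest("SHA256", passphrase)
  iv ||= cipher.random_iv
  cipher.iv = iv
  serialized = JSON.generate("json_wrapper" => plaintext_data)
  enc = cipher.update(serialized) + cipher.final
  {
    "encrypted_data" => Base64.encode64(enc),
    "iv" => Base64.encode64(iv),
    "version" => 1,
    "cipher" => V1_ALGORITHM,
  }
end

# Reverses the envelope and unwraps the json_wrapper key. Version 1 carries
# no MAC, so a wrong passphrase or altered ciphertext is only noticed
# indirectly: OpenSSL raises on bad padding, or the plaintext is not JSON.
# Those errors are deliberately left to propagate to the caller.
def v1_decrypt(item, passphrase)
  raise ArgumentError, "unsupported version #{item['version']}" unless item["version"] == 1
  cipher = OpenSSL::Cipher.new(item["cipher"])
  cipher.decrypt
  cipher.key = OpenSSL::Digest.digest("SHA256", passphrase)
  cipher.iv = Base64.decode64(item["iv"])
  plain = cipher.update(Base64.decode64(item["encrypted_data"])) + cipher.final
  JSON.parse(plain).fetch("json_wrapper")
end

# Structural check a consumer can run before attempting decryption.
def v1_envelope_complete?(item)
  V1_KEYS.all? { |k| item.key?(k) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value and passphrase, not real secrets.
  item = v1_encrypt({ "db_password" => "example-only" }, "example-passphrase")
  puts item.inspect
  puts v1_decrypt(item, "example-passphrase").inspect
end
```

Two things the round trip makes visible. First, the wrapper: an Integer such as 42 goes through as `{"json_wrapper":42}`, which is why serialized_data needs it. Second, what the four keys do not include: there is no authentication tag, so integrity of a Version 1 item rests entirely on whatever rejects bad padding or unparseable JSON after the fact, and a consumer should treat those errors as "item not trusted" rather than as transient failures. The optional iv argument is for reproducible tests only, as the constructor documentation says; with a fixed IV two encryptions of the same value are byte-identical.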