class Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor
Public Class Methods
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 129
  def self.encryptor_keys
    %w{ encrypted_data iv version cipher }
  end
Create a new Encryptor for data, which will be encrypted with the given key.
Arguments:
- data: An object of any type that can be serialized to JSON
- key: A String representing the desired passphrase
- iv: The optional iv parameter is intended for testing use only. When not supplied, Encryptor will use OpenSSL to generate a secure random IV, which is what you want.
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 68
  def initialize(plaintext_data, key, iv = nil)
    @plaintext_data = plaintext_data
    @key = key
    @iv = iv && Base64.decode64(iv)
  end
Public Instance Methods
Returns the used encryption algorithm
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 75
  def algorithm
    ALGORITHM
  end
Encrypts and Base64 encodes serialized_data
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 113
  def encrypted_data
    @encrypted_data ||= begin
      enc_data = openssl_encryptor.update(serialized_data)
      enc_data << openssl_encryptor.final
      Base64.encode64(enc_data)
    end
  end
Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 81
  def for_encrypted_item
    {
      "encrypted_data" => encrypted_data,
      "iv" => Base64.encode64(iv),
      "version" => 1,
      "cipher" => algorithm,
    }
  end
Generates or returns the IV.
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 91
  def iv
    # Generated IV comes from OpenSSL::Cipher#random_iv
    # This gets generated when +openssl_encryptor+ gets created.
    openssl_encryptor if @iv.nil?
    @iv
  end
Generates (and memoizes) an OpenSSL::Cipher object and configures it for the specified iv and encryption key.
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 100
  def openssl_encryptor
    @openssl_encryptor ||= begin
      encryptor = OpenSSL::Cipher.new(algorithm)
      encryptor.encrypt
      # We must set key before iv: https://bugs.ruby-lang.org/issues/8221
      encryptor.key = OpenSSL::Digest::SHA256.digest(key)
      @iv ||= encryptor.random_iv
      encryptor.iv = @iv
      encryptor
    end
  end
Wraps the data in a single key Hash (JSON Object) and converts to JSON. The wrapper is required because we accept values (such as Integers or Strings) that do not produce valid JSON when serialized without the wrapper.
  # File lib/chef/encrypted_data_bag_item/encryptor.rb, line 125
  def serialized_data
    FFI_Yajl::Encoder.encode(:json_wrapper => plaintext_data)
  end
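The methods above are easier to follow end to end when run outside the class. What follows is an added, stand-alone example, not Chef's own code: it re-implements the Version 1 scheme the methods describe (SHA-256 of the passphrase as the AES key, a random IV, the json_wrapper object, Base64 of the ciphertext) and adds the matching decryptor so the round trip can be checked. It assumes the cipher name "aes-256-cbc" (the page refers to ALGORITHM without showing its value), uses the standard library JSON instead of FFI_Yajl, and does Base64 with pack("m")/unpack1("m"), which is what Base64.encode64 and decode64 do.

```ruby
require "openssl"
require "json"

# Assumption: the cipher named by the class's ALGORITHM constant.
ALGORITHM = "aes-256-cbc"

# Mirrors Encryptor::Version1Encryptor#for_encrypted_item. Passing +iv+ is for
# tests only; production callers let OpenSSL pick a random IV per item.
def v1_encrypt(plaintext_data, key, iv = nil)
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.encrypt
  # Key must be set before the IV (see the bugs.ruby-lang.org link above).
  cipher.key = OpenSSL::Digest::SHA256.digest(key) # passphrase -> 32-byte key
  iv ||= cipher.random_iv
  cipher.iv = iv
  # The wrapper lets scalars (42, "text") survive JSON serialization.
  serialized = JSON.generate("json_wrapper" => plaintext_data)
  enc = cipher.update(serialized) + cipher.final
  {
    "encrypted_data" => [enc].pack("m"), # same output as Base64.encode64
    "iv" => [iv].pack("m"),
    "version" => 1,
    "cipher" => ALGORITHM,
  }
end

# Reverses v1_encrypt. A wrong key normally surfaces as
# OpenSSL::Cipher::CipherError (bad padding) or JSON::ParserError, but that is
# a side effect of CBC padding, not an integrity check: Version 1 carries no MAC.
def v1_decrypt(item, key)
  raise ArgumentError, "not a version 1 item" unless item["version"] == 1
  cipher = OpenSSL::Cipher.new(item["cipher"])
  cipher.decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(key)
  cipher.iv = item["iv"].unpack1("m")
  plain = cipher.update(item["encrypted_data"].unpack1("m")) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Keys a Version 1 item is expected to carry (cf. encryptor_keys above).
def v1_keys(item)
  item.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  item = v1_encrypt({ "password" => "s3cret" }, "passphrase") # constructed sample
  puts JSON.pretty_generate(item)
  p v1_decrypt(item, "passphrase")
end
```

Two things the round trip makes visible: the json_wrapper object is why a bare Integer or String can be stored, and the item contains only the four fields returned by encryptor_keys, with nothing that authenticates the ciphertext. Version 1 therefore gives confidentiality only; later format versions added an HMAC (version 2) and an AEAD cipher (version 3), which is why new data bags should not be written in this format.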