class Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor
Attributes
Public Class Methods
# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 129
def self.encryptor_keys
  %w{ encrypted_data iv version cipher }
end
Create a new Encryptor for data, which will be encrypted with the given key.

Arguments:

- data: An object of any type that can be serialized to JSON
- key: A String representing the desired passphrase
- iv: The optional iv parameter is intended for testing use only. When not supplied, Encryptor will use OpenSSL to generate a secure random IV, which is what you want.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 68
def initialize(plaintext_data, key, iv = nil)
  @plaintext_data = plaintext_data
  @key = key
  @iv = iv && Base64.decode64(iv)
end
Public Instance Methods
Returns the encryption algorithm in use
# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 75
def algorithm
  ALGORITHM
end
Encrypts and Base64 encodes serialized_data
# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 113
def encrypted_data
  @encrypted_data ||= begin
    enc_data = openssl_encryptor.update(serialized_data)
    enc_data << openssl_encryptor.final
    Base64.encode64(enc_data)
  end
end
Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 81
def for_encrypted_item
  {
    "encrypted_data" => encrypted_data,
    "iv" => Base64.encode64(iv),
    "version" => 1,
    "cipher" => algorithm,
  }
end
Generates or returns the IV.
# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 91
def iv
  # Generated IV comes from OpenSSL::Cipher#random_iv
  # This gets generated when +openssl_encryptor+ gets created.
  openssl_encryptor if @iv.nil?
  @iv
end
Generates (and memoizes) an OpenSSL::Cipher object and configures it for the specified iv and encryption key.
# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 100
def openssl_encryptor
  @openssl_encryptor ||= begin
    encryptor = OpenSSL::Cipher.new(algorithm)
    encryptor.encrypt
    # We must set key before iv: https://bugs.ruby-lang.org/issues/8221
    encryptor.key = OpenSSL::Digest::SHA256.digest(key)
    @iv ||= encryptor.random_iv
    encryptor.iv = @iv
    encryptor
  end
end
Wraps the data in a single key Hash (JSON Object) and converts to JSON. The wrapper is required because we accept values (such as Integers or Strings) that do not produce valid JSON when serialized without the wrapper.

# File lib/chef/encrypted_data_bag_item/encryptor.rb, line 125
def serialized_data
  FFI_Yajl::Encoder.encode(json_wrapper: plaintext_data)
end
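The following is an added, stand-alone example and not Chef's own code: it models the Version1Encryptor methods listed above (the SHA-256 key derivation and IV handling of openssl_encryptor, the single-key wrapper of serialized_data, and the item layout of for_encrypted_item) together with the matching decrypt step, so the version 1 item format can be produced and inspected end to end. Assumptions: the ALGORITHM constant, which this page does not show, is "aes-256-cbc"; the standard-library JSON module stands in for FFI_Yajl; and Base64 is done with Array#pack("m") / String#unpack1("m"), which yield the same bytes as Base64.encode64 / decode64 without requiring the base64 gem.

```ruby
require "openssl"
require "json"

# Assumption: the value of Version1Encryptor::ALGORITHM (not shown on this page).
ALGORITHM = "aes-256-cbc"

# Same output as Base64.encode64 / Base64.decode64.
def b64(bin)
  [bin].pack("m")
end

def unb64(str)
  str.unpack1("m")
end

# Model of Chef's Version1Encryptor (constructed for this example).
class Version1Model
  attr_reader :key, :plaintext_data

  def initialize(plaintext_data, key, iv = nil)
    @plaintext_data = plaintext_data
    @key = key
    @iv = iv && unb64(iv)          # iv argument is Base64, as in the original
  end

  # Single-key wrapper so that bare Integers/Strings always serialize
  # as a JSON object (JSON stands in for FFI_Yajl here).
  def serialized_data
    JSON.generate(json_wrapper: plaintext_data)
  end

  def openssl_encryptor
    @openssl_encryptor ||= begin
      c = OpenSSL::Cipher.new(ALGORITHM)
      c.encrypt
      # Key must be set before iv (ruby-lang bug 8221). The passphrase is
      # hashed once with SHA-256, with no salt and no iteration count.
      c.key = OpenSSL::Digest::SHA256.digest(key)
      @iv ||= c.random_iv           # 16 random bytes unless one was supplied
      c.iv = @iv
      c
    end
  end

  def iv
    openssl_encryptor if @iv.nil?   # forces IV generation
    @iv
  end

  def encrypted_data
    @encrypted_data ||= begin
      enc = openssl_encryptor.update(serialized_data)
      enc << openssl_encryptor.final
      b64(enc)
    end
  end

  def for_encrypted_item
    {
      "encrypted_data" => encrypted_data,
      "iv" => b64(iv),
      "version" => 1,
      "cipher" => ALGORITHM,
    }
  end
end

# Decrypt side: derive the same key, undo Base64, strip the wrapper.
# Returns the original plaintext_data object.
def decrypt_v1(item, key)
  c = OpenSSL::Cipher.new(item["cipher"])
  c.decrypt
  c.key = OpenSSL::Digest::SHA256.digest(key)
  c.iv = unb64(item["iv"])
  plain = c.update(unb64(item["encrypted_data"])) + c.final
  JSON.parse(plain)["json_wrapper"]
end

# True when the item carries only the four version 1 fields, i.e. no
# integrity field of any kind (the format is encrypt-only).
def version1_layout?(item)
  item.keys.sort == %w{ cipher encrypted_data iv version }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data; "passphrase" stands in for the data bag secret.
  item = Version1Model.new({ "password" => "s3cret" }, "passphrase").for_encrypted_item
  puts JSON.pretty_generate(item)
  p decrypt_v1(item, "passphrase")
end
```

Two things worth noticing when running it: supplying the same Base64 iv twice gives byte-identical ciphertext, which is why the argument is documented as "testing use only"; and the item a decryptor receives consists of exactly the four keys from encryptor_keys, so nothing in the version 1 layout lets the reader detect that encrypted_data or iv were modified in transit. A wrong passphrase usually surfaces as an OpenSSL::Cipher::CipherError on final (bad padding), not as a clean "wrong key" signal.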