Project

kms_attrs

0.0
No commit activity in last 3 years
No release in over 3 years
kms_attrsjustinoue/kms_attrsHomepageDocumentationSource CodeBug TrackerWiki
Quickly add KMS encryption and decryption to your ActiveRecord model attributes.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
6,766
Stars
3
Forks
2
Watchers
1
 Releases
Current version
0.0.2
Total releases
2
First release
2015-06-26
Latest release
2015-06-26
 Issues
Open Issues
1
Closed Issues
0
Total Issues
1
Issue Closure Rate
0%
 Development
Primary Language
Ruby
Licenses
GPLv3
Average date of last 50 commits
2015-06-26
Reverse Dependencies
0

 Dependencies

Development

rspec
>= 0

Runtime

activerecord
>= 0
aws-sdk-resources
~> 2
 Project Readme

#kms_attrs

kms_attrs is a gem for easily adding Amazon Web Services KMS encryption to your ActiveRecord model attributes. It uses the GenerateDataKey method to perform "envelope" encryption locally with an OpenSSL AES-256-CBC cipher.

To use, simply put the following code in your models for the fields you want to encrypt:

kms_attr :my_attribute, key_id: 'my-aws-kms-key-id'

Encryption is done at time of assignment.

To retrieve the decrypted data, call:

  my_model_instance.my_attribute_d

Encrypted data is stored as a hash in your database in the attribute column. It should be a text column as string may not be long enough.

##Additional Options You can add encryption contexts as strings, method calls, or procs. Default is none.

kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
  context_key: 'my context key', context_value: 'my context value'

kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
  context_key: :model_method_context_key, context_value: :model_method_context_value

kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
  context_key: Proc.new { }, context_value: Proc.new { }

You can also toggle whether or not the model instance should retain decrypted values. Default is false. Change to true if you want to reduce the AWS API calls made for constant decryption. I cannot comment on the security implications enabling or disabling retaining.

kms_attr :my_attribute, key_id: 'my-aws-kms-key-id',
  retain: true

##Aws Configuration This gem expects some standard Aws SDK configuration and some not so standard. The Aws client is initiated with no credentials. This should then load credentials either from ENV['AWS_ACCESS_KEY_ID'] and ENV['AWS_SECRET_ACCESS_KEY'] or an IAM role on an EC2 instance.

The not so standard configuration is specifiying ENV['AWS_DEFAULT_REGION'] for the AWS region you are using KMS in. KMS key IDs and operations are region specific. This will be moved to an overrideable initialization parameter. I forgot.

###Notes This gem has been developed against Ruby 2.1.5, Rails 4.2, and AWS SDK v2. Credit where credit is due, I used strongbox by spikex as an inspiration and guide when creating this. https://github.com/spikex/strongbox

###Disclaimer I make no claims about enhanced security when using this gem.

###To Do

  • Tests
  • Choose your own encryption method
  • Choose your own KMS key type
  • Specify AWS region in configuration

###Read more about AWS KMS