Convergent encryption support #1
Conversation
finalwharf
force-pushed
the
master
branch
2 times, most recently
from
b816bff to
54b6047
Compare
finalwharf
force-pushed
the
convergent_encryption
branch
2 times, most recently
from
544c52f to
28c3d67
Compare
spec/integration/rails_spec.rb
Outdated
| expect(first_person.email_encrypted).to eq second_person.email_encrypted | ||
| end | ||
|
|
||
| it 'generates different ciphertexts different plaintexts' do |
lib/vault/rails.rb
Outdated
| @@ -27,6 +27,10 @@ module Rails | |||
| DEV_WARNING = "[vault-rails] Using in-memory cipher - this is not secure " \ | |||
| "and should never be used in production-like environments!".freeze | |||
|
|
|||
| CONVERGENT_ENCRYPTION_CONTEXT = Base64.strict_encode64( | |||
| ENV.fetch('VAULT_CONVERGENT_ENCRYPTION_CONTEXT', 'convergent-encryption-context') | |||
There was a problem hiding this comment.
Let's remove the default value here
finalwharf
force-pushed
the
convergent_encryption
branch
2 times, most recently
from
fa1feee to
6b0e6bf
Compare
lib/vault/rails.rb
Outdated
| @@ -30,7 +30,7 @@ module Rails | |||
| class << self | |||
| # API client object based off the configured options in {Configurable}. | |||
| # | |||
| # @return [Vault::Client] | |||
| # @return [Vault::Client] for use with convergent encryption | |||
There was a problem hiding this comment.
You can drop the addition, you can use it without the convergent encryption
There was a problem hiding this comment.
Accidental copy/paste 🤷🏻♂️
finalwharf
force-pushed
the
convergent_encryption
branch
from
6b0e6bf to
069c75e
Compare
|
Some context: Vault::Rails has two protected methods - Both using the same IV and no IV in the first place poses the same security issues. The reason for using the same IV is to make the gem behave the same both in development and production as the current PR adds support for convergent encryption for production as well. The way that the VAULT_CONVERGENT_ENCRYPTION_CONTEXT is used is not the same in dev and prod. In development I use it as an IV (to keep things simple), but in prod, Vault uses it for key derivation. Again, memory encryption is used only when Vault is not enabled (dev and test envs). |
finalwharf
force-pushed
the
convergent_encryption
branch
from
069c75e to
22113ec
Compare
|
@finalwharf @bliof - RE: memory_encrypt / memory_decrypt / AES CBC 128 / static IV - this is fine from a security perspective as long as it is used for development and testing |
finalwharf
force-pushed
the
convergent_encryption
branch
2 times, most recently
from
1ebdde1 to
37516fa
Compare
spec/unit/rails_spec.rb
Outdated
|
|
||
| describe '.vault_encrypt' do | ||
| it 'sends the correct paramaters to vault client' do | ||
|
|
spec/unit/rails_spec.rb
Outdated
| with(expected_route, expected_options). | ||
| and_return(spy('Vault::Secret')) | ||
|
|
||
| Vault::Rails.send(:vault_encrypt, 'path', 'key', 'plaintext', Vault::Rails.client, true) |
There was a problem hiding this comment.
Please use the public methods to test this
finalwharf
force-pushed
the
convergent_encryption
branch
2 times, most recently
from
e4f4df2 to
6ab4e33
Compare
spec/unit/rails_spec.rb
Outdated
| end | ||
| end | ||
|
|
||
| describe '.decrypt' do |
There was a problem hiding this comment.
tbo you can delete this and the one above
finalwharf
force-pushed
the
convergent_encryption
branch
2 times, most recently
from
14365fc to
8fc09aa
Compare
What does this PR do? --------------------- * Adds support for convergent encryption Where should the reviewer start? -------------------------------- * `lib/vault/rails.rb` * `lib/vault/encrypted_model.rb` Any background context you want to provide? ------------------------------------------- * Vault supports convergent encryption since v0.6.1, but this gem does not take advantage of this functionality.
finalwharf
force-pushed
the
convergent_encryption
branch
from
8fc09aa to
f71550c
Compare
What does this PR do?
Where should the reviewer start?
lib/vault/rails.rblib/vault/encrypted_model.rbAny background context you want to provide?
does not take advantage of this functionality.
/cc @popovm @bliof please review