d4085ba Aug 28, 2012
114 lines (106 sloc) 5.08 KB
#
# Symmetric Encryption for Ruby
#
---
# For the development and test environments the test symmetric encryption keys
# can be placed directly in the source code.
# And therefore no RSA private key is required
development: &development_defaults
key: 1234567890ABCDEF1234567890ABCDEF
iv: 1234567890ABCDEF
cipher: aes-128-cbc
test:
<<: *development_defaults
production:
# Since the key to encrypt and decrypt with must NOT be stored along with the
# source code, we only hold a RSA key that is used to unlock the file
# containing the actual symmetric encryption key
#
# Sample RSA Key, DO NOT use this RSA key, generate a new one using
# openssl genrsa 2048
private_rsa_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxIL9H/jYUGpA38v6PowRSRJEo3aNVXULNM/QNRpx2DTf++KH
6DcuFTFcNSSSxG9n4y7tKi755be8N0uwCCuOzvXqfWmXYjbLwK3Ib2vm0btpHyvA
qxgqeJOOCxKdW/cUFLWn0tACUcEjVCNfWEGaFyvkOUuR7Ub9KfhbW9cZO3BxZMUf
IPGlHl/gWyf484sXygd+S7cpDTRRzo9RjG74DwfE0MFGf9a1fTkxnSgeOJ6asTOy
fp9tEToUlbglKaYGpOGHYQ9TV5ZsyJ9jRUyb4SP5wK2eK6dHTxTcHvT03kD90Hv4
WeKIXv3WOjkwNEyMdpnJJfSDb5oquQvCNi7ZSQIDAQABAoIBAQCbzR7TUoBugU+e
ICLvpC2wOYOh9kRoFLwlyv3QnH7WZFWRZzFJszYeJ1xr5etXQtyjCnmOkGAg+WOI
k8GlOKOpAuA/PpB/leJFiYL4lBwU/PmDdTT0cdx6bMKZlNCeMW8CXGQKiFDOcMqJ
0uGtH5YD+RChPIEeFsJxnC8SyZ9/t2ra7XnMGiCZvRXIUDSEIIsRx/mOymJ7bL+h
Lbp46IfXf6ZuIzwzoIk0JReV/r+wdmkAVDkrrMkCmVS4/X1wN/Tiik9/yvbsh/CL
ztC55eSIEjATkWxnXfPASZN6oUfQPEveGH3HzNjdncjH/Ho8FaNMIAfFpBhhLPi9
nG5sbH+BAoGBAOdoUyVoAA/QUa3/FkQaa7Ajjehe5MR5k6VtaGtcxrLiBjrNR7x+
nqlZlGvWDMiCz49dgj+G1Qk1bbYrZLRX/Hjeqy5dZOGLMfgf9eKUmS1rDwAzBMcj
M9jnnJEBx8HIlNzaR6wzp3GMd0rrccs660A8URvzkgo9qNbvMLq9vyUtAoGBANll
SY1Iv9uaIz8klTXU9YzYtsfUmgXzw7K8StPdbEbo8F1J3JPJB4D7QHF0ObIaSWuf
suZqLsvWlYGuJeyX2ntlBN82ORfvUdOrdrbDlmPyj4PfFVl0AK3U3Ai374DNrjKR
hF6YFm4TLDaJhUjeV5C43kbE1N2FAMS9LYtPJ44NAoGAFDGHZ/E+aCLerddfwwun
MBS6MnftcLPHTZ1RimTrNfsBXipBw1ItWEvn5s0kCm9X24PmdNK4TnhqHYaF4DL5
ZjbQK1idEA2Mi8GGPIKJJ2x7P6I0HYiV4qy7fe/w1ZlCXE90B7PuPbtrQY9wO7Ll
ipJ45X6I1PnyfOcckn8yafUCgYACtPAlgjJhWZn2v03cTbqA9nHQKyV/zXkyUIXd
/XPLrjrP7ouAi5A8WuSChR/yx8ECRgrEM65Be3qBEtoGCB4AS1G0NcigM6qhKBFi
VS0aMXr3+V8argcUIwJaWW/x+p2go48yXlJpLHPweeXe8mXEt4iM+QZte6p2yKQ4
h9PGQQKBgQCqSydmXBnXGIVTp2sH/2GnpxLYnDBpcJE0tM8bJ42HEQQgRThIChsn
PnGA91G9MVikYapgI0VYBHQOTsz8rTIUzsKwXG+TIaK+W84nxH5y6jUkjqwxZmAz
r1URaMAun2PfAB4g2N/kEZTExgeOGqXjFhvvjdzl97ux2cTyZhaTXg==
-----END RSA PRIVATE KEY-----
# List Symmetric Key Ciphers in the order of current / latest first
ciphers:
# Filename containing Symmetric Encryption Key encrypted using the
# RSA public key derived from the private key above
- key_filename: /etc/rails/.rails.key
iv_filename: /etc/rails/.rails.iv
# Encryption cipher
# Recommended values:
# aes-256-cbc
# 256 AES CBC Algorithm. Very strong
# Ruby 1.8.7 MRI Approximately 100,000 encryptions or decryptions per second
# JRuby 1.6.7 with Ruby 1.8.7 Approximately 22,000 encryptions or decryptions per second
# aes-128-cbc
# 128 AES CBC Algorithm. Less strong.
# Ruby 1.8.7 MRI Approximately 100,000 encryptions or decryptions per second
# JRuby 1.6.7 with Ruby 1.8.7 Approximately 22,000 encryptions or decryptions per second
cipher: aes-256-cbc
# Set the way the encrypted data is encoded:
# base64
# Encrypted data is returned in base64 encoding format
# Symmetric::Encryption.decrypt will also base64 decode any data prior
# to decrypting it
# base64strict
# As base64 except that does not contain any newlines
# This is the recommended setting
# none
# Encrypted data is returned as raw binary
# Although smaller than base64 it cannot be stored in MySQL text columns
# It can only be held in binary columns such as BINARY or BLOB
# Default: base64
encoding: base64strict
# FUTURE ENHANCEMENT:
#
# By adding a version indicator all encrypted data will include
# an additional first Byte that includes this version number to
# assist with speeding up decryption when adding new encryption keys
# and to support old data decryption using older keys
#
# By not specifying a version, or setting it to 0 will disable version
# identification prior to decrypting data
# During decryption these Keys will be tried in the order listed in the
# configuration file starting with the first in the list
# Slower since a decryption attempt is made for every key until the
# correct key is located. However, all encrypted data does not require
# the 1 Byte version header prefix
#
# Default: 0
#version: 0
# OPTIONAL:
#
# Any previous Symmetric Encryption Keys
#
# Only used when old data still exists that requires old decryption keys
# to be used
- key_filename: /etc/rails/.rails_old.key
iv_filename: /etc/rails/.rails_old.iv
cipher: aes-256-cbc
encoding: base64strict