Cryptor is a multi-backend high-level encryption library for Ruby,
partly inspired by tools like GPG and Google Keyczar:

https://github.com/cryptosphere/cryptor

Much like an audiophile soundsystem, Cryptor doesn’t have a whole lot of
knobs. Instead, all of the tough decisions have been made for you in
advance by experts, providing a safe API that’s simple and easy-to-use.
Cryptor utilizes what’s known as “authenticated encryption” exclusively,
and supports two backends:

- RbNaCl: a Ruby binding to libsodium, a portable version of the
  state-of-the-art NaCl encryption library
- ActiveSupport::MessageEncryptor: a bespoke authenticated encryption
  scheme using AES-CBC and HMAC built on Ruby’s OpenSSL extension

Here’s an example of using Cryptor with the recommended
“xsalsa20poly1305” cipher supplied by RbNaCl:
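
    require 'cryptor'
    # Load the RbNaCl-backed cipher that the key below is generated for
    require 'cryptor/symmetric_encryption/ciphers/xsalsa20poly1305'

    # Generate a random secret key for the xsalsa20poly1305 cipher
    secret_key = Cryptor::SymmetricEncryption.random_key(:xsalsa20poly1305)
    cryptor = Cryptor::SymmetricEncryption.new(secret_key)

    plaintext = 'sample message' # any string you want to protect
    # Authenticated encryption, then decryption back to the plaintext
    ciphertext = cryptor.encrypt(plaintext)
    decrypted = cryptor.decrypt(ciphertext)
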
That’s it!

Cryptor also supports key rotation, allowing multiple decryption keys to
be active at the same time, but ensuring all new ciphertexts are produced
by the newest, “active” key. This means that if keys are ever compromised,
or you’d like to have a policy of rotating keys, you can easily update
existing ciphertexts to be encrypted under a new key.
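
The rotation model described above, as an added example that is not Cryptor's code, API or the ORDO format. Assumptions: the hypothetical class `RotatingKeyring`, AES-256-GCM from Ruby's OpenSSL standing in for the authenticated cipher, 32-byte random keys, and a message layout (key id, nonce, tag, body) made up for this illustration.

```ruby
require 'openssl'

# Illustrative keyring, not Cryptor's API or the ORDO format (assumptions:
# AES-256-GCM as the authenticated cipher, an 8-byte SHA-256 key fingerprint).
class RotatingKeyring
  UnknownKey = Class.new(StandardError)

  def initialize(active_key, old_keys = [])
    @active = active_key
    @keys = ([active_key] + old_keys).map { |k| [fingerprint(k), k] }.to_h
  end

  # Key id stored in front of each ciphertext so decrypt can pick the key.
  def fingerprint(key)
    OpenSSL::Digest::SHA256.digest(key)[0, 8]
  end

  # New ciphertexts are always produced under the active key.
  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @active
    nonce = cipher.random_iv
    cipher.auth_data = fingerprint(@active) # bind the key id to the tag
    body = cipher.update(plaintext) + cipher.final
    fingerprint(@active) + nonce + cipher.auth_tag + body
  end

  # Any key on the ring decrypts; tampering raises OpenSSL::Cipher::CipherError.
  def decrypt(message)
    raise ArgumentError, 'truncated message' if message.bytesize <= 36
    id, nonce, tag, body = message.unpack('a8a12a16a*')
    key = @keys.fetch(id) { raise UnknownKey, 'no key on the ring for this id' }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = nonce
    cipher.auth_tag = tag
    cipher.auth_data = id
    cipher.update(body) + cipher.final
  end

  # Re-encrypt a ciphertext made under an older key with the active key.
  def rotate(message)
    encrypt(decrypt(message))
  end

  def active?(message)
    message.byteslice(0, 8) == fingerprint(@active)
  end
end
```

Once every stored ciphertext has been passed through `rotate`, the old key can be dropped from the ring, after which anything still encrypted under it is rejected with `UnknownKey`.
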
Cryptor uses the experimental ORDO message format for representing
ciphertexts:
https://github.com/cryptosphere/ordo
Future versions of Cryptor may support additional message formats like
OpenPGP and JWE.
Cryptor only supports symmetric encryption at this time. Future versions
may support asymmetric encryption using RbNaCl’s “Box” encryption
primitive (a.k.a. curve25519xsalsa20poly1305).
Enjoy!