Cryptor is a multi-backend high-level encryption library for Ruby, partly inspired by tools like GPG and Google Keyczar: https://github.com/cryptosphere/cryptor Much like an audiophile soundsystem, Cryptor doesn't have a whole lot of knobs. Instead, all of the tough decisions have been made for you in advance by experts, providing a safe API that's simple and easy-to-use. Cryptor utilizes what's known as "authenticated encryption" exclusively, and supports two backends: - RbNaCl: a Ruby binding to libsodium, a portable version of the state-of-the-art NaCl encryption library - ActiveSupport::MessageEncryptor: a bespoke authenticated encryption scheme using AES-CBC and HMAC built on Ruby's OpenSSL extension Here's an example of using Cryptor with the recommended "xsalsa20poly1305" cipher supplied by RbNaCl: require 'cryptor' require 'cryptor/symmetric_encryption/ciphers/message_encryptor' secret_key = Cryptor::SymmetricEncryption.random_key(:xsalsa20poly1305) cryptor = Cryptor::SymmetricEncryption.new(secret_key) ciphertext = cryptor.encrypt(plaintext) decrypted = cryptor.decrypt(ciphertext) That's it! Cryptor also supports key rotation, allowing multiple decryption keys to be active at the same time, but ensuring all new ciphertexts are produced by the newest, "active" key. This means that if keys are ever compromised, or you'd like to have a policy of rotating keys, you can easily update existing ciphertexts to be encrypted under a new key. Cryptor uses the experimental ORDO message format for representing ciphertexts: https://github.com/cryptosphere/ordo Future versions of Cryptor may support additional message formats like OpenPGP and JWE. Cryptor only supports symmetric encryption at this time. Future versions may support asymmetric encryption using RbNaCl's "Box" encryption primitive (a.k.a. curve25519xsalsa20poly1305) Enjoy!
on 2014-06-15 01:27
on 2014-06-16 20:04
Hi! Thanks for your work. On 15/06/14 01:26, Tony Arcieri wrote: > Cryptor utilizes what's known as "authenticated encryption" exclusively, > and supports two backends: > > - RbNaCl: a Ruby binding to libsodium, a portable version of the > state-of-the-art NaCl encryption library > - ActiveSupport::MessageEncryptor: a bespoke authenticated encryption > scheme using AES-CBC and HMAC built on Ruby's OpenSSL extension AES-CBC is not a strong decision. If you can, please try to use AES-GCM. Hth. regards, sandor --
on 2014-06-16 20:16
On Mon, Jun 16, 2014 at 11:03 AM, Sándor Szücs <firstname.lastname@example.org> wrote: > AES-CBC is not a strong decision. > If you can, please try to use AES-GCM. While I agree with you that AES-CBC is inferior to AES-GCM, the recommended cipher for Cryptor is XSalsa20Poly1305, an authenticated stream cipher provided by RbNaCl, which is arguably better than AES-GCM. AES-CBC + HMAC is provided as an alternative for those who don't want RbNaCl as a dependency, and used because it's what ActiveSupport's MessageEncryptor class provides. I am not explicitly choosing to use AES-CBC. ActiveSupport made the decision for me.