class ActiveRecord::Encryption::KeyProvider
A KeyProvider serves keys:

* An encryption key
* A list of potential decryption keys. Serving multiple decryption keys supports rotation-schemes
  where new keys are added but old keys need to continue working
def decryption_keys(encrypted_message)
Returns the list of decryption keys

When the message holds a reference to its encryption key, it will return an array

    def decryption_keys(encrypted_message)
      if encrypted_message.headers.encrypted_data_key_id
        keys_grouped_by_id[encrypted_message.headers.encrypted_data_key_id]
      else
        @keys
      end
    end
def encryption_key
Returns the last key in the list as the active key to perform encryptions

When +ActiveRecord::Encryption.config.store_key_references+ is true, the key will include
a public tag referencing the key itself. That key will be stored in the public

    def encryption_key
      @encryption_key ||= @keys.last.tap do |key|
        key.public_tags.encrypted_data_key_id = key.id if ActiveRecord::Encryption.config.store_key_references
      end

      @encryption_key
    end
def initialize(keys)

    def initialize(keys)
      @keys = Array(keys)
    end
def keys_grouped_by_id

    def keys_grouped_by_id
      @keys_grouped_by_id ||= @keys.group_by(&:id)
    end
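
The rotation behaviour of +encryption_key+ and +decryption_keys+, as an added stand-alone sketch that is not Rails code: without a key reference every served key is tried in order, with one the lookup goes straight to the referenced key, and a message whose referenced key has been dropped can no longer be decrypted. DemoKey, DemoKeyProvider, the header names (:k, :iv, :tag), the hand-assigned key ids and the use of AES-256-GCM from Ruby's OpenSSL are assumptions of this sketch.

```ruby
require "openssl"

# Constructed stand-ins, not Rails classes; ids are assigned by hand here.
DemoKey = Struct.new(:id, :secret)

class DemoKeyProvider
  def initialize(keys, store_key_references: false)
    @keys = [keys].flatten # Array(keys) would unpack a single Struct into its fields
    @store_refs = store_key_references
  end

  def encryption_key
    @keys.last # newest key encrypts
  end

  # Lookup rule from the page; an unknown id yields no keys instead of nil.
  def decryption_keys(headers)
    headers[:k] ? @keys.group_by(&:id).fetch(headers[:k], []) : @keys
  end

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = encryption_key.secret
    iv = cipher.random_iv
    cipher.auth_data = ""
    payload = cipher.update(plaintext) + cipher.final
    headers = { iv: iv, tag: cipher.auth_tag }
    headers[:k] = encryption_key.id if @store_refs # public, unencrypted reference
    { headers: headers, payload: payload }
  end

  # Returns [plaintext, keys_tried]; raises when no served key authenticates.
  def decrypt(message)
    h = message[:headers]
    decryption_keys(h).each_with_index do |key, i|
      d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
      d.key = key.secret
      d.iv = h[:iv]
      d.auth_tag = h[:tag]
      d.auth_data = ""
      begin
        return [d.update(message[:payload]) + d.final, i + 1]
      rescue OpenSSL::Cipher::CipherError
        next # GCM tag mismatch: wrong key, try the next one
      end
    end
    raise ArgumentError, "no served key decrypts this message"
  end
end
```

Secrets passed to DemoKey must be 32 bytes for AES-256, and the plaintext must be non-empty.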