Open ezekg opened 2 years ago
Consider using `ActiveSupport::MessageEncryptor`. Still need to figure out signature, so perhaps writing our own based on Rails's stuff would be best, but keeping this here for future reference. Maybe peek the `sign_secret` param.
Should also use a JSON serializer and not Ruby's default object marshaling, since decrypt needs to be polyglot.
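```ruby
require 'active_support/all'
require 'securerandom'
require 'json'

len = ActiveSupport::MessageEncryptor.key_len
salt = SecureRandom.random_bytes(len)
key = ActiveSupport::KeyGenerator.new('secret').generate_key(salt, len)
# JSON serializer instead of the default Marshal
crypt = ActiveSupport::MessageEncryptor.new(key, serializer: JSON)
# Swap the '--' separator for '.' on output, and back before decrypting
enc = crypt.encrypt_and_sign('my secret data').gsub('--', '.')
dec = crypt.decrypt_and_verify(enc.gsub('.', '--'))
```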
Ref: https://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html
All values base64url encoded. Signature should be signature of plaintext.
<CIPHER TEXT>.<IV>.<AUTH TAG>.<ED25519 SIGNATURE>
Use same encryption as license files.
For server-side use only. Would be useful to embed encrypted data into license keys that can be decrypted server-side with a configurable per-product secret key. We should also sign the data so that even if the secret key is leaked, the integrity of the license key can still be verified.
I can see this being useful for Ents who want to embed data, but also want to assert the data is never publicly readable, i.e. it’s encrypted.
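A sketch of the `<CIPHER TEXT>.<IV>.<AUTH TAG>.<ED25519 SIGNATURE>` layout proposed above, added here as an example; it is not code from the issue or from the project. It assumes AES-256-GCM, a 32-byte per-product secret, and Ruby's bundled `openssl` with Ed25519 support; `SealedData`, `seal` and `unseal` are hypothetical names.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical helper (names and key handling are assumptions, not the project's API).
# Assumes AES-256-GCM with a 32-byte per-product secret and an Ed25519 key pair.
module SealedData
  module_function

  def b64(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Returns "<CIPHER TEXT>.<IV>.<AUTH TAG>.<ED25519 SIGNATURE>", all base64url.
  def seal(data, secret_key:, signing_key:)
    plaintext = JSON.generate(data) # JSON rather than Marshal, so any language can decode
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = secret_key
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    signature = signing_key.sign(nil, plaintext) # signature of the plaintext
    [ciphertext, iv, cipher.auth_tag, signature].map { |part| b64(part) }.join('.')
  end

  # Returns the decoded data, or nil when the token is malformed, was encrypted
  # under a different secret, was modified, or is not signed by verify_key.
  def unseal(token, secret_key:, verify_key:)
    parts = token.split('.', -1)
    return nil unless parts.size == 4

    ciphertext, iv, tag, signature = parts.map { |part| Base64.urlsafe_decode64(part) }
    # GCM accepts truncated tags, so pin the IV and tag lengths explicitly.
    return nil unless iv.bytesize == 12 && tag.bytesize == 16

    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = secret_key
    cipher.iv = iv
    cipher.auth_tag = tag
    plaintext = cipher.update(ciphertext) + cipher.final
    return nil unless verify_key.verify(nil, signature, plaintext)

    JSON.parse(plaintext)
  rescue OpenSSL::OpenSSLError, ArgumentError, JSON::ParserError
    nil
  end
end
```

Because the signature covers the plaintext, it can only be checked after decryption, which fits the server-side-only use described above. A token re-encrypted with a leaked secret still fails `unseal` unless it is also signed by the Ed25519 private key.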