Project

cloak-rb

0.01
Repository is archived
No release in over a year
cloak-rbankane/cloakHomepageDocumentationSource CodeBug Tracker
Application-level encryption for Redis and Memcached
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
3,901
Stars
34
Forks
0
Watchers
3
 Releases
Current version
0.2.0
Total releases
3
First release
2020-12-15
Latest release
2022-09-05
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
1
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2022-05-17
Reverse Dependencies
0

 Dependencies

Runtime

miscreant
>= 0
 Project Readme

Cloak

🔥 Application-level encryption for Redis and Memcached

Encrypts keys, values, list elements, set members, and hash fields while still being able to perform a majority of operations 🎉

See technical details for more info.

Build Status

Installation

Add this line to your application’s Gemfile:

gem "cloak-rb"

Getting Started

Generate a key

Cloak.generate_key

Store the key with your other secrets. This is typically an environment variable (dotenv is great for this) or Rails credentials. Be sure to use different keys in development and production. Set the following environment variable with your key (you can use this one in development)

CLOAK_KEY=0000000000000000000000000000000000000000000000000000000000000000

or add it to your credentials for each environment (rails credentials:edit --environment <env> for Rails 6+)

cloak_key: "0000000000000000000000000000000000000000000000000000000000000000"

Then follow the instructions for your key-value store.

  • Redis
  • Memcached

Redis

Requires the redis gem

Create a client

redis = Cloak::Redis.new(key: key)

And use it in place of a Redis instance.

redis.set("hello", "world")
redis.get("hello")

A few methods aren’t supported:

  • lrem since encrypted list elements aren’t comparable
  • setrange, setbit, append, and bitop since encrypted strings can’t be modified in-place

Also, for sorted sets, members having the same score are not guaranteed to be returned in lexographical order.

Memcached

Requires the dalli gem

Create a client

dalli = Cloak::Dalli.new(key: key)

And use it in place of a Dalli::Client instance.

dalli.set("hello", "world")
dalli.get("hello")

Technical Details

Cloak uses AES-SIV, which supports deterministic encryption. Unlike most encryption algorithms, AES-SIV supports nonce reuse without catastrophic failure (like AES-GCM) or leaking prefix information (like AES-CBC).

  • Items that need to be comparable across keys use a fixed nonce (keys, set members, HyperLogLog elements)
  • Items that need to be comparable within a key use a key-specific nonce (hash fields)
  • Other items use a random nonce (string values, list elements, hash values)

The fixed nonces are \x00 bytes for keys, \x01 bytes for set members, and \x02 bytes for HyperLogLog elements. Key-specific nonces for hash fields are the first 16 bytes of encrypted key.

Commands, expiration times, increment/decrement values, and sorted set scores are not encrypted.

Key Rotation

Key rotation is not supported right now, but may be possible in a limited capacity in the future.

Credits

Thanks to Miscreant for AES-SIV encryption.

History

View the changelog

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:

To get started with development:

git clone https://github.com/ankane/cloak.git
cd cloak
bundle install
bundle exec rake test