Erebus v0.2.0-rc.1

Erebus (Erebus v0.2.0-rc.1) View Source

This is an entry point for the Erebus library. Here you will find operations for both encrypting and decrypting fields in the database.

Erebus is an implementation of the envelope encryption paradigm. For each encrypted struct, it's using a separate key - called DEK (short for data encryption key). Then that key is encrypted using KEK (key encryption key). DEK is a symmetric key - we're using Aes 256 with Galois mode with aead (which guarantees both security and integrity of the data). KEK is an asymmetric key - we're using the public key for encryption (for performance reason when using external key storage) and private for decryption. Specific implementation depends on the backend. Currently, we're providing three:

  • Erebus.KMS.Google - which uses Google KMS key storage. That means that your private key never leaves Google infrastructure, which is the most secure option.
  • Erebus.KMS.Local - which uses private/public key pair stored on your hard drive. Please note that it makes them prone to leakage
  • Erebus.KMS.Dummy - which uses base64 as encryption for DEK. Never use it in production.

Please note that you need to provide config for the operations and call them, providing them for each call.

The preferred way of running it is with your wrapper, like:

defmodule MyApp.Erebus do
  def encrypt(struct, handle, version) do
    opts = Application.get_env(:my_app, :erebus)

    Erebus.encrypt(struct, handle, version, opts)
  end

  def decrypt() do
    opts = Application.get_env(:my_app, :erebus)
  end
end

while providing config in your app config file, so for Google KMS, it would be:

config :my_app, :erebus,
  kms_backend: Erebus.KMS.Google,
  google_project: "someproject",
  google_region: "someregion",
  google_keyring: "some_keyring",
  google_goth: MyApp.Goth

and for using a local key file, it would be:

config :my_app, :erebus,
  kms_backend: Erebus.KMS.Local,
  keys_base_path: "/tmp/keys",
  private_key_password: "1234"

Please note that by using that approach, you can use different Erebus config for less vital data (using local keys) and more important (using more secure Google KMS).

Link to this section Summary

Functions

decrypt(struct, fields_to_decrypt, opts \\ [])

This function decrypts your encrypted struct. It takes

encrypt(struct, handle, version, opts)

This function should be called when you want to encrypt your struct. It takes

reencrypt_dek(struct, handle, version, opts)

This method, called on encrypted struct, force it to re-encrypt DEK using provided KEK backend.

Link to this section Functions

Link to this function

decrypt(struct, fields_to_decrypt, opts \\ [])

View Source

This function decrypts your encrypted struct. It takes:

  • encrypted struct with dek field present
  • list of fields to be decrypted
  • options - providing backend and options for that backend
Link to this function

encrypt(struct, handle, version, opts)

View Source

This function should be called when you want to encrypt your struct. It takes:

  • struct which implements Erebus.Encryption protocol
  • handle for key
  • version of key
  • options - providing backend and options for that backend

One very meaningful option is :force_reencrypt flag, which can be used for re-encrypting all of the fields - even if nothing has been changed there.

Link to this function

reencrypt_dek(struct, handle, version, opts)

View Source

This method, called on encrypted struct, force it to re-encrypt DEK using provided KEK backend.