Skip to content

Releases: codebyjass/active-cipher-storage

v2.0.0

Choose a tag to compare

@codebyjass codebyjass released this 01 Jun 18:24

Active Cipher Storage 2.0.0

This is a breaking release that simplifies configuration, aligns the Rails integration with the official Active Storage service API, and removes legacy/unfinished APIs.

Highlights

  • Rails integration now uses the canonical ActiveStorage::Service::ActiveCipherStorageService.
  • Active Storage config remains simple: service: ActiveCipherStorage with wrapped_service:.
  • Provider setup is centralized through config.provider and config.provider_options.
  • EnvProvider now receives the actual Base64 encryption key via provider_options[:encryption_key].
  • Large multipart uploads and streaming downloads are documented with clearer memory behavior.
  • Legacy Active Storage adapter aliases and key-rotation APIs were removed.

Breaking Changes

  • Removed ActiveCipherStorage::Adapters::ActiveStorageService.
    Use ActiveStorage::Service::ActiveCipherStorageService through Rails storage.yml.

  • Removed active_cipher_storage/active_storage_integration.
    The engine now loads the Active Storage service directly.

  • Removed global Configuration#chunk_size.
    Pass chunk_size where it is used:

    • storage.yml for the Active Storage service
    • S3Adapter.new(...)
    • EncryptedMultipartUpload.new(...)
    • StreamCipher.new(...)
  • Removed provider-specific config helpers such as aws_kms / env_provider.
    Use provider_options instead.

  • Changed EnvProvider configuration.

    Before:

    config.provider_options[:env_var] = "ACTIVE_CIPHER_MASTER_KEY"

    Now:

    config.provider = :env
    config.provider_options[:encryption_key] = ENV.fetch("ACTIVE_CIPHER_MASTER_KEY")
  • Removed key rotation APIs:

    • ActiveCipherStorage::KeyRotation
    • ActiveCipherStorageService#rekey
    • BlobMetadata.blobs_for
    • BlobMetadata.update_after_rotation
    • provider wrap_data_key / rotate_data_key

Configuration

Environment key provider:

ActiveCipherStorage.configure do |config|
  config.provider = :env
  config.provider_options[:encryption_key] = ENV.fetch("ACTIVE_CIPHER_MASTER_KEY")
end

AWS KMS provider:

ActiveCipherStorage.configure do |config|
  config.provider = "aws:kms"
  config.provider_options[:key_id] = Rails.application.credentials.dig(:aws, :kms_key_id)
  config.provider_options[:region] = "us-east-1"
end

AwsKmsProvider now builds its own Aws::KMS::Client and accepts endpoint, access_key_id, secret_access_key, and encryption_context.

Active Storage

Use the Rails-standard service wrapper:

encrypted_s3:
  service: ActiveCipherStorage
  wrapped_service: s3
  chunk_size: 6291456

The service wraps another Active Storage service, encrypts uploads before storage, and decrypts downloads transparently.

Multipart Uploads And Streaming Downloads

For frontend chunked uploads, use EncryptedMultipartUpload.

The app does not assemble the whole file before uploading. Each frontend chunk is read, encrypted into an authenticated ACS frame, and flushed to S3 multipart upload parts as encrypted bytes accumulate.

For large downloads, use streaming:

s3.stream_decrypted(key) do |chunk|
  response.stream.write(chunk)
end

Avoid get_decrypted for huge files because it buffers the encrypted object before decrypting.

Other Changes

  • Blob metadata failures now rescue StandardError only and re-raise in development.
  • path_for now raises NotImplementedError when the wrapped Active Storage service does not support local paths.
  • The tracked examples/ directory was removed. Local sample apps can still be generated outside git as needed.

Verification

  • RSpec: 120 examples, 0 failures
  • RuboCop: no offenses

v1.0.3

Choose a tag to compare

@codebyjass codebyjass released this 25 Apr 17:03
0d728cd

Active Cipher Storage 1.0.3

Documentation-focused release.

Changed

  • Update the README with clearer usage guidance and improved readability.

v1.0.2

Choose a tag to compare

@codebyjass codebyjass released this 25 Apr 16:26
6d94d2f

ActiveCipherStorage 1.0.2

Patch release to publish updated RubyGems metadata for better discoverability around Rails Active Storage encryption.

Changed

  • Updated gem version to 1.0.2.
  • Published improved RubyGems metadata for:
    • Rails Active Storage encryption
    • Ruby encryption/decryption
    • S3 streaming and multipart uploads
    • AES-256-GCM envelope encryption
    • AWS KMS support

v1.0.1

Choose a tag to compare

@codebyjass codebyjass released this 25 Apr 13:43
47c4f9d

ActiveCipherStorage 1.0.1

Patch release after the initial 1.0.0.

Changed

  • Backed gem configuration with Rails-style ActiveSupport options while preserving the existing public configuration API.
  • Documented config.encrypt_uploads for enabling/disabling encryption on new Active Storage uploads.
  • Clarified that downloads auto-detect encrypted vs plaintext payloads by the ACS header.

Fixed

  • Reject reordered encrypted streaming frames.
  • Reject trailing bytes after the final encrypted frame.
  • Validate S3 multipart chunk sizes before upload so invalid part sizes fail early.
  • Mark plaintext Active Storage uploads with encrypted: false metadata when encryption is disabled.

v1.0.0

Choose a tag to compare

@codebyjass codebyjass released this 25 Apr 11:48
a6addf5

ActiveCipherStorage v1.0.0

Initial public release of ActiveCipherStorage.

Highlights

  • Transparent AES-256-GCM envelope encryption for Rails Active Storage.
  • Direct S3 encrypted upload, download, multipart upload, and streaming download support.
  • Backend-managed frontend chunk upload support using encrypted S3 multipart uploads.
  • Pluggable key providers for environment-variable master keys, AWS KMS, and custom connectors.
  • Large file support with chunked encryption and bounded-memory streaming decryption.
  • Legacy plaintext Active Storage fallback for safe migration of existing buckets.
  • Header-only key rotation for re-wrapping encrypted data keys without re-encrypting file bodies.
  • Rails-compatible Active Storage service adapter registration.

Compatibility

  • Ruby 3.2+
  • Rails / Active Storage 7.0+
  • Optional AWS S3 SDK integration
  • Optional AWS KMS SDK integration

Security Notes

  • Uses per-file data encryption keys.
  • Wraps data encryption keys through the configured provider.
  • Uses AES-256-GCM authenticated encryption.
  • Detects tampering before returning plaintext.
  • Disables direct browser uploads because they bypass server-side encryption.

CI / Project Setup

  • GitHub Actions CI for Ruby 3.2, 3.3, and 3.4.
  • Gem build validation in CI.
  • RuboCop linting in CI.
  • Trusted Publishing support for RubyGems releases.