Releases: codebyjass/active-cipher-storage
Release list
v2.0.0
Active Cipher Storage 2.0.0
This is a breaking release that simplifies configuration, aligns the Rails integration with the official Active Storage service API, and removes legacy/unfinished APIs.
Highlights
- Rails integration now uses the canonical
ActiveStorage::Service::ActiveCipherStorageService. - Active Storage config remains simple:
service: ActiveCipherStoragewithwrapped_service:. - Provider setup is centralized through
config.providerandconfig.provider_options. EnvProvidernow receives the actual Base64 encryption key viaprovider_options[:encryption_key].- Large multipart uploads and streaming downloads are documented with clearer memory behavior.
- Legacy Active Storage adapter aliases and key-rotation APIs were removed.
Breaking Changes
-
Removed
ActiveCipherStorage::Adapters::ActiveStorageService.
UseActiveStorage::Service::ActiveCipherStorageServicethrough Railsstorage.yml. -
Removed
active_cipher_storage/active_storage_integration.
The engine now loads the Active Storage service directly. -
Removed global
Configuration#chunk_size.
Passchunk_sizewhere it is used:storage.ymlfor the Active Storage serviceS3Adapter.new(...)EncryptedMultipartUpload.new(...)StreamCipher.new(...)
-
Removed provider-specific config helpers such as
aws_kms/env_provider.
Useprovider_optionsinstead. -
Changed
EnvProviderconfiguration.Before:
config.provider_options[:env_var] = "ACTIVE_CIPHER_MASTER_KEY"
Now:
config.provider = :env config.provider_options[:encryption_key] = ENV.fetch("ACTIVE_CIPHER_MASTER_KEY")
-
Removed key rotation APIs:
ActiveCipherStorage::KeyRotationActiveCipherStorageService#rekeyBlobMetadata.blobs_forBlobMetadata.update_after_rotation- provider
wrap_data_key/rotate_data_key
Configuration
Environment key provider:
ActiveCipherStorage.configure do |config|
config.provider = :env
config.provider_options[:encryption_key] = ENV.fetch("ACTIVE_CIPHER_MASTER_KEY")
endAWS KMS provider:
ActiveCipherStorage.configure do |config|
config.provider = "aws:kms"
config.provider_options[:key_id] = Rails.application.credentials.dig(:aws, :kms_key_id)
config.provider_options[:region] = "us-east-1"
endAwsKmsProvider now builds its own Aws::KMS::Client and accepts endpoint, access_key_id, secret_access_key, and encryption_context.
Active Storage
Use the Rails-standard service wrapper:
encrypted_s3:
service: ActiveCipherStorage
wrapped_service: s3
chunk_size: 6291456The service wraps another Active Storage service, encrypts uploads before storage, and decrypts downloads transparently.
Multipart Uploads And Streaming Downloads
For frontend chunked uploads, use EncryptedMultipartUpload.
The app does not assemble the whole file before uploading. Each frontend chunk is read, encrypted into an authenticated ACS frame, and flushed to S3 multipart upload parts as encrypted bytes accumulate.
For large downloads, use streaming:
s3.stream_decrypted(key) do |chunk|
response.stream.write(chunk)
endAvoid get_decrypted for huge files because it buffers the encrypted object before decrypting.
Other Changes
- Blob metadata failures now rescue
StandardErroronly and re-raise in development. path_fornow raisesNotImplementedErrorwhen the wrapped Active Storage service does not support local paths.- The tracked
examples/directory was removed. Local sample apps can still be generated outside git as needed.
Verification
- RSpec:
120 examples, 0 failures - RuboCop: no offenses
v1.0.3
Active Cipher Storage 1.0.3
Documentation-focused release.
Changed
- Update the README with clearer usage guidance and improved readability.
v1.0.2
ActiveCipherStorage 1.0.2
Patch release to publish updated RubyGems metadata for better discoverability around Rails Active Storage encryption.
Changed
- Updated gem version to
1.0.2. - Published improved RubyGems metadata for:
- Rails Active Storage encryption
- Ruby encryption/decryption
- S3 streaming and multipart uploads
- AES-256-GCM envelope encryption
- AWS KMS support
v1.0.1
ActiveCipherStorage 1.0.1
Patch release after the initial 1.0.0.
Changed
- Backed gem configuration with Rails-style ActiveSupport options while preserving the existing public configuration API.
- Documented
config.encrypt_uploadsfor enabling/disabling encryption on new Active Storage uploads. - Clarified that downloads auto-detect encrypted vs plaintext payloads by the ACS header.
Fixed
- Reject reordered encrypted streaming frames.
- Reject trailing bytes after the final encrypted frame.
- Validate S3 multipart chunk sizes before upload so invalid part sizes fail early.
- Mark plaintext Active Storage uploads with
encrypted: falsemetadata when encryption is disabled.
v1.0.0
ActiveCipherStorage v1.0.0
Initial public release of ActiveCipherStorage.
Highlights
- Transparent AES-256-GCM envelope encryption for Rails Active Storage.
- Direct S3 encrypted upload, download, multipart upload, and streaming download support.
- Backend-managed frontend chunk upload support using encrypted S3 multipart uploads.
- Pluggable key providers for environment-variable master keys, AWS KMS, and custom connectors.
- Large file support with chunked encryption and bounded-memory streaming decryption.
- Legacy plaintext Active Storage fallback for safe migration of existing buckets.
- Header-only key rotation for re-wrapping encrypted data keys without re-encrypting file bodies.
- Rails-compatible Active Storage service adapter registration.
Compatibility
- Ruby 3.2+
- Rails / Active Storage 7.0+
- Optional AWS S3 SDK integration
- Optional AWS KMS SDK integration
Security Notes
- Uses per-file data encryption keys.
- Wraps data encryption keys through the configured provider.
- Uses AES-256-GCM authenticated encryption.
- Detects tampering before returning plaintext.
- Disables direct browser uploads because they bypass server-side encryption.
CI / Project Setup
- GitHub Actions CI for Ruby 3.2, 3.3, and 3.4.
- Gem build validation in CI.
- RuboCop linting in CI.
- Trusted Publishing support for RubyGems releases.