CarrierWave Secure

Provides scalable strong encryption to CarrierWave, the classier solution for file uploads from Ruby applications.

CarrierWave Secure uses the {Advanced Encryption Standard}[https://en.wikipedia.org/wiki/Advanced_Encryption_Standard] in {Galois/Counter Mode}[https://en.wikipedia.org/wiki/Galois/Counter_Mode] to give your application data files quantum-resistant protection with great performance.

Requirements

Installation

To install CarrierWave Secure, run:

$ gem install carrierwave-secure

If you are installing via Bundler, add it to the Gemfile:

gem 'carrierwave-secure', '~> 2.0'

Usage

The following examples use cloud storage with OpenStack Swift, but they are easily adaptable to any other storage strategy (such as local filesystem, Amazon S3, Google Cloud, Rackspace, and many others).

# See https://github.com/carrierwaveuploader/carrierwave#fog
CarrierWave.configure do |config|
  config.fog_directory = ENV['OPENSTACK_SWIFT_CONTAINER']
  config.fog_credentials = {
    provider:               :openstack,
    openstack_auth_url:     ENV['OPENSTACK_AUTH_URL'],
    openstack_username:     ENV['OPENSTACK_USERNAME'],
    openstack_api_key:      ENV['OPENSTACK_API_KEY'],
    openstack_region:       ENV['OPENSTACK_REGION'],
    openstack_project_name: ENV['OPENSTACK_USERNAME'],
    openstack_domain_id:    ENV['OPENSTACK_DOMAIN_ID'] || 'default'
  }
  config.secure_key = ENV['ENCRYPTION_KEY'] # base64 encoded
end

# See https://github.com/carrierwaveuploader/carrierwave#getting-started
class CloudUploader < CarrierWave::Uploader::Base
  storage :fog
end

# Decorate your uploader with strong encryption powers
uploader = CarrierWave::Secure::Uploader[CloudUploader].new
# Encrypts the file before uploading it
uploader.store!(my_file)
# Downloads the encrypted file
uploader.retrieve_from_store!(filename)
# Decrypts data locally
uploader.read

Rails

# config/initializers/carrierwave.rb
CarrierWave.configure do |config|
  # See https://github.com/carrierwaveuploader/carrierwave#fog

  # Rails >= 5.2 (keep either this group or the Rails 5.1 group below, not both)
  config.fog_directory = Rails.application.credentials.carrierwave[:fog_directory] # container name
  config.fog_credentials = Rails.application.credentials.carrierwave[:fog_credentials] # authentication
  config.secure_key = Rails.application.credentials.carrierwave[:secure_key] # 256-bit key (base64 encoded)
  # Rails 5.1 (use instead of the Rails >= 5.2 group above)
  config.fog_directory = Rails.application.secrets.carrierwave[:fog_directory] # container name
  config.fog_credentials = Rails.application.secrets.carrierwave[:fog_credentials] # authentication
  config.secure_key = Rails.application.secrets.carrierwave[:secure_key] # 256-bit key (base64 encoded)
end

# app/uploaders/cloud_uploader.rb
class CloudUploader < CarrierWave::Uploader::Base
  storage :fog
end

# app/models/document.rb
class Document < ApplicationRecord
  # Set `secure` option to `true`
  mount_uploader :file, CloudUploader, secure: true
end

# Encrypts the file before uploading it
document = Document.create!(file: my_file)
# Downloads the encrypted file and decrypts data locally
document.file.read

Generating the encryption key

Keep the production encryption key safe and private!

To generate the 256-bit key, download this library's source code and run the following from its root directory:

$ gem install rake
$ rake

Copy the result and store it in a safe place.
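To make the key format concrete, the following added example (not code from this gem) generates a base64-encoded 256-bit key, rejects keys that do not decode to exactly 32 bytes, and runs an AES-256-GCM round trip with Ruby's OpenSSL bindings. The helper names and the nonce | tag | ciphertext layout are assumptions for illustration only; the gem's own file format is not described here.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Fresh 256-bit key in the base64 form that config.secure_key is documented to take.
def generate_key
  Base64.strict_encode64(SecureRandom.random_bytes(32))
end

# Strictly decode a key and refuse anything that is not exactly 32 bytes.
def decode_key(encoded)
  key = Base64.strict_decode64(encoded.to_s) # ArgumentError on malformed base64
  raise ArgumentError, "expected 32 key bytes, got #{key.bytesize}" unless key.bytesize == 32
  key
end

# Older openssl gems reject update(''), so empty input goes straight to final.
def run_cipher(cipher, data)
  (data.empty? ? ''.b : cipher.update(data)) + cipher.final
end

# Assumed layout (this sketch only): 12-byte nonce | 16-byte tag | ciphertext.
def encrypt(encoded_key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = decode_key(encoded_key)
  nonce = cipher.random_iv # new 96-bit nonce per file; never reuse one under the same key
  cipher.auth_data = ''
  ciphertext = run_cipher(cipher, plaintext)
  nonce + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError if the blob was modified or the key is wrong.
def decrypt(encoded_key, blob)
  raise ArgumentError, 'blob shorter than nonce + tag' if blob.bytesize < 28
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = decode_key(encoded_key)
  decipher.iv = blob.byteslice(0, 12)
  decipher.auth_tag = blob.byteslice(12, 16)
  decipher.auth_data = ''
  run_cipher(decipher, blob.byteslice(28, blob.bytesize))
end

if __FILE__ == $PROGRAM_NAME
  key = generate_key
  blob = encrypt(key, 'constructed sample file contents')
  puts "round trip ok: #{decrypt(key, blob) == 'constructed sample file contents'}"
end
```

Because decode_key treats a missing value as an empty string, an unset ENV['ENCRYPTION_KEY'] fails at startup with an ArgumentError instead of silently producing a weak key.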

Rails

If you're using Rails, run the following from the project's root directory:

$ rake carrierwave_secure:generate_key

We recommend storing the encryption key using secure credentials.

License

Licensed under the GNU Lesser General Public License v3.0.

Authors