AES symmetric-key encryption/decryption in Ruby with the built-in OpenSSL lib

aes_crypt.rb

require 'openssl'
require 'digest/sha2'

module AESCrypt
  CIPHER_TYPE = "AES-256-CBC".freeze

  class << self
    def decrypt(armored_iv_and_ciphertext, key)
      ciphertext = [armored_iv_and_ciphertext].pack("H*")
      aes = OpenSSL::Cipher::Cipher.new(CIPHER_TYPE)
      aes.decrypt
      aes.key = Digest::SHA512.hexdigest(key)
      aes.iv = ciphertext.slice!(0, 16)
      aes.update(ciphertext) + aes.final
    end

    def encrypt(data, key)
      aes = OpenSSL::Cipher::Cipher.new(CIPHER_TYPE)
      aes.encrypt
      aes.iv = iv = aes.random_iv
      aes.key = Digest::SHA512.hexdigest(key)
      iv_and_ciphertext = iv + aes.update(data) + aes.final
      armored_iv_and_ciphertext = iv_and_ciphertext.unpack("H*")[0]
    end
  end
end

aes_crypt_spec.rb

RSpec.describe AESCrypt do
  describe 'encrypt' do
    let(:key) { "woohoosecret" }
    let(:plaintext) { "its private" }

    it 'returns a non-nil string other than plaintext or the key' do
      result = AESCrypt.encrypt(plaintext, key)
      expect(result).not_to be_nil
      expect(result).to be_a String
      expect(result).not_to match plaintext
      expect(result).not_to match key
    end
  end

  describe 'decrypt' do
    let(:key) { "woohoosecret" }
    let(:plaintext) { "its private" }

    it 'works' do
      result = AESCrypt.decrypt(AESCrypt.encrypt(plaintext, key), key)
      expect(result).to eq plaintext
    end
  end
end

@fullofcaffeine The armored_iv_and_ciphertext is not about security, it's making the encryption output more easily transportable (e.g. over the wire, serialised to a file, database,etc.), it'd simply be an ASCII string of hex characters, no binary bytes to worry about.

I'm by no means an expert in cryptography, so I'm not going to pretend to be one :) It does sound like using OpenSSL::PKCS5.pbkdf2_hmac_sha1 instead of Digest::SHA512.hexdigest may be better, but I'm not sure.