End-to-end encryption support for Ruby


This month, we launched end-to-end encryption for the Pusher Channels Ruby library.


Pusher <3 Ruby

Pusher has a long history of supporting Ruby developers, and Channels is the best solution for handling long-lived connections in Rails. While Rails now has more features to help with long-lived connections, such as Action Cable, there are still many benefits to using Channels that Action Cable doesn't provide.

1. Reconnection strategies

2. Decoupling. This is not only useful for holding long-lived connections during deployment, but means we can handle the scaling of your WebSocket traffic without it affecting the rest of your application.

3. Presence functionality out of the box. By using the presence feature to make others aware of who is subscribed to a channel you can build collaboration, chat rooms, gaming presence and more.

E2EE for our Ruby library

A few months ago we launched the end-to-end encryption feature in general availability for Pusher Channels. A number of libraries were supported by default and the response was fantastic. We’ve now had requests from many users to add it to more of the Pusher SDKs.

We saw huge demand from our Ruby community to add support for the feature. You can find the new version here.

End-to-end encryption is an important tool to help you enforce the principle of least privilege. It removes Pusher from the list of privileged entities that can read and write sensitive data such as prescription requests.

Many of our users prefer to err on the side of caution when sending data through other systems, and we don’t want to have access to any sensitive data that you’d rather we didn’t see and that we don’t need to!

How to get started

You can quickly switch to end-to-end encryption by following these steps:

1. Add the rbnacl gem to your Gemfile. It is not declared as a dependency of the Pusher gem, so it will not be installed unless you add it yourself.

2. Install Libsodium, which we rely on to do the heavy lifting. Follow the installation instructions for your platform.

3. Next, generate your 32-byte master encryption key, encode it as base64 and pass it to the Pusher constructor. This is a secret and you should never share it with anyone, not even Pusher.

openssl rand -base64 32

require 'pusher'

pusher = Pusher::Client.new({
  app_id: 'your-app-id',
  key: 'your-app-key',
  secret: 'your-app-secret',
  cluster: 'your-app-cluster',
  use_tls: true,
  encryption_master_key_base64: '<KEY GENERATED BY PREVIOUS COMMAND>', # base64 of the 32-byte key; keep it secret
})

4. Make sure you’re using a client SDK with end-to-end encryption support. For example, to use encryption with the JS SDK, import pusher-js/with-encryption.

5. Now channels prefixed with private-encrypted- will be encrypted.
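One way to check steps 3 and 5 before the client is constructed, as an added example that is not from this post or from the Pusher library: it validates the base64 master key and refuses channel names that lack the private-encrypted- prefix. The helper names and the environment variable names are assumptions.

```ruby
ENCRYPTED_PREFIX = 'private-encrypted-' # channel prefix named in step 5
MASTER_KEY_BYTES = 32                   # key size named in step 3

class MasterKeyError < StandardError; end

# Decode and validate the base64 master key; returns the raw 32 bytes.
# Error messages never include key material, so they are safe to log.
def load_master_key(b64)
  raise MasterKeyError, 'master key is not set' if b64.nil? || b64.strip.empty?

  raw = begin
    b64.strip.unpack1('m0') # strict base64: rejects stray characters and bad padding
  rescue ArgumentError
    raise MasterKeyError, 'master key is not valid base64'
  end
  unless raw.bytesize == MASTER_KEY_BYTES
    raise MasterKeyError, "master key decodes to #{raw.bytesize} bytes, expected #{MASTER_KEY_BYTES}"
  end
  raise MasterKeyError, 'master key is a single repeated byte' if raw.bytes.uniq.size == 1

  raw
end

# True only for channel names that carry the encrypted prefix plus a name.
def encrypted_channel?(name)
  name.to_s.start_with?(ENCRYPTED_PREFIX) && name.to_s.length > ENCRYPTED_PREFIX.length
end

# Refuse to publish sensitive data on a channel whose payloads are not end-to-end encrypted.
def ensure_encrypted_channel!(name)
  raise ArgumentError, "#{name.inspect} is not a #{ENCRYPTED_PREFIX} channel" unless encrypted_channel?(name)

  name
end

# Build the constructor options from the environment (variable names are assumed).
def channels_options(env = ENV)
  key_b64 = env['PUSHER_ENCRYPTION_MASTER_KEY_BASE64'].to_s.strip
  load_master_key(key_b64) # fail at boot rather than at the first publish
  { app_id: env['PUSHER_APP_ID'], key: env['PUSHER_APP_KEY'], secret: env['PUSHER_APP_SECRET'],
    cluster: env['PUSHER_APP_CLUSTER'], use_tls: true, encryption_master_key_base64: key_b64 }
end
```

Loading the key from the environment keeps it out of source control, and calling ensure_encrypted_channel! before each publish of sensitive data catches a mistyped channel name that would otherwise send the payload unencrypted.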

Whatever your stack, we’d love to hear about the features that are important to you. Get in touch with the team to tell us more about what you’re building and how we can help!