Decrypt performs AES-256-GCM decryption in a Rails-compatible manner by expecting the message to comprise encrypted data, nonce, and an auth tag.

Encrypt performs AES-256-GCM encryption in a Rails-compatible manner by imitating the `Marshal.dump(value)`` effect (for a string value, as of v4.8) and also splitting the authentication tag into a separate value joined with dashes.

EncryptWithNonce is the deterministic core of Encrypt for testing purposes.

KeyID uses square/go-jose to extract the JWK thumbprint for a RSA public key.

Marshal is an incomplete implementation of Ruby's Marshal.dump as of v4.8.

UnmarshalInt imitates Marshal.load(dumped_int) as of v4.8.

UnmarshalString imitates Marshal.load(dumped_str) as of v4.8.