ref: https://github.com/ahoward/sekrets
NAME
sekrets.rb
SYNOPSIS
sekrets is a command line tool and library used to securely manage encrypted
files and settings in your rails applications and git repositories.
INSTALL
gem install sekrets
gem 'sekrets'
DESCRIPTION
TL;DR
# create an encrypted config file
ruby -r yaml -e'puts({:api_key => 1234}.to_yaml)' | sekrets write config/settings.yml.enc --key 42
# display it
sekrets read config/settings.yml.enc --key 42
# edit it
sekrets edit config/settings.yml.enc --key 42
# see that it's encrypted
cat config/settings.yml.enc
# commit it
git add config/settings.yml.enc
# put the decryption key in a file
echo 42 > .sekrets.key
# ignore this file in git
echo .sekrets.key >> .gitignore
# you now no longer need to provide the --key argument to commands
sekrets read config/settings.yml.enc
sekrets edit config/settings.yml.enc
# make sure this file gets deployed on your server
echo " require 'sekrets/capistrano' " >> Capfile
# commit and deploy
git add config/settings.yml.enc
git commit -am'encrypted settings yo'
git pull && git push && cap staging deploy
# access these settings in your application code
settings = Sekrets.settings_for('./config/settings.yml.enc')
DESCRIPTION
sekrets provides command line tools and a library to manage and access
encrypted files in your code base.
it allows one to check encrypted information into a repository and to manage
it alongside the rest of the code base. it eliminates the need to check in
unencrypted information, keys, or other sensitive information.
sekrets provides both a general mechanism for managing arbitrary encrypted
files and a specific mechanism for managing encrypted config files.
KEY LOOKUP
for *all* operations, from the command line or otherwise, sekrets uses the
following algorithm to search for a decryption key:
- any key passed directly as a parameter to a library call will be preferred
- otherwise the code looks for a companion key file. for example, given the
file 'config/sekrets.yml.enc' sekrets will look for a key at
config/.sekrets.yml.enc.key
if such a file is found and is non-empty, its contents will be used as the
decryption key for that file. you should *never* commit these key files;
add them to your .gitignore - or similar.
- next a project key file is looked for. the path of this file is
./.sekrets.key
normally and, in a rails application,
RAILS_ROOT/.sekrets.key
- if that is not found sekrets looks for the key in the environment under
the env var
SEKRETS_KEY
the env var used is configurable in the library
- next the global key file is searched for. the path of this file is
~/.sekrets.key
- finally, if no key has yet been specified or found, the user is prompted
to input the key. the prompt only occurs if the user is attached to a tty,
so, for example, no prompt will hang an application started in the
background, such as a rails application being managed by passenger.
see Sekrets.key_for for more details
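the lookup order above, written out as a small standalone ruby function so each step can be exercised on its own. this is an added example, not the gem's own code: the module and method names (KeyLookup, find_key, read_nonempty) and the prompt callback are hypothetical, and every path is resolved relative to the caller-supplied project root and home directory so it runs offline.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not part of the sekrets gem. Implements the documented
# key-lookup order and reports which step produced the key.
module KeyLookup
  # A key file counts only when it exists and is non-empty (whitespace ignored).
  def self.read_nonempty(path)
    return nil unless File.file?(path)
    content = File.read(path).strip
    content.empty? ? nil : content
  end

  # Returns [key, source] or nil when nothing is found and no tty is attached.
  # Order: 1. explicit argument  2. companion file config/.NAME.key
  #        3. project ./.sekrets.key  4. env var  5. ~/.sekrets.key  6. prompt
  def self.find_key(enc_path, key: nil, project_root: Dir.pwd,
                    env: ENV, env_var: 'SEKRETS_KEY', home: Dir.home,
                    tty: $stdin.tty?, prompt: nil)
    return [key.to_s, :argument] if key && !key.to_s.empty?

    companion = File.join(File.dirname(enc_path), ".#{File.basename(enc_path)}.key")
    if (k = read_nonempty(companion))
      return [k, :companion_file]
    end

    if (k = read_nonempty(File.join(project_root, '.sekrets.key')))
      return [k, :project_file]
    end

    if (k = env[env_var]) && !k.strip.empty?
      return [k.strip, :environment]
    end

    if (k = read_nonempty(File.join(home, '.sekrets.key')))
      return [k, :global_file]
    end

    # Never block a non-interactive process (e.g. an app started by passenger).
    return nil unless tty
    k = prompt ? prompt.call : ($stderr.print('sekrets key: '); $stdin.gets.to_s.chomp)
    k.empty? ? nil : [k, :prompt]
  end
end
```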
KEY DISTRIBUTION
sekrets does *not* attempt to solve the key distribution problem for you,
with one exception:
if you are using capistrano to do a 'vanilla' ssh based deploy a simple
recipe is provided which will detect a local keyfile and scp it onto the
remote server(s) on deploy.
sekrets assumes that the local keyfile, if it exists, is correct.
in plain english the capistrano recipe does:
scp ./sekrets.key deploy@remote.host.com:/rails_root/current/sekrets.key
it goes without saying that the local keyfile should *never* be checked in
and also should be in .gitignore
distribution of this key among developers is outside the scope of the
library. likely unencrypted email is the best mechanism for distribution
;-/