EncryptedEnv
Allows you to read from and write to the ENV in an encrypted way. This is useful if you are running an app on a server that you do not have complete control over (Heroku). You can place an encryption key in your code, or in the database. You can then place your various API tokens in the ENV encrypted.
If you also use attr_encrypted to encrypt database columns and store the ENV decryption key in an encrypted column, then a hacker would have to get your code, your database, and your running ENV to get your API keys. Not 100% foolproof, but a lot more secure.
Installation
Add this line to your application's Gemfile:
gem 'encrypted_env', :git => '[email protected]:WaterfallFMS/encrypted_env.git'
And then execute:
$ bundle install
Usage
Decrypting ENV variables (programmatically)
If the gem is in your Gemfile then you can just start using it. Otherwise require 'encrypted_env' should be in your boot script. Also in the boot script, set the default encryption key: EncryptedEnv.default_options = {:key => 'default key'}. If you have a different :algorithm you can set that too.
Anywhere you use ENV['KEY'] change it to ENV.decrypt('KEY').
If you decrypt variables using different keys and algorithms you can pass those in as options to decrypt: ENV.decrypt('KEY', :key => 'other encryption key')
Example:
# rails config/initializers/asset_sync.rb
require 'encrypted_env'
EncryptedEnv.default_options = {:key => 'super secret', :algorithm => 'aes-256-ecb'}
AssetSync.configure do |config|
  config.fog_provider = 'AWS'
  config.aws_access_key_id = ENV.decrypt('AWS_ACCESS_KEY')
  config.aws_secret_access_key = ENV.decrypt('AWS_SECRET_ACCESS_KEY')
  config.fog_directory = ENV.decrypt('AWS_DIRECTORY')
end
Decrypting ENV Variables (from shell)
encrypt_env actually has a decrypt option as well. It will only read values in the ENV.
$ encrypted_env decrypt key -k ENCRYPTION_KEY
key: value
Full flow might be something like this.
$ encrypted_env bash KEY=test OTHER=good -k FOOBAR > output.txt ; source output.txt
$ encrypted_env decrypt KEY OTHER -k foobar
# Encryption is case sensitive, hence no output
$ encrypted_env decrypt KEY OTHER -k FOOBAR
KEY: test
OTHER: good
Encrypting ENV Variables
Ruby provides no way to write environment variables without some serious hacks. However, ENV is often used to pass information into a Ruby program at start (RAILS_ENV, for example). Often this will include API keys, so that they do not have to be stored in source or on the hard drive.
encrypt_env provides output that can be used to print assignment commands, which in turn can be used to set up an env with the data already encrypted.
Bash
Bash is the default output.
Print something that bash will understand.
$ encrypted_env bash var=value var1="value1" etc...
Why not just set the ENV from it?
$ encrypt_env bash var=value > output.txt ; source output.txt
Heroku
Print something that Heroku will understand.
$ encrypted_env heroku var=value var1="value1" etc...
If you already have heroku installed, why not just execute it directly?
$ `encrypt_env heroku var=value`
If you have more than one Heroku app for the repo you can specify it with -r.
$ `encrypt_env heroku -r staging var=value`
Custom Algorithms
Run openssl list-cipher-commands (openssl list -cipher-commands on OpenSSL 1.1.0 and later) to view a list of algorithms supported on your platform. See http://github.com/shuber/encryptor for more information.
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
cast
cast-cbc
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
idea
idea-cbc
idea-cfb
idea-ecb
idea-ofb
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
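The :algorithm choice matters: the -ecb entries in this list encrypt equal plaintext blocks to equal ciphertext blocks, so two stored values that start with the same 16 bytes are visibly related, while a -cbc cipher with a fresh random IV hides that. The following is an added example, not code from the encrypted_env gem; it calls Ruby's OpenSSL library directly, and the passphrase, sample tokens and helper names are constructed for illustration.

```ruby
require 'openssl'

# Constructed sample values that share their first 16 bytes ("token-prefix-01:").
TOKEN_A = 'token-prefix-01:account-one'
TOKEN_B = 'token-prefix-01:account-two'

# Hypothetical helper: stretch a passphrase to the 32 bytes AES-256 needs.
def demo_key(passphrase)
  OpenSSL::Digest.digest('SHA256', passphrase)
end

# Encrypt with the named cipher. Modes that take an IV get a fresh random one,
# stored in front of the ciphertext so the value can be decrypted later.
def encrypt_value(algorithm, key, plaintext)
  cipher = OpenSSL::Cipher.new(algorithm)
  cipher.encrypt
  cipher.key = key
  iv = cipher.iv_len.zero? ? ''.b : cipher.random_iv
  iv + cipher.update(plaintext) + cipher.final
end

# Reverse of encrypt_value: split off the IV (if the mode has one), then decrypt.
def decrypt_value(algorithm, key, blob)
  cipher = OpenSSL::Cipher.new(algorithm)
  cipher.decrypt
  cipher.key = key
  iv_len = cipher.iv_len
  cipher.iv = blob[0, iv_len] unless iv_len.zero?
  cipher.update(blob[iv_len..-1]) + cipher.final
end

# True when the first ciphertext blocks of two values are identical, which
# tells anyone who can read the ENV that the plaintexts start the same way.
def first_block_matches?(algorithm, key, a, b)
  skip = OpenSSL::Cipher.new(algorithm).iv_len
  encrypt_value(algorithm, key, a)[skip, 16] ==
    encrypt_value(algorithm, key, b)[skip, 16]
end

if __FILE__ == $PROGRAM_NAME
  key = demo_key('super secret')
  %w[aes-256-ecb aes-256-cbc].each do |alg|
    puts "#{alg}: shared prefix visible = #{first_block_matches?(alg, key, TOKEN_A, TOKEN_B)}"
  end
end
```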
Contributing
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request