Secret Keeper

Keep all your secret files within openssl

Install

from console

gem install secret-keeper

with bundler, write follwing line in your Gemfile

gem 'secret-keeper', require: false

Upgrade from v1 to v2

The remove_production parameter of decrypt_files has been removed after version 2.0.0. If you wants to remove production settings after decrypt files, you can set remove_production option to true in secret-keeper.yml:

options:
  remove_production: false

Usage

setup files need to be encrypted in config/secret-keeper.yml

# config/secret-keeper.yml example
development:
  ev_name: SECRET_KEEPER
  cipher: AES-256-CBC
  options:
    slience: false
    remove_production: false
    remove_source: false
  tasks:
    -
      encrypt_from: example/database.yml
      encrypt_to: example/database.yml.enc
      # decrypt_from: example/database.yml.enc
      # decrypt_to: example/database.yml
    -
      encrypt_from: example/secrets_from_other_source.yml
      encrypt_to: example/secrets.yml.enc
      # decrypt_from: example/secrets.yml.enc
      decrypt_to: example/secrets.yml

using environment variable SECRET_KEEPER to be your key of cipher

$> SECRET_KEEPER=[YOUR-CIPHER-KEY-HERE] irb

require on demand

irb> require 'secret-keeper'

encrypt files based on your tasks defined in config/secret-keeper.yml

irb> SecretKeeper.encrypt_files
# Encrypting...
#   * example/database.yml --> example/database.yml.enc, ok
#   * example/secrets.yml --> example/secrets.yml.enc, ok
# Done!

decrypt files based on your tasks defined in config/secret-keeper.yml

irb> SecretKeeper.decrypt_files
# Decrypting...
#   * example/database.yml.enc --> example/database.yml, ok
#   * example/secrets.yml.enc --> example/secrets.yml, ok
# Done!

Available Ciphers

irb> require 'openssl'
irb> OpenSSL::Cipher.ciphers

Options

  • slience When this option set to true, the tasks will run in slience mode. Messages will not show no screen. Default is false.

  • remove_production When this option set to true, the production settings in the decrypted files will be removed after the decryption task. Default is false.

  • remove_source When this option set to true, the source file will be removed after either encrypt or decrypt tasks. Default is false.