dotgpg 0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f409c5254611c493af247f83c3edcdebe6ea3c64
+  data.tar.gz: 227a926742f05d41470c4cb8c7d1062df192b92f
+SHA512:
+  metadata.gz: a7f1b699d3358e4cc9b2cbcc3a48a4980162faa9e1e771aafeef33147bc98b6aaba66d47bc47e4b8e9f1b019aacecf4f2bcdb8e132c53e5f3d625e7ca4e4b97f
+  data.tar.gz: 6f8cf2b0445cee120efba7fbe90966ace4932e59dfe607bf0709f106a93f3ed8ff8f3ad0d9016205e6404b9b359b7a803a1dea86c0a748bee8294e238dc87548

data/.gitignore

@@ -0,0 +1 @@
+*.gem

data/Gemfile

@@ -0,0 +1,2 @@
+source "https://rubygems.org/"
+gemspec

data/Gemfile.lock

@@ -0,0 +1,33 @@
+PATH
+  remote: .
+  specs:
+    dotenv-gpg (0.2)
+      gpgme
+      thor
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    binding_of_caller (0.7.2)
+      debug_inspector (>= 0.0.1)
+    coderay (1.0.9)
+    debug_inspector (0.0.2)
+    gpgme (2.0.2)
+    method_source (0.8.2)
+    pry (0.9.12.2)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    pry-stack_explorer (0.4.9.1)
+      binding_of_caller (>= 0.7)
+      pry (>= 0.9.11)
+    slop (3.4.6)
+    thor (0.18.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  dotenv-gpg!
+  pry
+  pry-stack_explorer

data/README.md

@@ -0,0 +1,132 @@
+dotgpg is a tool for backing up and versioning your production secrets securely and easily.
+
+Production secrets are things like your cookie encryption keys, database passwords and AWS access keys. All of them have two things in common: your app needs them to runs and no-one else should be able to get to them.
+
+Most people do not look after their production secrets well. If you've got them in your source-code, or unencrypted in Dropbox or Google docs you are betraying your users trust. It's too easy for someone else to get at them.
+
+Dotgpg aims to be as easy to use as your current solution, but with added encryption. It manages a shared directory of GPG-encrypted files that you can check into git or put in Dropbox. When you deploy the secrets to your servers they are decrypted so that your app can boot without intervention.
+
+Getting started
+---------------
+
+If you're a ruby developer, you know the drill. Either `gem install dotgpg` or add `gem "dotgpg"` to your Gemfile.
+
+There are also instructions for [use without ruby](#use-without-ruby).
+
+#### Mac OS X
+
+1. `brew install gpg`
+2. `sudo gem install dotgpg`
+
+#### Ubuntu
+
+1. `sudo apt-get install ruby1.9`
+2. `sudo gem install dotgpg`
+
+## Usage
+
+#### dotgpg init
+
+To get started run `dotgpg init`. Unless you've used GPG before, it will prompt you for a new passphrase. You should make this passphrase as [secure as your SSH passphrase](#security), i.e. 12-20 characters and not just letters.
+
+```
+$ dotgpg init
+Creating a new GPG key: Conrad Irwin <conrad.irwin@gmail.com>
+Passphrase:
+Passphrase confirmation:
+```
+
+#### dotgpg edit
+
+To create or edit files, just use `dotgpg edit`. I recommend you use the `.gpg` suffix so that other tools know what these files contain.
+
+```
+$ dotgpg edit production.env.gpg
+[ opens your $EDITOR ]
+```
+
+#### dotgpg cat
+
+To read encrypted files, `dotgpg cat` them.
+
+```
+$ dotgpg cat prodution.env.gpg
+GPG passphrase for conrad.irwin@gmail.com:
+```
+
+#### dotgpg add
+
+To add other people to your team, you need to `dotgpg add` them. To run this command you need their public key (see `dotgpg key`).
+
+```
+$ dotgpg add
+Paste a public key, then hit <ctrl-d> twice.
+<paste>
+<ctrl-d><ctrl-d>
+```
+
+Once you've added them run `git commit` or let Dropbox work its syncing magic and they'll be able to access the files just like you.
+
+#### dotgpg key
+
+To be added to a dotgpg directory, you just need to send your GPG public key to someone who already has access. Getting the key is as easy as running `dotgpg key`. Then email/IM someone who already has access (you can see the list with `ls .gpg`).
+
+```
+$ dotgpg key
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.15 (Darwin)
+
+mQENBFK2JfMBCAC8wX7dsWiNX2Ov9akPlz+54Y7n8a3gtdP63CiabW9Ao4614ZDu
+vZWI8GIr1QaqMQOcUnhVe9BU3u3y4TX5ei1rHp4ykKoum606R7oFKS5Q4viob/6W
+rfVND/o/Sh8twY9ZIpOxRq1zqfGmJk/wSTMuM047hhPUDZVf1BNU+lkURTh2qqnL
+...snip...
+ZQPcmlBEEI4zq+4GzLTTHHM3/rcHHZmi5p9JAK8OxM/Xyc2otF+N/+iGtIIHjD4a
+0FJjy4jQzl7FsvLbDf0VDbcw6RZkJ5dGXIyaEcNiOkF3UGwDcfg6oLsA7d5lo+3a
+leJCaaNJQBbIOj4QOjFWiZ8ATqLH9nkgawSwOV3xp0MWayCJ3MVnibt4CaI=
+=Vzb6
+-----END PGP PUBLIC KEY BLOCK-----
+```
+
+## Use without ruby
+
+The only person who really needs to use the `dotgpg` executable is the one responsible for adding and removing users from the directory. If you want to use `dotgpg` without requiring everyone to install ruby you can give them these instructions:
+
+To export your GPG key, use: `gpg --armor --export EMAIL_ADDRESS`. (If you get an error 'nothing exported', you can generate a new key using the default settings of `gpg --gen-key`.)
+
+To read the encrypted files use `gpg --decrypt FILE`.
+
+To edit the encrypted files, you'll want to use [vim-gnupg](https://github.com/jamessan/vim-gnupgnumber) and add `autocmd User GnuPG let b:GPGOptions += ["sign"]` to your `~/.vimrc`. Every time a new user is added to the directory, you'll need to sync GPG's public key store with `gpg --import .gpg/*` or you won't be able to save changes.
+
+## Security
+
+I'm not a security professional, so please [email me](conrad.irwin@gmail.com) if you have feedback on anything in this section.
+
+The files stored in `dotgpg` are unreadable to an attacker provided:
+
+1. A file encrypted by GnuPG cannot be decrypted except by someone with access to a recipient's private key.
+2. No-one has access to your GPG private key.
+
+The former assumption is reasonably strong. I'm willing to accept the tiny risk that there's a bug in GnuPG because it'll make headline news.
+
+The latter assumption is reasonably weak. GPG private keys are stored encrypted on your laptop, and the encryption key is based on a passphrase.
+
+This means that if someone gets access to your laptop (or a backup) they can easily get your GPG key unless you've chosen a [secure passphrase](https://howsecureismypassword.net/). I consider this acceptable risk because, by default, SSH passwords are easier to crack than GPG passphrases (GPG uses 65536 rounds of SHA-1 while SSH uses a [single round of MD5](http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html)) and if they can decrypt your SSH key they can read the secrets directly off your production servers.
+
+### Change passphrase
+
+If you didn't choose a secure passphrase, you can change it with:
+
+```
+gpg --edit-keys conrad.irwin@gmail.com passwd
+```
+
+If you can't remember your passphrase then you generate a new key with `dotgpg key -n` and ask someone on your team to overwrite your existing key with `dotgpg add -f`.
+
+### Revoking access
+
+Occasionally people leave, or stop needing access to dotgpg. To remove them use `dotgpg rm`.
+
+```
+dotgpg rm conrad.irwin@gmail.com
+```
+

data/Rakefile

@@ -0,0 +1,7 @@
+task :test do
+  Dir['./spec/**/*_spec.rb'].each do |f|
+    require f
+  end
+end
+
+task :default => :test

data/bin/dotgpg

@@ -0,0 +1,5 @@
+#!/usr/bin/env bundle exec ruby
+require "dotgpg"
+
+Dotgpg.interactive = true
+Dotgpg::Cli.start(ARGV)

data/dotgpg.gemspec

@@ -0,0 +1,22 @@
+Gem::Specification.new do |gem|
+  gem.name = 'dotgpg'
+  gem.version = '0.3'
+
+  gem.summary = 'gpg-encrypted backup for your dotenv files'
+  gem.description = "Easy management of gpg-encrypted backup files"
+
+  gem.authors = ['Conrad Irwin']
+  gem.email = %w(conrad@bugsnag.com)
+  gem.homepage = 'http://github.com/ConradIrwin/dotenv-gpg'
+
+  gem.license = 'MIT'
+
+  gem.add_dependency 'thor'
+  gem.add_dependency 'gpgme'
+
+  gem.add_development_dependency 'pry'
+  gem.add_development_dependency 'pry-stack_explorer'
+
+  gem.executables = 'dotgpg'
+  gem.files = `git ls-files`.split("\n")
+end

data/lib/dotgpg/cli.rb

@@ -0,0 +1,194 @@
+class Dotgpg
+  class Cli < Thor
+    include Thor::Actions
+
+    class_option "help", type: :boolean, desc: "Show help", aliases: ["-h"]
+
+    desc "init [DIRECTORY]", "create a new dotgpg directory"
+    option :"new-key", type: :boolean, desc: "Force creating a new key", aliases: ["-n"]
+    option :email, type: :string, desc: "Use a specific email address", aliases: ["-e"]
+    def init(directory=".")
+      return if helped?
+
+      dir = Dotgpg::Dir.new directory
+
+      if dir.dotgpg.exist?
+        fail "#{directory}/.gpg already exists"
+      end
+
+      key = Dotgpg::Key.secret_key(options[:email], options[:"new-key"])
+
+      info "Initializing new dotgpg directory"
+      info "  #{directory}/README.md"
+      info "  #{directory}/.gpg/#{key.email}"
+
+      FileUtils.mkdir_p(dir.dotgpg)
+      FileUtils.cp Pathname.new(__FILE__).dirname.join("template/README.md"), dir.path.join("README.md")
+      dir.add_key(key)
+    end
+
+    desc "key", "export your GPG public key in a format that `dotgpg add` will understand"
+    option :"new-key", type: :boolean, desc: "Force creating a new key", aliases: ["-n"]
+    option :email, type: :string, desc: "Use a specific email address", aliases: ["-e"]
+    def key
+      return if helped?
+
+      key = Dotgpg::Key.secret_key(options[:email], options[:"new-key"])
+      $stdout.print key.export(armor: true).to_s
+    end
+
+    desc "add [PUBLIC_KEY]", "add a user's public key", aliases: ["-f"]
+    option :force, type: :boolean, desc: "Overwrite an existing key with the same email address", aliases: ["-f"]
+    def add(file=nil)
+      return if helped?
+
+      dir = Dotgpg::Dir.closest
+      fail "not in a dotgpg directory" unless dir
+
+      key = read_key_file_for_add(file)
+      fail "#{file || "<stdin>"}: not a valid GPG key" unless key
+
+      if dir.has_key?(key) && !options[:force]
+        fail "#{dir.key_path(key)}: already exists"
+      end
+
+      info "Adding #{key.name} to #{dir.path}"
+      info "  #{dir.key_path(key).relative_path_from(dir.path)}"
+
+      dir.add_key(key)
+    rescue GPGME::Error::BadPassphrase => e
+      fail e.message
+    end
+
+    desc "rm KEY", "remove a user's public key"
+    option :force, type: :boolean, desc: "Succeed silently if the key doesn't exist or is your own secret key", aliases: ["-f"]
+    def rm(file=nil)
+      return if helped?(file.nil?)
+
+      dir = Dotgpg::Dir.closest
+      fail "not in a dotgpg directory" unless dir
+
+      key = read_key_file_for_rm(file)
+      fail "#{file}: not a valid GPG key" if !key && !options[:force]
+
+      if key
+        if GPGME::Key.find(:secret).include?(key) && !options[:force]
+          fail "#{file}: refusing to remove your own secret key"
+        end
+
+        info "Removing #{key.name} from #{dir.path}"
+        info "D #{dir.key_path(key).relative_path_from(dir.path)}"
+        dir.remove_key(key)
+      end
+    rescue GPGME::Error::BadPassphrase => e
+      fail e.message
+    end
+
+    desc "cat FILES...", "decrypt and print files"
+    def cat(*files)
+      return if helped?
+
+      dir = Dotgpg::Dir.closest(*files)
+      fail "not in a dotgpg directory" unless dir
+
+      files.each do |f|
+        dir.decrypt f, $stdout
+      end
+    rescue GPGME::Error::BadPassphrase => e
+      fail e.message
+    end
+
+    desc "edit FILES...", "edit and re-encrypt files"
+    def edit(*files)
+      return if helped?
+
+      dir = Dotgpg::Dir.closest(*files)
+      fail "not in a dotgpg directory" unless dir
+
+      dir.reencrypt files do |tempfiles|
+        if tempfiles.any?
+          to_edit = tempfiles.values.map do |temp|
+            Shellwords.escape(temp.path)
+          end
+
+          system "#{Dotgpg.editor} #{to_edit.join(" ")}"
+          fail "Problem with editor. Not saving changes" unless $?.success?
+        end
+      end
+
+    rescue GPGME::Error::BadPassphrase => e
+      fail e.message
+    end
+
+    private
+
+    # If the global --help or -h flag is passed, show help.
+    #
+    # Should be invoked at the start of every command.
+    #
+    # @param [Boolean] force  force showing help
+    # @return [Boolean]  help was shown
+    def helped?(force=false)
+      if options[:help] || force
+        invoke :help, @_invocations[self.class]
+        true
+      end
+    end
+
+    # Print an informational message in interactive mode.
+    #
+    # @param [String] msg  The message to show
+    def info(msg)
+      if Dotgpg.interactive?
+        $stdout.puts msg
+      end
+    end
+
+    # Fail with a message.
+    #
+    # In interactive mode, exits the program with status 1.
+    # Otherwise raises a Dotgpg::Failure.
+    #
+    # @param [String] msg
+    def fail(msg)
+      if Dotgpg.interactive?
+        $stderr.puts msg
+        exit 1
+      else
+        raise Dotgpg::Failure, msg, caller[1]
+      end
+    end
+
+    # Read a key from a given file or stdin.
+    #
+    # @param [nil, String]  the file the user specified.
+    # @return [nil, GPGME::Key]
+    def read_key_file_for_add(file)
+      if file.nil?
+        if $stdin.tty?
+          info "Paste a public key, then hit <ctrl+d> twice."
+          key = Dotgpg::Key.read($stdin)
+        else
+          key = Dotgpg::Key.read($stdin)
+          $stdin.reopen "/dev/tty"
+        end
+      elsif File.readable?(file)
+        key = Dotgpg::Key.read(File.read(file))
+      end
+    end
+
+    # Read a key from a given file or from the .gpg directory
+    #
+    # @param [String]  the file the user specified
+    # @return [nil, GPGME::Key]
+    def read_key_file_for_rm(file)
+      if !File.exist?(file) && File.exist?(".gpg/" + file)
+        file = ".gpg/" + file
+      end
+
+      if File.readable?(file)
+        Dotgpg::Key.read(File.read(file))
+      end
+    end
+  end
+end

data/lib/dotgpg/dir.rb

@@ -0,0 +1,220 @@
+class Dotgpg
+  class Dir
+
+    attr_reader :path
+
+    # Find the Dotgpg::Dir that contains the given path.
+    #
+    # If multiple are given only returns the directory if it contains all
+    # paths.
+    #
+    # If no path is given, find the Dotgpg::Dir that contains the current
+    # working directory.
+    #
+    # @param [*Array<String>] paths
+    # @return {nil|[Dotgpg::Dir]}
+    def self.closest(path=".", *others)
+      path = Pathname.new(File.absolute_path(path)).cleanpath
+
+      result = path.ascend do |parent|
+                maybe = Dotgpg::Dir.new(parent)
+                break maybe if maybe.dotgpg?
+              end
+
+      if others.any? && closest(*others) != result
+        nil
+      else
+        result
+      end
+    end
+
+    # Open a Dotgpg::Dir
+    #
+    # @param [String] path  The location of the directory
+    def initialize(path)
+      @path = Pathname.new(File.absolute_path(path)).cleanpath
+    end
+
+    # Get the keys currently associated with this directory.
+    #
+    # @return [Array<GPGME::Key>]
+    def known_keys
+      dotgpg.each_child.map do |key_file|
+        Dotgpg::Key.read key_file.open
+      end
+    end
+
+    # Decrypt the contents of path and write to output.
+    #
+    # The path should be absolute, and may point to outside
+    # this directory, though that is not recommended.
+    #
+    # @param [Pathname] path  The file to decrypt
+    # @param [IO] output  The IO to write to
+    # @return [Boolean]  false if decryption failed for an understandable reason
+    def decrypt(path, output)
+      File.open(path) do |f|
+        signature = false
+        temp = GPGME::Crypto.new.decrypt f, passphrase_callback: Dotgpg.method(:passfunc) do |s|
+          signature = s
+        end
+
+        unless ENV["DOTGPG_ALLOW_INJECTION_ATTACK"]
+          raise InvalidSignature, "file was not signed" unless signature
+          raise InvalidSignature, "signature was incorrect" unless signature.valid?
+          raise InvalidSignature, "signed by a stranger" unless known_keys.include?(signature.key)
+        end
+
+        output.write temp.read
+      end
+      true
+    rescue GPGME::Error::NoData, GPGME::Error::DecryptFailed, SystemCallError => e
+      Dotgpg.warn path, e
+      false
+    end
+
+    # Encrypt the input and write it to the given path.
+    #
+    # The path should be absolute, and may point to outside
+    # this directory, though that is not recommended.
+    #
+    # @param [Pathname] path  The desired destination
+    # @param [IO] input  The IO containing the plaintext
+    # @return [Boolean]  false if encryption failed for an understandable reason
+    def encrypt(path, input)
+      File.open(path, "w") do |f|
+        GPGME::Crypto.new.encrypt input, output: f,
+            recipients: known_keys,
+            armor: true,
+            always_trust: true,
+            sign: true,
+            passphrase_callback: Dotgpg.method(:passfunc),
+            signers: known_keys.detect{ |key| GPGME::Key.find(:secret).include?(key) }
+      end
+      true
+    rescue SystemCallError => e
+      Dotgpg.warn path, e
+      false
+    end
+
+    # Re-encrypts a set of files with the currently known keys.
+    #
+    # If a block is provided, it can be used to edit the files in
+    # their temporary un-encrypted state.
+    #
+    # @param [Array<Pathname>] files  the files to re-encrypt
+    # @yieldparam [Hash<Pathname, Tempfile>]  the unencrypted files for each param
+    def reencrypt(files, &block)
+      tempfiles = {}
+
+      files.uniq.each do |f|
+        temp = Tempfile.new([File.basename(f), ".sh"])
+        tempfiles[f] = temp
+        if File.exist? f
+          decrypted =  decrypt f, temp
+          tempfiles.delete f unless decrypted
+        end
+        temp.flush
+        temp.close(false)
+      end
+
+      yield tempfiles if block_given?
+
+      tempfiles.each_pair do |f, temp|
+        temp.open
+        temp.seek(0)
+        encrypt f, temp
+      end
+
+      nil
+    ensure
+      tempfiles.values.each do |temp|
+        temp.close(true)
+      end
+    end
+
+    # List every GPG-encrypted file in a directory recursively.
+    #
+    # Assumes the files are armored (non-armored files are hard to detect and
+    # dotgpg itself always armors)
+    #
+    # This is used to decide which files to re-encrypt when adding a user.
+    #
+    # @param [Pathname] dir
+    # @return [Array<Pathname>]
+    def all_encrypted_files(dir=path)
+      results = []
+      dir.each_child do |child|
+        if child.directory?
+          if !child.symlink? && child != dotgpg
+            results += all_encrypted_files(child)
+          end
+        elsif child.readable?
+          if child.read(1024) =~ /-----BEGIN PGP MESSAGE-----/
+            results << child
+          end
+        end
+      end
+
+      results
+    end
+
+    # Does this directory includea key for the given user yet?
+    #
+    # @param [GPGME::Key]
+    # @return [Boolean]
+    def has_key?(key)
+      File.exist? key_path(key)
+    end
+
+    # Add a given key to the directory
+    #
+    # Re-encrypts all files to add the new key as a recipient.
+    #
+    # @param [GPGME::Key]
+    def add_key(key)
+      reencrypt all_encrypted_files do
+        File.write key_path(key), key.export(armor: true).to_s
+      end
+    end
+
+    # Remove a given key from a directory
+    #
+    # Re-encrypts all files so that the removed key no-longer has access.
+    #
+    # @param [GPGME::Key]
+    def remove_key(key)
+      reencrypt all_encrypted_files do
+        key_path(key).unlink
+      end
+    end
+
+    # The path at which a key should be stored
+    #
+    # (i.e. .gpg/me@cirw.in)
+    #
+    # @param [GPGME::Key]
+    # @return [Pathname]
+    def key_path(key)
+      dotgpg + key.email
+    end
+
+    # The .gpg directory
+    #
+    # @return [Pathname]
+    def dotgpg
+      path + ".gpg"
+    end
+
+    # Does the .gpg directory exist?
+    #
+    # @return [Boolean]
+    def dotgpg?
+      dotgpg.directory?
+    end
+
+    def ==(other)
+      Dotgpg::Dir === other && other.path == self.path
+    end
+  end
+end