RubyGems - ecfg - Versions diffs - 0.2.0 → 0.3.0 - Mend

ecfg 0.2.0 → 0.3.0

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6bb9a708a95302516cba1dff3737cbcc5358508b
-  data.tar.gz: da7ca7da4e029ddda6e7c1b087c9df349df6983f
+  metadata.gz: 0549b12acc4a5455eab8b0ea68f6842f60db304d
+  data.tar.gz: e801695b9fd88dd4c2067ccac42b13da7aa15b33
 SHA512:
-  metadata.gz: d5ed502bf614baf9920f5b768fe1c9421348955227ca85b6fdd96a98629927b049fa68274f8f7f16ee44c7472595e0c562cdd2511ac55e10d6e33b5481767e3b
-  data.tar.gz: 455dd4d7f1077f913a40b19ee4f69b47a2735ac2873f6cdee46f6d8fe4ddd29ad768b7f3089799bde0705c63e878b9b838924750a0087a3fe4ab60a8820a2471
+  metadata.gz: 43c148d8d42d3e540de16f4cc50d860e90c692cad41b7e10dd1a73873a005315ffdc11f0cbe4c5e659c467d835bf41bdab10e0714875465afc995d32242dd00a
+  data.tar.gz: 6b94f754af12c0457ef1fc690c8c4b97b639a0b17fa774575844f078343c378f536b153ee7c5e5d089b1a55dcb52bde0d6e2c641dff0e6aa35d34c66831d9311

data/build/darwin-amd64/ecfg CHANGED

Binary file

data/build/linux-amd64/ecfg CHANGED

Binary file

data/lib/ecfg/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Ecfg
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/man/man1/ecfg-decrypt.1 CHANGED

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "ECFG\-DECRYPT" "1" "July 2016" "Shopify" "Version 0.2.0"
+.TH "ECFG\-DECRYPT" "1" "July 2016" "Shopify" "Version 0.3.0"
 .
 .SH "NAME"
 \fBecfg\-decrypt\fR \- decrypt an ecfg file

data/man/man1/ecfg-encrypt.1 CHANGED

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "ECFG\-ENCRYPT" "1" "July 2016" "Shopify" "Version 0.2.0"
+.TH "ECFG\-ENCRYPT" "1" "July 2016" "Shopify" "Version 0.3.0"
 .
 .SH "NAME"
 \fBecfg\-encrypt\fR \- encrypt an ecfg file

data/man/man1/ecfg-keygen.1 CHANGED

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "ECFG\-KEYGEN" "1" "July 2016" "Shopify" "Version 0.2.0"
+.TH "ECFG\-KEYGEN" "1" "July 2016" "Shopify" "Version 0.3.0"
 .
 .SH "NAME"
 \fBecfg\-keygen\fR \- generate a new keypair for use with ecfg
@@ -16,7 +16,7 @@ Generates a new keypair suitable for use with ecfg(1) and prints the resulting p
 .
 .TP
 \fB\-w\fR, \fB\-\-write\fR
-Rather than printing the keypair to the screen, write it directly to the keydir\. The public key will still be printed, but the private key will be inserted into the keydir
+Rather than printing the keypair to the screen, write it directly to the keydir\. The public key will still be printed, but the private key will be inserted into the first writable path listed in the key paths, decribed in more detail in ecfg(1)\.
 .
 .SH "SEE ALSO"
 ecfg(1), ecfg\-encrypt(1), ecfg\-decrypt(1), ecfg(5)

data/man/man1/ecfg.1 CHANGED

@@ -1,13 +1,13 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "ECFG" "1" "July 2016" "Shopify" "Version 0.2.0"
+.TH "ECFG" "1" "July 2016" "Shopify" "Version 0.3.0"
 .
 .SH "NAME"
 \fBecfg\fR \- manage application secrets via encrypted config
 .
 .SH "SYNOPSIS"
-\fBecfg\fR \fBcommand\fR [\fBargs\fR]
+\fBecfg\fR [\fB\-k\fR|\fB\-\-keydir\fR \fIdir\fR] \fBcommand\fR [\fBargs\fR]
 .
 .SH "DESCRIPTION"
 \fBecfg\fR is a utility for managing a collection of secrets, typically to be committed to source control\. The secrets are encrypted using public key, elliptic curve cryptography\. Secrets are collected in a JSON, YAML, or TOML file, in which all the string values are encrypted\. Public keys are embedded in the file, and the decrypter looks up the corresponding private key from its local filesystem or process environment\.
@@ -33,17 +33,144 @@ Decrypt an \fBecfg\fR file (alias: \fBecfg d\fR)
 \fBecfg keygen\fR : ecfg\-keygen(1)
 Generate an \fBecfg\fR keypair (alias: \fBecfg g\fR)
 .
+.SH "GLOBAL OPTIONS"
+.
+.TP
+\fB\-k\fR, \fB\-\-keydir\fR=\fI\fR
+Use the provided directory instead of the default key paths (decribed in the KEY MANAGEMENT section)
+.
 .SH "ENVIRONMENT"
 .
 .TP
 \fBECFG_KEYDIR\fR
-Override the default key lookup directory of /opt/ecfg/keys\.
+Use a custom directory instead of the default key lookup path decribed in the KEY MANAGEMENT section\.
 .
 .TP
 \fBECFG_PRIVATE_KEY\fR
 When decrypting, instead of looking up the matching private key for the public key given in the input file, assume the file was encrypted to the provided private key\. This option is useful when running in environments such as heroku where obtaining keys from disk is impractical\.
 .
+.SH "KEY MANAGEMENT"
+\fBecfg\fR keypairs are stored as individual files in a key directory\. The file name is the public key and the file content is the private key\. \fBecfg\fR has a default lookup path for key directories:
+.
+.IP "\(bu" 4
+\fB$XDG_CONFIG_HOME/ecfg/keys\fR (if \fB$XDG_CONFIG_HOME\fR is set and running as non\-root user)
+.
+.IP "\(bu" 4
+\fB$HOME/\.ecfg/keys\fR (if running as non\-root user)
+.
+.IP "\(bu" 4
+\fB/etc/ecfg/keys\fR
+.
+.IP "\(bu" 4
+\fB/opt/ejson/keys\fR (for backwards\-compatibility with \fBejson\fR)
+.
+.IP "" 0
+.
+.P
+When passing \fB\-k\fR or \fB\-\-keydir\fR to \fBecfg\fR, or when invoked with \fBECFG_KEYDIR\fR in the environment, this lookup path is completely ignored and the key is instead retrieved from or stored to the provided path\.
+.
+.P
+If \fBECFG_PRIVATE_KEY\fR is set for decryption, the key directories aren\'t even touched; instead, we just assume the provided private key is the correct one, failing if it\'s not\.
+.
 .SH "WORKFLOW"
+.
+.SS "1: Create the Keydir"
+By default, \fBecfg\fR looks for keys in \fB/opt/ecfg/keys\fR\. You can change this by setting \fBECFG_KEYDIR\fR or passing the \fB\-keydir\fR option\.
+.
+.IP "" 4
+.
+.nf
+$ mkdir \-p /opt/ecfg/keys
+.
+.fi
+.
+.IP "" 0
+.
+.SS "2: Generate a keypair"
+When called with \fB\-w\fR, \fBecfg keygen\fR will write the keypair into the \fBkeydir\fR and print the public key\. Without \fB\-w\fR, it will print both keys to stdout\. This is useful if you have to distribute the key to multiple servers via configuration management, etc\.
+.
+.IP "" 4
+.
+.nf
+$ ecfg keygen
+Public Key:
+63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f
+Private Key:
+75b80b4a693156eb435f4ed2fe397e583f461f09fd99ec2bd1bdef0a56cf6e64
+$ \./ecfg keygen \-w
+53393332c6c7c474af603c078f5696c8fe16677a09a711bba299a6c1c1676a59
+$ cat /opt/ecfg/keys/5339*
+888a4291bef9135729357b8c70e5a62b0bbe104a679d829cdbe56d46a4481aaf
+.
+.fi
+.
+.IP "" 0
+.
+.SS "3: Create an ecfg file"
+The format is described in more detail in ecfg(5)\. For now, create a file that looks something like this\. Fill in the \fB<key>\fR with whatever you got back in step 2\.
+.
+.P
+Create this file as \fBtest\.ecfg\.json\fR:
+.
+.IP "" 4
+.
+.nf
+{
+  "_public_key": "<key>",
+  "database_password": "1234password"
+}
+.
+.fi
+.
+.IP "" 0
+.
+.P
+You can also use YAML or TOML if you\'d prefer, as long as there\'s a \fB_public_key\fR element at the top\-level\.
+.
+.SS "4: Encrypt the file"
+Running \fBecfg encrypt test\.ecfg\.json\fR will encrypt any new plaintext keys in the file, and leave any existing encrypted keys untouched:
+.
+.IP "" 4
+.
+.nf
+{
+  "_public_key": "63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f",
+  "database_password": "EJ[1:WGj2t4znULHT1IRveMEdvvNXqZzNBNMsJ5iZVy6Dvxs=:kA6ekF8ViYR5ZLeSmMXWsdLfWr7wn9qS:fcHQtdt6nqcNOXa97/M278RX6w==]"
+}
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Try adding another plaintext secret to the file and run \fBecfg encrypt test\.ecfg\.json\fR again\. The \fBdatabase_password\fR field will not be changed, but the new secret will be encrypted\.
+.
+.SS "5: Decrypt the file"
+To decrypt the file, you must have a file present in the \fBkeydir\fR whose name is the 64\-byte hex\-encoded public key exactly as embedded in the ecfg(5) document\. The contents of that file must be the similarly\-encoded private key\. If you used \fBecfg keygen \-w\fR, you\'ve already got this covered\.
+.
+.P
+Unlike ecfg\-encrypt(1), which overwrites the specified files, ecfg\-decrypt(1) only takes one file parameter, and prints the output to \fBstdout\fR:
+.
+.IP "" 4
+.
+.nf
+$ ecfg decrypt foo\.ecfg\.json
+{
+  "_public_key": "63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f",
+  "database_password": "1234password"
+}
+.
+.fi
+.
+.IP "" 0
+.
+.P
 TODO
 .
 .SH "BUGS"

data/man/man5/ecfg.5 CHANGED

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "ECFG" "5" "July 2016" "Shopify" "Version 0.2.0"
+.TH "ECFG" "5" "July 2016" "Shopify" "Version 0.3.0"
 .
 .SH "NAME"
 \fBecfg\fR \- JSON, YAML, or TOML file with asymmetric\-key\-encrypted values

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ecfg
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Burke Libbey
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-07-14 00:00:00.000000000 Z
+date: 2016-07-19 00:00:00.000000000 Z
 dependencies: []
 description: Secret management by encrypting values in a JSON or YAML file with a
   public/private keypair