envcrypt 0.0.0 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7670f789a389fdc05ec8478eeb4072aea8de5b01
-  data.tar.gz: cbd4f2c8a1c0a10f7b3be10bc7f9a9f9efa1faee
+  metadata.gz: 04c0530b0a65f7f72d719fd7c6caf06935b13fef
+  data.tar.gz: e9f9b03c19787d5079c1309c72fc45afd9d16509
 SHA512:
-  metadata.gz: 9a09fd0621123f10b47f68103b0ab5a2b7fba8700a8f3ebda98f549d893dc092946da69f8a9f6b579ad9c0d52f93764be333b6229ad96ac4f73a8f8acc88f548
-  data.tar.gz: 5f86edbfb5f91ed7fea2eadb629761e048e705c198357d23676190c85023efa2fb7120a78ef972543034b42007365885dd2e24fd2e941d58d5fe4863f4da04e9
+  metadata.gz: ff8940058084df79cd6b99aaf77db8d4031269b7bce2d7d2694744f4990a8c3a29008f11f74e91cceff693df2825fa6cad45e23a50a2168201b48fdee5e4fd1a
+  data.tar.gz: 3105d2ad9e7483e506a3091a65e89a820f70cdcc1624cfc2b949b909a6369bd1e28903d44fa0dbb2edc5bcbbd1077af9537ad91814f12a028de02c863976c007

data/.bundle/config

@@ -0,0 +1,2 @@
+---
+BUNDLE_DISABLE_SHARED_GEMS: '1'

data/.gitignore

@@ -0,0 +1,4 @@
+*~
+/vendor
+/.yardoc
+/doc

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.ruby-version

@@ -0,0 +1 @@
+2.0.0-p353

data/Gemfile

@@ -1,2 +1,9 @@
+# -*- mode: ruby -*-
 source 'https://rubygems.org'
 ruby '2.0.0'
+
+group :development do
+  gem 'rspec', '~> 2.14'
+  gem 'yard'
+  gem 'yard-tomdoc'
+end

data/Gemfile.lock

@@ -0,0 +1,25 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.8)
+    rspec-expectations (2.14.5)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.6)
+    tomparse (0.4.2)
+    yard (0.8.7.4)
+    yard-tomdoc (0.7.1)
+      tomparse (>= 0.4.0)
+      yard
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rspec (~> 2.14)
+  yard
+  yard-tomdoc

data/README.md

@@ -1,50 +1,53 @@
 Envcrypt
 =========
 
-Encryptor provides an easy way to securely encrypt and decrypt secrets
+Envcrypt provides an easy way to securely encrypt and decrypt secrets
 (passwords) that need to be stored for use in automated processes.
 
 **Status:** Just have a README!  Working on the rest.
 
 ## Use
 
-Encrypt a secret
-````ruby
-$ envcrypt -p mypassword
+Encrypt a secret via
 
-encrypted: xxx
-key: xxx
+````ruby
+$ envcrypt -s Orange
+Encrypted Secret: zTbH59gpFIIuXGYRuK9pHQ==
+ENVCRYPT_KEY='eWa7QqyF6eE/bEthGO4BgA==$9OZzJ6xIgEcovfEOHIhVb9Gaw5/FeSgDmTErws1+API=$ccRiLqJjyL6MypWHOGfpcQ=='
+WARNING: It is critical that the key and encryption password be stored separately!
 ````
 
 Set the key as an environment variable (bash example)
+
 ````bash
-export ENVCRYPT_KEY=xxx
+$ export ENVCRYPT_KEY='eWa7QqyF6eE/bEthGO4BgA==$9OZzJ6xIgEcovfEOHIhVb9Gaw5/FeSgDmTErws1+API=$ccRiLqJjyL6MypWHOGfpcQ=='
 ````
 
-Decrypt the password in Ruby code
+Go ahead and test decryption from the command line
 ````ruby
-require 'envcrypt'
-
-encrypted_pwd = "xxx"
-decrypted_pwd = Envcrypt::decrypt(encrypted_pwd, key: ENV['ENVCRYPT_KEY'])
+$ envcrypt -d 'zTbH59gpFIIuXGYRuK9pHQ=='
+Decrypted: Orange
 ````
 
-The second argument to decrypt is **optional**.  The default `key` is
-`ENV['ENVCRYPT_KEY']`, but you have to option to set it explicitly if you want to
-get it from somewhere else.
 
-##### Optional
+Decrypt the password in Ruby code
 
-**Need to be able to set a mode so we can use this with Heroku's version of OpenSSL.
-Not sure exactly how this will work**
+````ruby
+require 'envcrypt'
+
+encrypted_pwd = "zTbH59gpFIIuXGYRuK9pHQ=="
+crypt = Envcrypter.new(key: ENV['ENVCRYPT_KEY']) #key is optional (default: ENV['ENVCRYPT_KEY'])
+decrypted_pwd = crypt.decrypt(encrypted_pwd)
+````
 
 ##### Using existing keys to encrypt secrets
 
-Secrets can also be encrypted using existing keys if you want to use
-one key to encrypt multiple secrets.
+By default a new encryption key is created for each use command line
+`envcrypt` tool.  Secrets can also be encrypted using existing keys if
+you want to use one key to encrypt multiple secrets.
 
 ````ruby
-$ envcrypt -p mypassword -k xxx
+$ envcrypt -p Orange -k $ENVCRYPT_KEY
 ````
 
 
@@ -56,10 +59,9 @@ automate an interface with the web API.  If an attacker somehow gains
 access to the database or file, I'm screwed if I store the password as
 plaintext or use some simple obfuscation.  Envcrypt allows me to store
 an encrypted version of the password and decrypt it only when needed.
-The trick is to access the decryption key from an environment
-variable.  These can be set from the command line before launching the
-automated process, in a locked down .bashrc file, or as Heroku config
-variables.
+The trick is to store the decryption key in an environment variable.
+These can be set from the command line before launching the automated
+process, in a locked down .bashrc file, or as Heroku config variables.
 
 Of course, if an attacker was able to get a hold of *both* the password
 and the decryption keys, you're screwed, but security is all about making

data/bin/envcrypt

@@ -0,0 +1,60 @@
+#!/usr/bin/env ruby
+
+require "envcrypt"
+require "optparse"
+
+module EnvcryptCL
+  extend self
+
+  def run
+    set_options
+
+    if @options[:pwd]
+      ENV['ENVCRYPT_KEY'] = @options[:key]
+      crypt = Envcrypt::Envcrypter.new
+      encrypted = crypt.encrypt(@options[:pwd])
+
+      puts "Encrypted Secret: #{encrypted}"
+      puts "ENVCRYPT_KEY=\'#{crypt.key}\'"
+      puts "WARNING: It is critical that the key and encryption password be stored separately!"
+    end
+
+    if @options[:encrypted_pwd]
+      crypt = Envcrypt::Envcrypter.new
+      decrypted = crypt.decrypt(@options[:encrypted_pwd])
+
+      puts "Decrypted: #{decrypted}"
+    end
+  end
+
+
+  def set_options
+    @options = {}
+
+    OptionParser.new do |opts|
+      opts.banner = "Usage: envcrypt -s <SECRET>"
+
+      opts.on("-h","--help", "Show this message") do
+        puts opts
+        exit
+      end
+
+      @options[:pwd] = nil
+      opts.on("-s","--secret <SECRET>","Generates an encrypted version of SECRET") do |opt|
+        @options[:pwd] = opt
+      end
+
+      @options[:encrypted_pwd] = nil
+      opts.on("-d","--decrypt <ENCRYPTED SECRET>","Decrypts the encrypted secret using the ENVCRYPT_KEY environment variable") do |opt|
+        @options[:encrypted_pwd] = opt
+      end
+
+      @options[:key] = nil
+      opts.on("-k","--key <KEY>","Uses the specified key to encrypt; e.g., -k $ENVCRYPT_KEY") do |opt|
+        @options[:key] = opt
+      end
+    end.parse!
+  end
+end
+
+EnvcryptCL.run

data/envcrypt.gemspec

@@ -1,11 +1,11 @@
 # -*- encoding: utf-8 -*-
 $:.push File.expand_path("../lib", __FILE__)
 
-#require 'envcrypt/version'
+require 'envcrypt/version'
 
 Gem::Specification.new do |s|
   s.name        = "envcrypt"
-  s.version     = "0.0.0" #Birst_Command::VERSION
+  s.version     = Envcrypt::VERSION
   s.authors     = ["Sterling Paramore"]
   s.email       = ["gnilrets@gmail.com"]
   s.homepage    = "https://github.com/gnilrets"

data/lib/envcrypt/envcrypt.rb

@@ -0,0 +1,125 @@
+# Public: Envcrypt module contains all of the methods/classes to
+# perform encryption and decryption of passwords
+#
+# Examples
+#
+#   mypassword = "secret"
+#   crypt = Envcrypter.new
+#   encrypted_pwd = crypt.encrypt(mypassword)
+#   decrypted_pwd = crypt.decrypt(encrypted_pwd)
+module Envcrypt
+  class Envcrypter
+
+    # Public: Returns the key used to encrypt/decrypt secrets
+    attr_reader :key
+
+    # Public: Initialize an Envcrypter object
+    #
+    # key - A string representing the key to be used for encryption
+    #       and decryption (default: ENV['ENVCRYPT_KEY'])
+    def initialize(key: ENV['ENVCRYPT_KEY'])
+      @key = key == nil ? generate_key : key
+      @de_cipher = nil
+      @en_cipher = nil
+    end
+
+    # Public: Generates a random key
+    #
+    # Returns the key
+    def generate_key
+      @key = "#{SecureRandom.base64}$#{SecureRandom.base64(32)}$#{SecureRandom.base64}"
+    end
+
+
+    # Public: Encrypts a secret
+    #
+    # secret - the secret string to be encrypted
+    #
+    # Returns the encrypted string
+    def encrypt(secret)
+      cipher = create_cipher(:encrypt)
+
+      encrypted = cipher.update secret
+      encrypted << cipher.final
+      Base64.encode64(encrypted).chomp
+    end
+
+    # Public: Decrypts a secret
+    #
+    # secret - the encrypted string to be decrypted
+    #
+    # Returns the plain text decrypted string
+    def decrypt(encrypted)
+      cipher = create_cipher(:decrypt)
+      plaintxt = cipher.update Base64.decode64(encrypted)
+      plaintxt << cipher.final
+    end
+
+
+
+    private
+
+      # Internal: Parses a key string into three components used by the
+      # encryption ciphers.  The components are stored as private
+      # instance variables.  Keeping it all in a single string
+      # simplifies storing the key in environment variables.
+      #
+      # key - the key to be parsed
+      #
+      # Returns the key parsed into three components (iv,pwd,salt)
+      def parse_key(key)
+        parsed = key.split('$')
+        if parsed.length != 3
+          raise "Bad key format - generate a new one"
+        else
+          parsed
+        end
+      end
+
+
+      # Internal: Create an encryption cipher
+      #
+      # mode - Set the mode to either :encrypt or :decrypt
+      #
+      # Returns a cipher to be used for encryption or decryption
+      def create_cipher(mode)
+        create_cipher_simple(mode)
+      end
+
+      # Internal: Create a simple encryption cipher
+      #
+      # mode - Set the mode to either :encrypt or :decrypt
+      #
+      # Returns a cipher to be used for encryption or decryption
+      def create_cipher_simple(mode)
+        iv,pwd,salt = parse_key(@key)
+
+        cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+        cipher.send(mode)
+
+        cipher.iv = iv
+        cipher.key = pwd
+        cipher
+      end
+
+
+      # Future: Create a cipher using the more secure pbkdf2_mac method
+      #
+      # This one is more secure but doesn't work on Heroku
+      # Would like to optionally detect OpenSSL version 
+      # and use this if possible 
+      def create_cipher_pbkdf2(mode)
+        iv,pwd,salt = parse_key(@key)
+
+        cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+        cipher.send(mode)
+        cipher.iv = iv
+
+        digest = OpenSSL::Digest::SHA256.new
+        key_len = cipher.key_len
+        iter = 20000
+        cipher.key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
+        cipher
+      end
+  end
+end

data/lib/envcrypt/version.rb

@@ -0,0 +1,3 @@
+module Envcrypt
+  VERSION = "0.1.0"
+end

data/lib/envcrypt.rb

@@ -0,0 +1,5 @@
+require 'openssl'
+require 'securerandom'
+require 'base64'
+
+require 'envcrypt/envcrypt'

data/spec/envcrypt_spec.rb

@@ -0,0 +1,92 @@
+$LOAD_PATH << '../lib'
+
+require 'rubygems'
+require 'bundler/setup'
+
+require 'envcrypt'
+
+include Envcrypt
+
+
+describe "Envcrypt" do
+  describe "generating a key" do
+    let(:encrypter) { Envcrypter.new() }
+
+    it "should have a length of 94" do
+      expect(encrypter.key.length).to eq 94
+    end
+
+    it "should parse into 3 components delimited by $" do
+      expect(encrypter.key.split("$").length).to eq 3
+    end
+  end
+
+  describe "encrypting and decrypting a password" do
+    let(:password) { "mysecret" }
+
+    describe "with a generated key" do
+      it "should encrypt and decrypt properly" do
+        crypt = Envcrypter.new()
+
+        encrypted = crypt.encrypt(password)
+        plaintxt = crypt.decrypt(encrypted)
+
+        expect(plaintxt).to eq password
+      end
+    end
+
+
+    describe "with a supplied environment variable" do
+      before do
+        ENV['ENVCRYPT_KEY'] = "UnY9w3T5Qk3Q5JshOp/2HA==$8swxKYQxgyXaCyvMb+wP2HwqalpiSc3K4MpCvOpD2QY=$RK2cUDUHNBmI7miJcd6W4g=="
+        @crypt = Envcrypter.new()
+      end
+
+      after { ENV['ENVCRYPT_KEY'] = nil }
+
+      it "should have set the correct key" do
+        expect(@crypt.key).to eq ENV['ENVCRYPT_KEY']
+      end
+
+      it "should still encrypt and decrypt properly" do
+        encrypted = @crypt.encrypt(password)
+        plaintxt = @crypt.decrypt(encrypted)
+
+        expect(plaintxt).to eq password
+      end
+    end
+
+
+    describe "with a different password" do
+      it "should encrypt to a different string" do
+        crypt = Envcrypter.new()
+
+        encrypted = crypt.encrypt(password)
+        encrypted_different = crypt.encrypt("#{password}plus")
+
+        expect(encrypted).not_to eq encrypted_different
+      end
+    end
+
+    describe "with the same password but different key" do
+      before do
+        @crypt = Envcrypter.new()
+        @crypt2 = Envcrypter.new()
+
+        @encrypted = @crypt.encrypt(password)
+        @encrypted2 = @crypt2.encrypt(password)
+      end
+
+      it "should encrypt to a different string" do
+        expect(@encrypted).not_to eq @encrypted2
+      end
+
+      it "and they should still decrypt to the same password" do
+        plaintxt = @crypt.decrypt(@encrypted)
+        plaintxt2 = @crypt2.decrypt(@encrypted2)
+
+        expect(plaintxt).to eq plaintxt2
+      end
+    end
+  end
+end

metadata

@@ -1,26 +1,37 @@
 --- !ruby/object:Gem::Specification
 name: envcrypt
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.1.0
 platform: ruby
 authors:
 - Sterling Paramore
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-05-30 00:00:00.000000000 Z
+date: 2014-06-01 00:00:00.000000000 Z
 dependencies: []
 description: Simple secure encryption/decryption of secret data (passwords)
 email:
 - gnilrets@gmail.com
-executables: []
+executables:
+- envcrypt
 extensions: []
 extra_rdoc_files: []
 files:
+- .bundle/config
+- .gitignore
+- .rspec
+- .ruby-version
 - Gemfile
+- Gemfile.lock
 - LICENSE
 - README.md
+- bin/envcrypt
 - envcrypt.gemspec
+- lib/envcrypt.rb
+- lib/envcrypt/envcrypt.rb
+- lib/envcrypt/version.rb
+- spec/envcrypt_spec.rb
 homepage: https://github.com/gnilrets
 licenses:
 - MIT
@@ -45,4 +56,5 @@ rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Simple secure encryption/decryption of secret data
-test_files: []
+test_files:
+- spec/envcrypt_spec.rb