kryptos 1.0.0 → 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 142fc66be80d6e4a602c0478ca358379c56e2b9b
+  data.tar.gz: de4806b2f1035b65a1090e6c82b4b41e7fa4dbbe
+SHA512:
+  metadata.gz: b9b6cb688dd09e6a06bd24c1e84a4d5d8559406067f8250a743ec49262c7ffde51c39e239e163fab6a072c32ab2ef61cfc7ffc3a223cc0ca3269802e6d34583e
+  data.tar.gz: b7504adfff38e829d45407709b0d67c5846c755aeb8de31ee3085a0f918a0f26b322995fb174d3a71fb11d6177d3d85e7d6596a026fa800b530e3a2d17121e7a

data/README.md

@@ -1,11 +1,15 @@
 # Kryptos
 
-Kryptos provides a way to avoid checking in unencrypted application secrets such as API keys.  The secrets will be encrypted using a key stored in the database.  The assumption is that if an attacker can get to your database, you're in big trouble anyway.  But at least we can avoid giving away our API keys to people with access to the repository.  We still have to check in database access configuration, so you should use a firewall or equivalent to protect that.
+Kryptos provides a way to avoid checking in unencrypted application secrets such as
+API keys.  The secrets will be encrypted using a file based key stored on your
+development machine.
 
-Your typical workflow should be unaffected, as Kryptos handles decryption and encryption automatically.  The encrypted file will be version controlled and deployed.  There is a one time cost to set up the db secret, but after that, Kryptos should be out of your way.
+Your typical workflow should be unaffected, as Kryptos handles decryption and
+encryption automatically.  The encrypted file will be version controlled and deployed.
 
-Kryptos depends on Rails and has one gem dependency - the 'gibberish' library, which has no other dependencies. Kryptos itself is less than 100 lines of code and does not do any weird
-monkeypatching.  So overhead should be quite light.
+Kryptos depends on Rails and has one gem dependency - the 'gibberish' library, which
+has no other dependencies. Kryptos itself is less than 100 lines of code and does
+not do any weird monkeypatching.  So overhead should be quite light.
 
 
 ## Installation
@@ -16,59 +20,33 @@ Add this line to your application's Gemfile:
 
 And then execute:
 
-    $ bundle
+    $ bundle install
 
 Or install it yourself as:
 
     $ gem install kryptos
 
+Next, remove config/secrets.yml from git and add the following entries to your .gitignore:
 
-Next, add config/kryptos.rb to your .gitignore.  That's the main point of all this.  The gem checks that this file is ignored, so do that step now before even creating the file itself.
-
-Add a migration for the KryptosSecrets table.  This table will contain one row with your randomly generated secret.  The migration should look like:
-
-    class AddKryptosSecrets < ActiveRecord::Migration
-      def change
-        create_table :kryptos_secrets do |t|
-          t.string :secret
-        end
-      end
-    end
+    config/secrets.yml
+    config/kryptos.key
 
 You can use OpenSSL or an equivalent tool to generate a random password.
 
-    $ openssl rand -base64 32
-    RANDOMSECRET
+    $ openssl rand -base64 48 > config/kryptos.key
 
-Then use the console to add your secret to the database.  Do not use 'RANDOMSECRET' literally; I hope that is obvious...
-
-    $ rails console
-    > KryptosSecret.create({ :secret => 'RANDOMSECRET'}, :without_protection => true)
+Now put your secrets into config/secrets.yml (which should not be tracked by git any more).
 
-Now create a file config/kryptos.rb that will contain the actual secrets.  This file can be any ruby code, for example:
+    development:
+      secret_key_base: 3b7cd727aa24e8444053437c36cc66c3
+      sample_api_key: DUMMY
 
-    module AppSecrets
-  
-      AWS = Struct.new(:public_key, :private_key).new.tap do |s|
-        s.public_key = "foo"
-        s.private_key = "bar"
-      end
-
-    end
 
 ## Usage
 
 Fire up the console again.  You should be able to access the config data:
 
     $ rails console
-    > AppSecrets::AWS.public_key
-    => "foo"
-
-
-## Contributing
+    > Rails.application.secrets.sample_api_key
+    => "DUMMY"
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request

data/kryptos.gemspec

@@ -8,8 +8,8 @@ Gem::Specification.new do |gem|
   gem.version       = Kryptos::VERSION
   gem.authors       = ["wlipa"]
   gem.email         = ["dojo@masterleep.com"]
-  gem.description   = %q{Supports keeping your application configuration secrets in source control, but encrypted using a key from the database.}
-  gem.summary       = %q{Encrypt app secrets in source control using a db based key}
+  gem.description   = %q{Supports keeping your secrets.yml in source control, but encrypted using a key from the file system.}
+  gem.summary       = %q{Encrypt app secrets in source control using a file based key that is not version controlled}
   gem.homepage      = ""
 
   gem.files         = `git ls-files`.split($/)

data/lib/kryptos/secret.rb

@@ -1,18 +1,38 @@
-class KryptosSecret < ActiveRecord::Base
-  
+class KryptosSecret
+
+  def initialize
+  end
+
   def gitignore_path
     "#{Rails.root}/.gitignore"
   end
-  
+
+  def relative_cleartext_path
+    "config/secrets.yml"
+  end
+
+  def relative_key_path
+    "config/kryptos.key"
+  end
+
   def cleartext_path
-    "#{Rails.root}/config/kryptos.rb"
+    "#{Rails.root}/#{relative_cleartext_path}"
   end
-  
+
   def encrypted_path
     "#{cleartext_path}.enc"
   end
-  
+
+  def key_path
+    "#{Rails.root}/#{relative_key_path}"
+  end
+
+  def secret
+    @secret ||= IO.read(key_path).strip
+  end
+
   def clandestine_operations
+    raise "#{relative_key_path} does not exist" unless File.exists? key_path
     check_gitignore
     if File.exists? cleartext_path
       # If the encrypted version is out of date, regenerate it
@@ -21,23 +41,22 @@ class KryptosSecret < ActiveRecord::Base
     else
       decrypt_secrets
     end
-    require cleartext_path
   end
-  
+
   def check_gitignore
     return unless Rails.env.development?
-    to_ignore = "config/kryptos.rb"
     ignores = IO.read(gitignore_path)
-    raise "gitignore must ignore #{to_ignore}" unless ignores =~ /^#{to_ignore}$/
+    raise "gitignore must ignore #{relative_cleartext_path}" unless ignores =~ /^#{relative_cleartext_path}$/
+    raise "gitignore must ignore #{relative_key_path}" unless ignores =~ /^#{relative_key_path}$/
   end
-  
+
   def encrypt_secrets
     return unless Rails.env.development?
     Rails.logger.info "kryptos encrypt_secrets"
     cipher = Gibberish::AES.new(secret)
     IO.write(encrypted_path, cipher.encrypt(IO.read(cleartext_path)))
   end
-  
+
   def decrypt_secrets
     Rails.logger.info "kryptos decrypt_secrets"
     cipher = Gibberish::AES.new(secret)

data/lib/kryptos/version.rb

@@ -1,3 +1,3 @@
 module Kryptos
-  VERSION = "1.0.0"
+  VERSION = "2.0.0"
 end

data/lib/kryptos.rb

@@ -7,12 +7,7 @@ module Kryptos
   # Hook Rails init process
   class Railtie < Rails::Railtie
     initializer 'kryptos', :before => 'load_environment_config' do |app|
-      ks = KryptosSecret.last rescue nil
-      if ks
-        ks.clandestine_operations
-      else
-        Rails.logger.info "no kryptos secret defined -- skipping"
-      end
+      KryptosSecret.new.clandestine_operations
     end
   end
   

metadata

@@ -1,41 +1,38 @@
 --- !ruby/object:Gem::Specification
 name: kryptos
 version: !ruby/object:Gem::Version
-  version: 1.0.0
-  prerelease: 
+  version: 2.0.0
 platform: ruby
 authors:
 - wlipa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-15 00:00:00.000000000 Z
+date: 2016-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gibberish
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Supports keeping your application configuration secrets in source control,
-  but encrypted using a key from the database.
+description: Supports keeping your secrets.yml in source control, but encrypted using
+  a key from the file system.
 email:
 - dojo@masterleep.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -46,26 +43,26 @@ files:
 - lib/kryptos/version.rb
 homepage: ''
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.25
+rubygems_version: 2.6.6
 signing_key: 
-specification_version: 3
-summary: Encrypt app secrets in source control using a db based key
+specification_version: 4
+summary: Encrypt app secrets in source control using a file based key that is not
+  version controlled
 test_files: []