secret_keys 1.0.0.pre

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: db4d05a36d5a69f053949e6be11cdedde1203d87d57e41b4609ffbea7118e3b6
+  data.tar.gz: f753189aaed3cae64ef13029a47ee68616a7ca95d309f2607c5427450f7ba63c
+SHA512:
+  metadata.gz: 73b58cba572869c1e9a399620ee56b6acdc5b288a1f95337e611bd84ae7231417bbeeaaf3217bc28daec006cec304c79ed62ad6c86ee5acd25513689bfcd8f22
+  data.tar.gz: 9f0c00479cbbfad0d14695f6b446c7427e74865a47f9f05d26e16ad45179405bf82452fc54b283ff73433d93f268998b148eac050fb0583ea0ab58c98f2cf26e

data/.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

data/.github/workflows/style.yml

@@ -0,0 +1,11 @@
+name: Style checks
+on: [push, pull_request]
+jobs:
+  style:
+    name: Standard RB style check
+    runs-on: ubuntu-latest
+    steps:
+      - name: standardrb
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: amoeba/standardrb-action@v3

data/.github/workflows/test.yml

@@ -0,0 +1,42 @@
+# Test runner copied from R167/backblaze
+name: Run tests
+on: [push, pull_request]
+jobs:
+  rspec:
+    name: rspec ruby-${{ matrix.ruby }} (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ ubuntu-latest ]
+        ruby: [ 2.4, 2.5, 2.6, 2.7 ]
+        include: # define single matrix case that performs upload
+          - os: ubuntu-latest
+            ruby: 2.7
+            upload: "true"
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+      - name: set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      # Caching makes life better
+      - name: build lockfile
+        run: |
+          bundle config path vendor/bundle
+          bundle lock
+      - uses: actions/cache@v1
+        with:
+          path: vendor/bundle
+          key: bundle-use-ruby-${{ matrix.os }}-${{ matrix.ruby }}-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            bundle-use-ruby-${{ matrix.os }}-${{ matrix.ruby }}-
+            bundle-use-ruby-${{ matrix.os }}-
+      - name: install dependencies
+        run: |
+          bundle install --jobs 3 --retry 3
+          bundle clean
+      # Okay, back to what we really care about...
+      - name: spec
+        run:  bundle exec rake spec

data/.standard.yml

@@ -0,0 +1,7 @@
+# I really just have issues with the automatic "semantic blocks"
+
+format: progress
+
+ignore:
+  - '**/*':
+    - Standard/SemanticBlocks

data/.yardopts

@@ -0,0 +1,3 @@
+--markup markdown
+--protected
+--no-private

data/CHANGE_LOG.md

@@ -0,0 +1,3 @@
+# 1.0.0
+
+Initial release

data/MIT_LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Brian Durand
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,126 @@
+# SecretKeys
+
+This ruby gem handles encrypting values in a JSON or YAML file. It is yet another solution for storing secrets in a ruby project.
+
+The main advantage offered by this gem is that it stores the files in standard JSON format and it can easily store both encrypted and non-encrypted values side-by-side, so easily track all your configurations in one place. After providing your secret key, all values can be easily accessed regardless of whether they were encrypted or plaintext.
+
+Encrypted values are stored using aes-256-gcm, and the key is derived from your password secret and salt using PBKDF2. All security primitives are provided by openssl, based on recommendations put forth in the libsodium crypto suite.
+
+## Usage
+
+You can load the JSON/YAML from a file
+
+```ruby
+secrets = SecretKeys.new("/path/to/file.json", "mysecretkey")
+```
+
+or a stream
+
+```ruby
+secrets = SecretKeys.new(File.open("/path/to/file.json"), "mysecretkey")
+```
+
+If you don't supply the encryption key in the constructor, by default it will be read from the `SECRET_KEYS_ENCRYPTION_KEY` environment variable. If that value is not present, then it will attempted to be read from the file path in the `SECRET_KEYS_ENCRYPTION_KEY_FILE` environment variable. As a side note, the empty string (`""`) is not considered a valid secret, so encryption **will** fail if ther is no explicitly passed secret and no ENV variable.
+
+The `SecretKeys` object delegates to `Hash` and can be treated as a hash for most purposes.
+
+```ruby
+password = secrets["password"]
+```
+
+You can add values to the hash as well and move keys between being encrypted/unencrypted at rest. The values are always stored unencrypted in memory, but you can save them to a JSON file.
+
+```ruby
+# api_key is plaintext by default
+secrets["api_key"] = "1234567890"
+
+# mark api_key as a secret to encrypt
+secrets.encrypt!("api_key")
+
+# now, when we save, the value for api_key is encrypted
+secrets.save("/path/to/file.json")
+```
+
+Note that since the hash must be serialized to JSON, only JSON compatible keys and values (string, number, boolean, null, array, hash) can be used. The same holds for YAML.
+
+Only string values can be encrypted. The encryption is recusive, so all strings in an array or hash in the encrypted keys will be encrypted. See the example below.
+
+```json
+{
+  ".encrypted": {
+    "enc_key1": {
+      "num": 1,
+      "rec": ["<encrypted-val>", true],
+      "thing": "<encrypted-val>"
+    },
+    "enc_key2": "<encrypted-val>"
+  },
+  "unenc_key": "plaintext"
+}
+```
+
+## Command Line Tool
+
+You can use the `secret_keys` command line tool to manage your JSON files.
+
+You can initialize a new file with the encrypt command.
+
+```bash
+secret_keys encrypt --key mysecret /path/to/file.json
+```
+
+If you don't specify the `--key` argument, the encryption key will either be read from the STDIN stream or from the `SECRET_KEYS_ENCRYPTION_KEY` environment variable.
+
+You can then use your favorite text editor to edit the values in the JSON file. When you are done, you can run the same command again to encrypt the file.
+
+You can add or modify keys through the command line as well.
+
+```bash
+# add an encrypted key
+secret_keys encrypt --key mysecret --set password /path/to/file.json
+
+# add an encrypted key with a value
+secret_keys encrypt --key mysecret --set password=value /path/to/file.json
+
+# encrypt all keys in the file
+secret_keys encrypt --key mysecret --all /path/to/file.json
+```
+
+You can also decrypt or delete keys.
+
+```bash
+secret_keys encrypt --key mysecret --decrypt username --delete password /path/to/file.json
+```
+
+You can change the encryption key used in the file.
+
+```bash
+secret_keys encrypt --key mysecret --new-key newsecret /path/to/file.json
+```
+
+Finally, you can print the unencrypted file to STDOUT.
+
+```bash
+secret_keys decrypt --key mysecret /path/to/file.json
+```
+
+## File Format
+
+The data can be stored in a plain old JSON file. Any unencrypted keys will appear under in the special `".encrypted"` key in the hash. The encryption key itself is also stored in the `".key"` key along with the encrypted values. This is used to confirm that the correct key is being used when decrypting the file.
+
+In this example, `key_1` is stored in plain text while `key_2` has been encrypted.
+
+```json
+{
+  ".encrypted": {
+    ".salt": "aecdfdb296983ec0",
+    ".key": "$AES$:LNkaWu/g7gM7zu4qC/4FAGOANOLWcY86uqxQfFiHRVSvXSA23pY",
+    "foo": "$AES$:XcbGIW9ABbfcMv79+YK0MC8P7WWtEAfE2Y8S/MMN5Q",
+    "array": [
+      "$AES$:1WPr25fkbVbQWvTCiEHJOPT50970Z+D8qkYTnTk",
+      "$AES$:FgSCK3pG8RBtYFqzO/WmNwus2SABI5zGGmfkPEw"
+    ],
+  },
+  "not_encrypted": "plain text value"
+}
+```

data/VERSION

@@ -0,0 +1 @@
+1.0.0.pre

data/bin/secret_keys

@@ -0,0 +1,128 @@
+#!/usr/bin/env ruby
+
+# TODO this command tool will be rewritten with better, more consistent options.
+
+require 'optparse'
+require_relative "../lib/secret_keys"
+
+# Load enironment variables from .env file in current working directory if available.
+if File.exist?(File.expand_path(".env"))
+  begin
+    require 'dotenv/load'
+  rescue LoadError
+    # Ignore; dotenv gem not available.
+  end
+end
+
+encryption_key = nil
+new_encryption_key = nil
+add_keys = []
+decrypt_keys = []
+delete_keys = []
+add_all = false
+
+options = ARGV.dup
+action = options.shift
+
+parser = OptionParser.new do |opts|
+  opts.banner = "Usage: secret_keys encrypt|decrypt [options] file_path"
+
+  opts.on('--key ENCRYPTION_KEY', String, "Encryption key used to encrypt strings in the JSON file. This value can also be passed in the SECRET_KEYS_ENCRYPTION_KEY environment variable or via STDIN.") do |value|
+    encryption_key = value
+  end
+
+  opts.on('--set JSON_KEY', String, "Add a key to the encrypted elements. You can specify the value as well by using key=value.") do |value|
+    add_keys << value
+  end
+
+  opts.on('--all', "Add all keys to the encrypted elements.") do
+    add_all = true
+  end
+
+  opts.on('--decrypt JSON_KEY', String, "Move a key to the decrypted elements. You can specify the value as well by using key=value.") do |value|
+    decrypt_keys << value
+  end
+
+  opts.on('--delete JSON_KEY', String, "Remove a key.") do |value|
+    delete_keys << value
+  end
+
+  opts.on('--new-key ENCRYPTION_KEY', String, "Set a new encryption key for the file.") do |value|
+    new_encryption_key = value
+  end
+
+  opts.on("--help", "Prints this help") do
+    puts opts.help
+    exit
+  end
+end
+parser.parse!(options)
+
+unless ["encrypt", "decrypt"].include?(action)
+  STDERR.puts parser.banner
+  exit 1
+end
+
+file_path = options[0]
+unless file_path
+  STDERR.puts parser.banner
+  exit 1
+end
+
+unless encryption_key
+  encryption_key = STDIN.read.chomp if STDIN.ready?
+end
+
+secrets = nil
+if File.exist?(file_path)
+  secrets = SecretKeys.new(file_path, encryption_key)
+else
+  secrets = SecretKeys.new(nil, encryption_key)
+end
+
+if action == "encrypt"
+  secrets.encryption_key = new_encryption_key if new_encryption_key
+
+  if add_all
+    secrets.keys.each do |key|
+      secrets.encrypt!(key)
+    end
+  end
+
+  add_keys.each do |key|
+    if key.include?("=")
+      key, value = key.split("=", 2)
+      secrets[key] = value
+    end
+    secrets[key] = nil unless secrets.include?(key)
+    secrets.encrypt!(key)
+  end
+
+  decrypt_keys.each do |key|
+    if key.include?("=")
+      key, value = key.split("=", 2)
+      secrets[key] = value
+    end
+    secrets[key] = nil unless secrets.include?(key)
+    secrets.decrypt!(key)
+  end
+
+  delete_keys.each do |key|
+    secrets.delete(key)
+  end
+
+  secrets.save(file_path)
+elsif action == "decrypt"
+  if File.exist?(file_path)
+    if file_path.end_with?(".yaml") || file_path.end_with?(".yml")
+      STDOUT.write(YAML.dump(secrets.to_h))
+    else
+      STDOUT.puts(JSON.pretty_generate(secrets.to_h))
+    end
+  else
+    STDERR.puts("File not found: #{file_path}")
+    exit 1
+  end
+else
+  exit 1
+end

data/lib/secret_keys.rb

@@ -0,0 +1,427 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "json"
+require "yaml"
+require "securerandom"
+require "delegate"
+require "set"
+require "pathname"
+require "base64"
+
+# Load a JSON file with encrypted values. This value can be used as a hash.
+class SecretKeys < DelegateClass(Hash)
+  class EncryptionKeyError < ArgumentError; end
+
+  class << self
+    # Encrypt a string with the encryption key. Encrypted values are also salted so
+    # calling this function multiple times will result in different values. Only strings
+    # can be encrypted. Any other object type will be returned the value passed in.
+    #
+    # @param [String] str string to encrypt (assumes UTF-8)
+    # @param [String] secret_key 32 byte ASCII-8BIT encryption key
+    # @return [String] Base64 encoded encrypted string with all aes parameters
+    def encrypt(str, secret_key)
+      return str unless str.is_a?(String) && secret_key
+      return "" if str == ""
+
+      cipher = OpenSSL::Cipher.new(CIPHER).encrypt
+
+      # Technically, this is a "bad" way to do things since we could theoretically
+      # get a repeat nonce, compromising the algorithm. That said, it should be safe
+      # from repeats as long as we don't use this key for more than 2^32 encryptions
+      # so... rotate your keys/salt ever 4 billion encryption calls
+      nonce = cipher.random_iv
+      cipher.key = secret_key
+      cipher.auth_data = ""
+
+      # Make sure the string is encoded as UTF-8. JSON/YAML only support string types
+      # anyways, so if you passed in binary data, it was gonna fail anyways. This ensures
+      # that we can easily decode the string later. If you have UTF-16 or something, deal with it.
+      utf8_str = str.encode(Encoding::UTF_8)
+      encrypted_data = cipher.update(utf8_str) + cipher.final
+      auth_tag = cipher.auth_tag
+
+      params = CipherParams.new(nonce, auth_tag, encrypted_data)
+
+      encode_aes(params).prepend(ENCRYPTED_PREFIX)
+    end
+
+    # Decrypt a string with the encryption key. If the value is not a string or it was
+    # not encrypted with the encryption key, the value itself will be returned.
+    #
+    # @param [String] encrypted_str Base64 encoded encrypted string with aes params (from `.encrypt`)
+    # @param [String] secret_key 32 byte ASCII-8BIT encryption key
+    # @return [String] decrypted string value
+    def decrypt(encrypted_str, secret_key)
+      return encrypted_str unless encrypted_str.is_a?(String) && secret_key
+      return encrypted_str unless encrypted_str.start_with?(ENCRYPTED_PREFIX)
+
+      decrypt_str = encrypted_str[ENCRYPTED_PREFIX.length..-1]
+      params = decode_aes(decrypt_str)
+
+      cipher = OpenSSL::Cipher.new(CIPHER).decrypt
+
+      cipher.key = secret_key
+      cipher.iv = params.nonce
+      cipher.auth_tag = params.auth_tag
+      cipher.auth_data = ""
+
+      decoded_str = cipher.update(params.data) + cipher.final
+
+      # force to utf-8 encoding. We already ensured this when we encoded in the first place
+      decoded_str.force_encoding(Encoding::UTF_8)
+    end
+
+    private
+
+    # format: <nonce:12>, <auth_tag:16>, <data:*>
+    ENCODING_FORMAT = "a12 a16 a*"
+    ENCRYPTED_PREFIX = "$AES$:"
+    CIPHER = "aes-256-gcm"
+
+    # Basic struct to contain nonce, auth_tag, and data for passing around. Thought
+    # it was better than just passing an Array with positional params.
+    # @private
+    CipherParams = Struct.new(:nonce, :auth_tag, :data)
+
+    # Receive a cipher object (initialized with key) and data
+    def encode_aes(params)
+      encoded = params.values.pack(ENCODING_FORMAT)
+      # encode base64 and get rid of trailing newline and unnecessary =
+      Base64.encode64(encoded).chomp.tr("=", "")
+    end
+
+    # Passed in an aes encoded string and returns a cipher object
+    def decode_aes(str)
+      unpacked_data = Base64.decode64(str).unpack(ENCODING_FORMAT)
+      # Splat the data array apart
+      # nonce, auth_tag, encrypted_data = unpacked_data
+      CipherParams.new(*unpacked_data)
+    end
+  end
+
+  # Parse a JSON stream or file with encrypted values. Any values in the ".encrypted" key
+  # in the JSON document will be decrypted with the provided encryption key. If values
+  # were put into the ".encrypted" key manually and are not yet encrypted, they will be used
+  # as is without any decryption.
+  #
+  # @param [String, #read, Hash] path_or_stream path to a json/yaml file to load, an IO object, or a Hash (mostly for testing purposes)
+  # @param [String] encryption_key secret to use for encryption/decryption
+  #
+  # @note If no encryption key is passed, this will defautl to env var SECRET_KEYS_ENCRYPTION_KEY
+  # or (if that is empty) the value read from the file path in SECRET_KEYS_ENCRYPTION_KEY_FILE.
+  def initialize(path_or_stream, encryption_key = nil)
+    encryption_key = read_encryption_key(encryption_key)
+    update_secret(key: encryption_key)
+    path_or_stream = Pathname.new(path_or_stream) if path_or_stream.is_a?(String)
+    load_secrets!(path_or_stream)
+    # if no salt exists, create one.
+    update_secret(salt: SecureRandom.hex(8)) if @salt.nil?
+    super(@values)
+  end
+
+  # Convert the value into an actual Hash object.
+  #
+  # @return [Hash]
+  def to_h
+    @values
+  end
+  alias to_hash to_h
+
+  # Mark the key as being encrypted when the JSON is saved.
+  #
+  # @param [String] key key to mark as needing encryption
+  # @return [void]
+  def encrypt!(key)
+    @secret_keys << key
+    nil
+  end
+
+  # Mark the key as no longer being decrypted when the JSON is saved.
+  #
+  # @param [String] key key to mark as not needing encryption
+  # @return [void]
+  def decrypt!(key)
+    @secret_keys.delete(key)
+    nil
+  end
+
+  # Return true if the key is encrypted.
+  #
+  # @param [String] key key to check
+  # @return [Boolean]
+  def encrypted?(key)
+    @secret_keys.include?(key)
+  end
+
+  # Save the JSON to a file at the specified path. Encrypted values in the file
+  # will not be updated if the values have not changed (since each call uses a
+  # different initialization vector).
+  #
+  # @param [String] path Filepath to save to. Supports yaml and json format as the extension
+  # @param [Boolean] update: check to see if values have been changed before overwriting
+  # @return [void]
+  def save(path, update: true)
+    # create a copy of the encrypted hash for working on
+    encrypted = encrypted_hash
+
+    if File.exist?(path) && update
+      original_data = File.read(path)
+      original_hash = parse_data(original_data)
+      original_encrypted = original_hash[ENCRYPTED] if original_hash
+      # only check for unchanged keys if the original had encryption with the same key
+      if original_encrypted && encryption_key_matches?(original_encrypted[ENCRYPTION_KEY])
+        restore_unchanged_keys!(encrypted[ENCRYPTED], original_encrypted)
+      end
+    end
+
+    output = (yaml_file?(path) ? YAML.dump(encrypted) : "#{JSON.pretty_generate(encrypted)}#{$/}")
+    File.open(path, "w") do |file|
+      file.write(output)
+    end
+    nil
+  end
+
+  # Output the keys as a hash that matches the structure that can be loaded by the initalizer.
+  # Note that all encrypted values will be re-salted when they are encrypted.
+  #
+  # @return [Hash] An encrypted hash that can be saved/parsed by a new instance of {SecretKeys}
+  def encrypted_hash
+    raise EncryptionKeyError.new("Encryption key not specified") if @encryption_key.nil? || @encryption_key.empty?
+
+    hash = {}
+    encrypted = {}
+    @values.each do |key, value|
+      if @secret_keys.include?(key)
+        encrypted[key] = value
+      else
+        hash[key] = value
+      end
+    end
+    encrypted = {
+      SALT => @salt,
+      ENCRYPTION_KEY => key_dummy_value
+    }.merge(encrypt_values(encrypted))
+
+    hash[ENCRYPTED] = encrypted
+    hash
+  end
+
+  # Change the encryption key in the document. When saving later, this key will be used.
+  #
+  # @param [String] new_encryption_key encryption key to use for future {#save} calls
+  # @return [void]
+  def encryption_key=(new_encryption_key)
+    update_secret(key: new_encryption_key)
+  end
+
+  private
+
+  ENCRYPTED = ".encrypted"
+  ENCRYPTION_KEY = ".key"
+  SALT = ".salt"
+
+  # Used as a known dummy value for verifying we have the correct key
+  # DO NOT CHANGE!!!
+  KNOWN_DUMMY_VALUE = "SECRET_KEY"
+
+  KDF_ITERATIONS = 20_000
+  HASH_FUNC = "sha256"
+  KEY_LENGTH = 32
+
+  # Load the JSON data in a file path or stream into a hash, decrypting all the encrypted values.
+  #
+  # @return [void]
+  def load_secrets!(path_or_stream)
+    @secret_keys = Set.new
+    @values = {}
+
+    hash = nil
+    if path_or_stream.is_a?(Hash)
+      # HACK: Perform a marshal dump/load operation to get a deep copy of the hash.
+      #       Otherwise, we can end up using destructive `#delete` operations and mess
+      #       up deeply nested values for external code (esp. when loading key: .encrypted)
+      hash = Marshal.load(Marshal.dump(path_or_stream))
+    elsif path_or_stream
+      data = path_or_stream.read
+      hash = parse_data(data)
+    end
+    return if hash.nil? || hash.empty?
+
+    encrypted_values = hash.delete(ENCRYPTED)
+    if encrypted_values
+      file_key = encrypted_values.delete(ENCRYPTION_KEY)
+      update_secret(salt: encrypted_values.delete(SALT))
+
+      # Check that we are using the right key
+      if file_key && !encryption_key_matches?(file_key)
+        raise EncryptionKeyError.new("Incorrect encryption key")
+      end
+      @secret_keys = encrypted_values.keys
+      hash.merge!(decrypt_values(encrypted_values))
+    end
+
+    @values = hash
+  end
+
+  # Attempt to parse the file first using JSON and fallback to YAML
+  # @param [String] data file data to parse
+  # @return [Hash] data parsed to a hash
+  def parse_data(data)
+    JSON.parse(data)
+  rescue JSON::JSONError
+    YAML.safe_load(data)
+  end
+
+  # Recursively encrypt all values.
+  def encrypt_values(values)
+    if values.is_a?(Hash)
+      encrypted_hash = {}
+      values.keys.each do |key|
+        encrypted_hash[key.to_s] = encrypt_values(values[key])
+      end
+      encrypted_hash
+    elsif values.is_a?(Enumerable)
+      values.collect { |value| encrypt_values(value) }
+    else
+      encrypt_value(values)
+    end
+  end
+
+  # Recursively decrypt all values.
+  def decrypt_values(values)
+    if values.is_a?(Hash)
+      decrypted_hash = {}
+      values.each do |key, value|
+        decrypted_hash[key.to_s] = decrypt_values(value)
+      end
+      decrypted_hash
+    elsif values.is_a?(Enumerable)
+      values.collect { |value| decrypt_values(value) }
+    else
+      decrypt_value(values)
+    end
+  end
+
+  # Since the encrypted values include a salt, make sure we don't overwrite values in the stored
+  # documents when the decrypted values haven't changed since this would mess up any file history
+  # in a source code repository.
+  def restore_unchanged_keys!(new_hash, old_hash)
+    if new_hash.is_a?(Hash) && old_hash.is_a?(Hash)
+      new_hash.keys.each do |key|
+        new_value = new_hash[key]
+        old_value = old_hash[key]
+        next if new_value == old_value
+
+        if new_value.is_a?(Enumerable) && old_value.is_a?(Enumerable)
+          restore_unchanged_keys!(new_value, old_value)
+        elsif equal_encrypted_values?(new_value, old_value)
+          new_hash[key] = old_value
+        end
+      end
+    elsif new_hash.is_a?(Array) && old_hash.is_a?(Array)
+      new_hash.size.times do |i|
+        new_val = new_hash[i]
+        old_val = old_hash[i]
+        if new_val != old_val
+          if new_val.is_a?(Enumerable) && old_val.is_a?(Enumerable)
+            restore_unchanged_keys!(new_val, old_val)
+          elsif equal_encrypted_values?(new_val, old_val)
+            new_hash[i] = old_val
+          end
+        end
+      end
+    end
+  end
+
+  # Helper method to encrypt a value.
+  def encrypt_value(value)
+    self.class.encrypt(value, @secret_key)
+  end
+
+  # Helper method to decrypt a value.
+  def decrypt_value(encrypted_value)
+    self.class.decrypt(encrypted_value, @secret_key)
+  end
+
+  # Helper method to test if two values are both encrypted, but result in the same decrypted value.
+  def equal_encrypted_values?(value_1, value_2)
+    return true if value_1 == value_2
+
+    decrypt_val_1 = decrypt_value(value_1)
+    decrypt_val_2 = decrypt_value(value_2)
+    if decrypt_val_1 == decrypt_val_2
+      if value_1 == decrypt_val_1 || value_2 == decrypt_val_2
+        false
+      else
+        true
+      end
+    else
+      false
+    end
+  end
+
+  # Derive a key of given length from a password and salt value.
+  def derive_key(password, salt:, length:)
+    if defined?(OpenSSL::KDF)
+      OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: KDF_ITERATIONS, length: length, hash: HASH_FUNC)
+    else
+      OpenSSL::PKCS5.pbkdf2_hmac(password, salt, KDF_ITERATIONS, length, HASH_FUNC)
+    end
+  end
+
+  # This is a
+  def key_dummy_value
+    encrypt_value(KNOWN_DUMMY_VALUE)
+  end
+
+  # Helper to check if our encryption key is correct
+  def encryption_key_matches?(encrypted_key)
+    decrypt_value(encrypted_key) == KNOWN_DUMMY_VALUE
+  rescue OpenSSL::Cipher::CipherError
+    # If the key fails to decrypt, then it cannot be correct
+    false
+  end
+
+  def yaml_file?(path)
+    ext = path.split(".").last.to_s.downcase
+    ext == "yaml" || ext == "yml"
+  end
+
+  # Update the secret key by updating the salt
+  #
+  # @param key: new encryption key
+  # @param salt: salt to use for secret
+  # @return [void]
+  def update_secret(key: nil, salt: nil)
+    @encryption_key = key unless key.nil? || key.empty?
+    @salt = salt unless salt.nil? || salt.empty?
+
+    # Only update the secret if encryption key and salt are present
+    if !@encryption_key.nil? && !@salt.nil?
+      # Convert the salt to raw byte string
+      salt_bytes = [@salt].pack("H*")
+      @secret_key = derive_key(@encryption_key, salt: salt_bytes, length: KEY_LENGTH)
+    end
+    # Don't accidentally return the secret, dammit
+    nil
+  end
+  
+  # Logic to read an encryption key from environment variables if it is not explicitly supplied.
+  # If it isn't specified, the value will be read from the SECRET_KEYS_ENCRYPTION_KEY environment
+  # variable. Otherwise, it will be tried to read from the file specified by the
+  # SECRET_KEYS_ENCRYPTION_KEY_FILE environment variable.
+  def read_encryption_key(encryption_key)
+    return encryption_key if encryption_key && !encryption_key.empty?
+    encryption_key = ENV['SECRET_KEYS_ENCRYPTION_KEY']
+    return encryption_key if encryption_key && !encryption_key.empty?
+    encryption_key_file = ENV['SECRET_KEYS_ENCRYPTION_KEY_FILE']
+    if encryption_key_file && !encryption_key_file.empty? && File.exist?(encryption_key_file)
+      File.read(encryption_key_file).chomp
+    else
+      nil
+    end
+  end
+
+end

data/secret_keys.gemspec

@@ -0,0 +1,32 @@
+Gem::Specification.new do |spec|
+  spec.name = "secret_keys"
+  spec.version = File.read(File.expand_path("../VERSION", __FILE__)).strip
+  spec.authors = ["Brian Durand", "Winston Durand"]
+  spec.email = ["bbdurand@gmail.com", "me@winstondurand.com"]
+
+  spec.summary = "Simple mechanism for loading JSON file with encrypted values."
+  spec.homepage = "https://github.com/bdurand/secret_keys"
+  spec.license = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  ignore_files = %w[
+    .gitignore
+    .travis.yml
+    Appraisals
+    Gemfile
+    Gemfile.lock
+    Rakefile
+    gemfiles/
+    spec/
+  ]
+  spec.files = Dir.chdir(File.expand_path("..", __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| ignore_files.any? { |path| f.start_with?(path) } }
+  end
+
+  spec.require_paths = ["lib"]
+  spec.bindir = "bin"
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+
+  spec.add_development_dependency "bundler", "~>2.0"
+end

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: secret_keys
+version: !ruby/object:Gem::Version
+  version: 1.0.0.pre
+platform: ruby
+authors:
+- Brian Durand
+- Winston Durand
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-05-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: 
+email:
+- bbdurand@gmail.com
+- me@winstondurand.com
+executables:
+- secret_keys
+extensions: []
+extra_rdoc_files: []
+files:
+- ".editorconfig"
+- ".github/workflows/style.yml"
+- ".github/workflows/test.yml"
+- ".standard.yml"
+- ".yardopts"
+- CHANGE_LOG.md
+- MIT_LICENSE.txt
+- README.md
+- VERSION
+- bin/secret_keys
+- lib/secret_keys.rb
+- secret_keys.gemspec
+homepage: https://github.com/bdurand/secret_keys
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Simple mechanism for loading JSON file with encrypted values.
+test_files: []