secrets-cipher-base64 1.2.1

data/.travis.yml

@@ -0,0 +1,13 @@
+language: ruby
+env:
+  - CODECLIMATE_REPO_TOKEN=be1a1a266b0ffc81fa0bd1e432a229f2a4ab420dcb9e9e15c1e75e2acad573b7 
+rvm:
+  - 2.2.5
+  - 2.3.1
+script: "bundle exec rspec"
+notifications:
+  email:
+    recipients:
+      - kigster@gmail.com
+    on_success: change
+    on_failure: always

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in secrets-cipher-base64.gemspec
+gemspec
+
+gem 'ffi', :platforms => [:mswin, :mingw]

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright © 2016 Konstantin Gredeskoul, all rights reserved.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/MANAGING-KEYS.md

@@ -0,0 +1,67 @@
+# Managing Private Keys
+
+In this document we discuss several methods of keeping the private keys safe and yet conveniently available when needed. We also note the possible security implications of each method.
+
+We assume that you have some data or files that have been previously encrypted with a 32-byte key using this library, and that you want to be able to access the data easily with your private key, but at the same time not make it too easy for an attacker to find the keys.
+
+## Method 1.<br>Keychain Access on Mac OS-X
+
+How you store the secret, is up to you, but here is one way that leverages Mac OS-X Keychain. In fact you can store multiple keys if you like. In the example below we'll store two separate keys, one for staging and one for production:
+
+In your terminal, type these two commands. Note that the `-s` parameter is something you might want to customize, and make it easy to find. For example, instead of using `production` you could use `big-corp-django-secret-production`. The name should be such that it's easy to find once you open KeyChain Editor later.
+
+```bash
+security add-generic-password -a $USER -D "secret-cipher-base64" -s "staging"
+security add-generic-password -a $USER -D "secret-cipher-base64" -s "production"
+```
+
+This step does not actually store any key, it simply creates a KeyChain placeholder for it. We'll generate and add the key next.
+
+Finally, to make this a bit more efficient, I recommend listing the key names in an array-type environment variable set in your `~/.bashrc` file, for example:
+
+```bash
+# ~/.bashrc
+declare -a secret_names=(production staging)
+```
+
+After declaring this array, you can even rewrite the above command as a loop, which could be handy if you are storing not 2 or 3 but 10+ keys.
+
+```bash
+for secret_name in ${secret_names[@]}; do
+  security add-generic-password -a $USER \ 
+      -D "secret-cipher-base64" -s $secret_name
+done
+```
+ 
+### Saving the Secret to KeyChain
+
+* Open `KeyChain Access` application 
+* Search for the token you specified, for example `production`
+* Double-click on the matching entry
+* Click "Show password"
+* Paste the copied value in that field
+* Click "Save Changes"
+* Repeat for `staging` or any other key you want to save.
+
+### Retrieving Secret from the KeyChain
+
+Using the below bash function, you can retrieve and export the secrets as environment variables, which can later be read by your code:
+
+```bash
+# append this function to your ~/.bashrc or ~/.bash_profile
+function load_keys() {
+  declare -a secret_names=(production staging)
+  for secret_name in ${secret_names[@]}; do
+    varname="secret_${secret_name}"  # eg, $secret_production 
+    secret=`security find-generic-password -g -a $USER -w -D "secret-cipher-base64" -s "$secret_name"`
+    eval "export $varname=$secret"
+  done
+}  
+```
+
+With this out of the way, we just need to type `load_keys` in Terminal to get our keys automatically exported.
+
+### Security
+
+In this model, an attacker who obtains login access to your account will be able to quickly examine the local environment to discover one or more private keys already exported.
+

data/README.md

@@ -0,0 +1,314 @@
+# Secrets-Cipher-Base64 
+
+[![Gem Version](https://badge.fury.io/rb/secrets-cipher-base64.svg)](https://badge.fury.io/rb/secrets-cipher-base64)
+[![Downloads](http://ruby-gem-downloads-badge.herokuapp.com/secrets-cipher-base64?type=total)](https://rubygems.org/gems/secrets-cipher-base64)
+
+<br />
+
+[![Build Status](https://travis-ci.org/kigster/secrets-cipher-base64.svg?branch=master)](https://travis-ci.org/kigster/secrets-cipher-base64)
+[![Code Climate](https://codeclimate.com/github/kigster/secrets-cipher-base64/badges/gpa.svg)](https://codeclimate.com/github/kigster/secrets-cipher-base64)
+[![Test Coverage](https://codeclimate.com/github/kigster/secrets-cipher-base64/badges/coverage.svg)](https://codeclimate.com/github/kigster/secrets-cipher-base64/coverage)
+[![Issue Count](https://codeclimate.com/github/kigster/secrets-cipher-base64/badges/issue_count.svg)](https://codeclimate.com/github/kigster/secrets-cipher-base64)
+
+## Summary
+
+What? *Another security gem?* —— Well, funny you should ask! 
+
+You see, security is an incredibly wide topic. The tools around security tend to fall into two classes: swiss army knife wrappers around `OpenSSL`, and more specialized tools. This gem falls in the second category. It wraps a very small part of `OpenSSL` library. 
+
+> __Namely, `secrets-cipher-base64` provides:__
+>
+> * Symmetric data encryption with: 
+>   * the cipher `AES-256-CBC` 
+>   * 256-bit private key
+>   * which can be optionally password-encrypted.
+> * Rich command line interface with some innovative features, such as inline encrypted file editing using your current `$EDITOR`
+> * Automatic compression of the data
+> * Rich Ruby API and highly extensible approach to encryption/decryption
+> * Automatic detection of password-protected keys, 
+> * and more...
+
+The main point behind this gem is to allow you to store sensitive application secrets in your source code repo as `AES-256-CBC`-encrypted files or strings (this is the same encryption algorithm that US Government uses internally). The output of the encryption is always a (urlsafe) `base64`-encoded string, without the linebreaks.
+ 
+The private key (encrypted or not) is also a base64-encoded string, typically 45 characters long (unless it's password encrypted, in which case it is considerably longer). 
+ 
+Using a single-line string that `urlsafe_encode64()` generates, makes this gem well suited for encrypting specific fields in the YAML file, or simply the entire file.  This also means that the private key can be easily exported as an environment variable (as it's value is a single-line string).  
+ 
+> NOTE: The library leverages the code shown in the following discussion: http://stuff-things.net/2015/02/12/symmetric-encryption-with-ruby-and-rails/ I'd like to acknowledge the the author of the above thread for providing clear examples of a simple symmetric encryption with `OpenSSL`.
+
+## Symmetric Encryption
+
+Symmetric encryption simply means that we are using the same private key to encrypt and decrypt. The secret can be generated by the tool and is a *base64-encoded* string which is 45 characters long. The *decoded* secret is always 32 characters long (or 256 bytes long).
+
+In addition to the private key, the encryption uses an IV vector. The library completely hides `iv` from the user, generates one random `iv` per encryption, and stores it together with the field itself (*base64-encoded*).
+
+## Installation
+
+If you plan on using the library in your ruby project with Bundler managing its dependencies, just include the following line in your `Gemfile`:
+
+```ruby
+gem 'secrets-cipher-base64'
+```
+And then run `bundle`.
+
+Or install it into the global namespace with `gem install` command:
+
+    $ gem install secrets-cipher-base64
+    $ secrets -h
+    $ secrets -E # see examples
+
+## Usage
+
+### Private Keys
+
+This library relies on the existance of the 32-byte private key (aka, *a secret*), that must be stored somewhere safely if your encrypted data is to be persisted, for example it can be saved into the keychain on Mac OSX. 
+
+> In fact, we put together a separate file that discusses strategies for protecting your encryption keys, for example you can read about [how to use Mac OS-X Keychain Access application](https://github.com/kigster/secrets-cipher-base64/blob/master/MANAGING-KEYS.md) and other methods. Additions and discussion are welcome. Please contribute!
+
+You can use one key for all encrypted fields, or many keys – perhaps one per deployment environment, etc. While you can have per-field secrets, it seems like an overkill.
+
+__NOTE: it is considered a bad practice to check in the private key into the version control.__  If you keep your secret out of your repo, you can check-in encrypted secrets file directly into the repo. As long as the private key itself is safe, the data in your encrypted  will be next to impossible to extract. 
+
+### Command Line (CLI)
+ 
+You can generate using the command line, or in a programmatic way. First we'll discuss the command line usage, and in a later section we'll discuss Ruby API provided by the gem. 
+
+#### Generating and Using Private Keys
+
+Once the gem is installed you will be able to run an executable `secrets`. Now let's generate and copy the new private key to the clipboard. Clipboard copy is activated with the -c flag:
+
+    secrets -gc
+
+Or save a new key into a bash variable
+
+    SECRET=$(secrets -g)
+
+Or save it to a file:
+
+    secrets -go ~/.key
+
+Or create a password-protected key, and save it to a file:
+
+    secrets -gcp -o ~/.secret
+    # New Password:     ••••••••••
+    # Confirm Password: •••••••••• 
+
+You can subsequently use the private key by either:
+
+  1. passing the `-k [key value]` flag 
+  2. passing the `-K [key file]` flag
+
+#### Using KeyChain Access on Mac OS-X
+
+On Mac OS-X there is a third option – using the Keychain Access Manager behind the scenes. Apple released a `security` command line tool, which this library uses to securely store a key/value pair of the key name and the actual private key in your OS-X KeyChain. The advantages of this method are numerous: 
+
+ * The private key won't be lying around your file system unencrypted, so if your Mac is ever stolen, you don't need to worry about the keys running wild.
+ * If you sync your keychain with iCloud you will have access to it on other machines
+
+To activate the KeyChain mode on the Mac, use `-x <keyname>` field instead of `-k` or `-K`, and add it to `-g` when generating a key. The `keyname` is what you name this particular key base on where it's going to be used. For example, you may call it `staging`, etc. 
+
+The following command generates the private key and immediately stores it in the KeyChain access under the name provided:
+
+    secrets -g -x staging
+
+Now, whenever you need to encrypt something, in addition to the `-k` and `-K` you can also choose `-x staging`. This will retrieve the key from the KeyChain access, and use it for encryption/decryption.
+    
+Finally, you can delete a key from KeyChain access by running:
+    
+    secrets -X staging
+    
+#### KeyChain Key Management
+    
+Another tiny executable supplied with this library is called `keychain`
+
+```bash
+Usage: keychain item [ add <contents> | find | delete ]
+```
+You can use this to add an existing key that can be used with the `secrets` later. Of course you can also use the tool to find or delete it.b
+
+3. passing the `-x [keychain access entry name]` flag
+
+####  Encryption and Decryption
+
+This may be a good time to take a look at the full help message for the `secrets` tool:
+
+```bash
+❯ exe/secrets -h
+Usage:
+    secrets [options]
+Modes:
+    -t, --edit                    decrypt, open encr. file in vim
+    -e, --encrypt                 encrypt mode
+    -d, --decrypt                 decrypt mode
+Private Key:
+    -g, --generate                generate a new private key
+    -p, --password                encrypt the key with a password
+    -c, --copy                    copy the new key to a clipboard
+    -k, --private-key  [key]      private key as a string
+    -K, --key-file     [key-file] file containing the key
+    -x, --keychain     [key-name] name of the generic password entry
+    -X, --delete-key   [key-name] delete keychain entry with that name
+Data:
+    -s, --string       [string]   specify a string to encrypt/decrypt
+    -f, --file         [file]     filename to read from
+    -o, --output       [file]     filename to write to
+Data:
+    -i, --interactive             ask for a key interactively
+    -b, --backup                  create a backup file in the edit mode
+Flags:
+    -v, --verbose                 show additional information
+    -T, --trace                   print a backtrace of any errors
+    -E, --examples                show several examples
+    -V, --version                 print library version
+    -N, --no-color                disable color output
+    -h, --help                    show help
+```
+
+### CLI Usage Examples
+
+__Generating the Key__:
+
+Generate a new private key into an environment variable:
+
+    export KEY=$(secrets -g)
+    echo $KEY
+    # => 75ngenJpB6zL47/8Wo7Ne6JN1pnOsqNEcIqblItpfg4=
+
+Generate a new password-protected key, copy to the clipboard & save to a file:
+
+    secrets -gpc -o ~/.key
+    New Password     : ••••••••••
+    Confirm Password : ••••••••••
+
+Encrypt a plain text string with a key, and save the output to a file:
+
+    secrets -e -s "secret string" -k $KEY -o file.enc
+    cat file.enc
+    # => Y09MNDUyczU1S0UvelgrLzV0RTYxZz09CkBDMEw4Q0R0TmpnTm9md1QwNUNy%T013PT0K
+
+Decrypt a previously encrypted string:
+
+    secrets -d -s $(cat file.enc) -k $KEY
+    # => secret string
+
+Encrypt a file and save it to secrets.enc:
+
+    secrets -e -f app-secrets.yml -o app-secrets.enc -k $KEY
+    
+Decrypt an encrypted file and print it to STDOUT:
+
+    secrets -df app-secrets.enc -k $KEY
+
+##### Inline Editing
+
+The `secrets` CLI tool supports one interesting mode where you can open an encrypted file in an `$EDITOR`, and edit it's unencrypted version (stored temporarily in a temp file), and upon saving and exiting the gem will automatically diff the new and old content, and if different – will save encrypt it and overwrite the original file.
+
+In this mode several flags are of importance:
+
+    -b (--backup)   – will create a backup of the original file
+    -v (--verbose) - will show additional info about file sizes
+      
+Here is a full command that opens a file specified by `-f | --file`, using the key specified in `-K | --key-file`, in the editor defined by the `$EDITOR` environment variable (or if not set – defaults to `/bin/vi`)". 
+
+NOTE: while much effort has been made to ensure that the gem is bug free, the reality is that no software is bug free. Please make sure to backup your encrypted file before doing it for the first few times to get familiar with the command.
+     
+To edit an encrypted file in $EDITOR, while asking for a key (`-i | --interactive`), creating a backup file (`-b | --backup`):
+
+    secrets -tibf data.enc
+    # => Private Key: ••••••••••••••••••••••••••••••••••••••••••••
+    #
+    # => Diff:
+    # 3c3
+    # # (c) 2015 Konstantin Gredeskoul.  All rights reserved.
+    # ---
+    # # (c) 2016 Konstantin Gredeskoul.  All rights reserved.
+
+### Ruby API
+
+To use this library you must include the main `Secrets` module into your library.
+
+Any class including `Secrets` will be decorated with new class methods `#private_key` and `#create_private_key`, as well as instance methods `#encr`, and `#decr`. 
+
+`#create_private_key` will generate a new key each time it's called, while `#private_key` will either assign an existing key (if a value is passed), or generate and save a new key in the class instance variable. Therefore each class including `Secrets` will use it's own key (unless the key is assigned). 
+
+The following example illustrates this point:
+
+```ruby
+require 'secrets'
+
+class TestClass
+  include Secrets
+end
+@key = TestClass.create_private_key
+@key.eql?(TestClass.private_key)  # => false
+# A new key was created and saved in #private_key accessor.
+
+class SomeClass
+  include Secrets
+  private_key TestClass.private_key
+end
+
+@key.eql?(SomeClass.private_key)  # => true (it was assigned)
+```
+
+#### Encryption and Decryption
+
+So how would we use this library from another ruby project to encrypt and decrypt values?
+
+After including the `Secrets` module in a ruby class, the class will now have the `#encr` and `#decr` instance methods, as well as `#secret` and `#create_private_key class methods.
+
+Therefore you could write something like this below, protecting a sensitive string using a class-level secret.
+
+```ruby
+require 'secrets'
+class TestClass
+  include Secrets
+  private_key ENV['SECRET']
+  
+  def sensitive_value=(value)
+    @sensitive_value = encr(value, self.class.private_key)
+  end
+  def sensitive_value
+    decr(@sensitive_value, self.class.private_key)
+  end
+end
+```
+
+### Configuration
+
+The library offers a typical `Secrets::Configuration` class which can be used to tweak some of the internals of the gem. This is really meant for a very advanced user who knows what she is doing. The following snippet is actually part of the Configuration class itself, but can be overridden by your code that uses and initializes this library. `Configuration` is a singleton, so changes to it will propagate to any subsequent calls to the gem.
+
+```ruby
+Secrets::Configuration.configure do |config|
+  config.password_cipher = 'AES-128-CBC'  # 
+  config.data_cipher = 'AES-256-CBC'
+  config.private_key_cipher = config.data_cipher
+  config.compression_enabled = true
+  config.compression_level = Zlib::BEST_COMPRESSION
+end
+```
+
+As you can see, it's possible to change the default cipher typem, although not all ciphers will be code-compatible with the current algorithm, and may require additional code changes.
+
+## Managing Keys
+
+There is a separate discussion about ways to securely store private keys in [MANAGING-KEYS.md](https://github.com/kigster/secrets-cipher-base64/blob/master/MANAGING-KEYS.md).
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/kigster/secrets-cipher-base64.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+## Author
+
+This library is the work of [Konstantin Gredeskoul](http:/kig.re), &copy; 2016, distributed under the MIT license.
+

data/Rakefile

@@ -0,0 +1,13 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+#require 'guard/notifiers/terminal_notifier'
+RSpec::Core::RakeTask.new(:spec)
+
+require 'yard'
+YARD::Rake::YardocTask.new do |t|
+  t.files = %w(lib/**/*.rb exe/*.rb - README.md MANAGING-KEYS.md LICENSE)
+  t.options.unshift('--title', '"Secrets – Symmetric Key Encryption for Your Data"')
+  system('open doc/index.html')
+end
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "secrets"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start