sekrets 1.9.1 → 1.10.0

Files changed (10)
  1. checksums.yaml +7 -0
  2. data/Gemfile +2 -0
  3. data/Gemfile.lock +34 -0
  4. data/LICENSE +22 -0
  5. data/README.md +109 -0
  6. data/Rakefile +21 -16
  7. data/lib/sekrets.rb +15 -16
  8. data/sekrets.gemspec +18 -11
  9. metadata +34 -43
  10. data/README +0 -144
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: eae5557799ee5e82130f9e7a15a298f166b10f49
4
+ data.tar.gz: 3d9e87c57cbb35dfb8826fece73e93eeee51cb3d
5
+ SHA512:
6
+ metadata.gz: c81545e69ac61d60c5bb36bc5f4f99596c554fdc5c34e97f908458fd6e38a47c7ca1c072d3ceb7313acae958a78d73506c02a18ca525d7b2a7e71baa1d2e7a93
7
+ data.tar.gz: 4b35556bd48a4183f3c8e9e232553201e03d55f0b5baa8494d50d6e16f610bfae6d70b78cde456165c7a9dec0f7010221e2cc6a66ec09a1f38ab2ae246dd6e2c
data/Gemfile ADDED
@@ -0,0 +1,2 @@
1
+ source "https://rubygems.org/"
2
+ gemspec
@@ -0,0 +1,34 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ sekrets (1.10.0)
5
+ coerce (>= 0.0.3)
6
+ fattr (~> 2.2)
7
+ highline (~> 1.6)
8
+ main (~> 6.1)
9
+ map (~> 6.3)
10
+
11
+ GEM
12
+ remote: https://rubygems.org/
13
+ specs:
14
+ arrayfields (4.9.2)
15
+ chronic (0.10.2)
16
+ coerce (0.0.8)
17
+ chronic (>= 0.6.2)
18
+ fattr (2.3.0)
19
+ highline (1.7.8)
20
+ main (6.2.2)
21
+ arrayfields (~> 4.7, >= 4.7.4)
22
+ chronic (~> 0.6, >= 0.6.2)
23
+ fattr (~> 2.2, >= 2.2.0)
24
+ map (~> 6.1, >= 6.1.0)
25
+ map (6.6.0)
26
+
27
+ PLATFORMS
28
+ ruby
29
+
30
+ DEPENDENCIES
31
+ sekrets!
32
+
33
+ BUNDLED WITH
34
+ 1.14.6
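Review bot: The PATH specs entry `coerce (>= 0.0.3)` does not match the `~> 0.0.3` constraint that the gemspec in this same release declares, so this lock file appears to have been generated before the dependency constraints were tightened. Regenerate it after `rake gemspec`, or leave Gemfile.lock out of the packaged files: a library's lock file is not consulted when the gem is installed as a dependency, and here it only records the versions the author happened to resolve (for example highline 1.7.8 and main 6.2.2).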
data/LICENSE ADDED
@@ -0,0 +1,22 @@
1
+ Copyright 2013 Ara T. Howard
2
+
3
+ Redistribution and use in source and binary forms, with or without modification,
4
+ are permitted provided that the following conditions are met:
5
+
6
+ 1. Redistributions of source code must retain the above copyright notice, this
7
+ list of conditions and the following disclaimer.
8
+
9
+ 2. Redistributions in binary form must reproduce the above copyright notice,
10
+ this list of conditions and the following disclaimer in the documentation
11
+ and/or other materials provided with the distribution.
12
+
13
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
14
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
16
+ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
17
+ ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
18
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
19
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
20
+ ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
22
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,109 @@
1
+ # NAME
2
+
3
+ sekrets.rb
4
+
5
+ ## SYNOPSIS
6
+
7
+ sekrets is a command line tool and library used to securely manage encrypted files and settings in your rails' applications and git repositories.
8
+
9
+ ## INSTALL
10
+
11
+ gem install sekrets
12
+
13
+ ## DESCRIPTION
14
+
15
+ sekrets provides commandline tools and a library to manage and access encrypted files in your code base.
16
+
17
+ It allows one to check encrypted infomation into a repository and to manage it alongside the rest of the code base. It elimnates the need to check in unencrypted information, keys, or other sensitive infomation.
18
+
19
+ sekrets provides both a general mechanism for managing arbitrary encrypted files and a specific mechanism for managing encrypted config files.
20
+
21
+ ## USAGE
22
+
23
+ create an encrypted config file
24
+
25
+ ruby -r yaml -e'puts({:api_key => 1234}.to_yaml)' | sekrets write config/settings.yml.enc --key 42
26
+
27
+ display it
28
+
29
+ sekrets read config/settings.yml.enc --key 42
30
+
31
+ edit it
32
+
33
+ sekrets edit config/settings.yml.enc --key 42
34
+
35
+ see that it's encrypted
36
+
37
+ cat config/settings.yml.enc
38
+
39
+ commit it
40
+
41
+ git add config/settings.yml.enc
42
+
43
+ put the decryption key in a file
44
+
45
+ echo 42 > .sekrets.key
46
+
47
+ ignore this file in git
48
+
49
+ echo .sekrets.key >> .gitignore
50
+
51
+ you now no longer need to provide the `--key` argument to commands
52
+
53
+ sekrets read config/settings.yml.enc
54
+ sekrets edit config/settings.yml.enc
55
+
56
+ make sure this file gets deployed on your server
57
+
58
+ echo " require 'sekrets/capistrano' " >> Capfile
59
+
60
+ commit and deploy
61
+
62
+ git add config/settings.yml.enc
63
+ git commit -am'encrypted settings yo'
64
+ git pull && git push && cap staging deploy
65
+
66
+ access these settings in your application code
67
+
68
+ settings = Sekrets.settings_for('./config/settings.yml.enc')
69
+
70
+ ## RAILS
71
+
72
+ gem 'sekrets' # Gemfile
73
+
74
+ bundle install
75
+
76
+ rake sekrets:generate:key
77
+ rake sekrets:generate:editor
78
+ rake sekrets:generate:config
79
+
80
+
81
+ ## KEY LOOKUP
82
+
83
+ for *all* operations, from the command line or otherwise, sekrets uses the following algorithm to search for a decryption key:
84
+
85
+ - any key passed directly as a parameter to a library call will be preferred
86
+ - otherwise the code looks for a companion key file. for example, given the file `config/sekrets.yml.enc` sekrets will look for a key at `config/.sekrets.yml.enc.key`
87
+ - If either of these is found to be non-empty the contents of the file will be used as the decryption key for that file. You should **never** commit these key files and also add them to your `.gitignore` - or similar.
88
+ - Next a project key file is looked for. The path of this file is `./.sekrets.key` normally and, in a rails' application `RAILS_ROOT/.sekrets.key`
89
+ - If that is not found sekrets looks for the key in the environment under the env var `SEKRETS_KEY` (the env var used is configurable in the library)
90
+ - Next the global key file is search for, the path of this file is `~/.sekrets.key`
91
+ - Finally, if no key has yet been specified or found, the user is prompted to input the key. Prompt only occurs if the user us attached to a tty. So, for example, no prompt will hang an application being started in the background (such as a rails' application being managed by passenger).
92
+
93
+ see `Sekrets.key_for` for explicit details
94
+
95
+ ## KEY DISTRIBUTION
96
+
97
+ sekrets does *not* attempt to solve the key distribution problem for you,with one exception:
98
+
99
+ If you are using capistrano to do a *vanilla* ssh based deploy, a simple recipe is provided which will detect a local keyfile and scp it onto the remote server(s) on deploy.
100
+
101
+ sekrets assumes that the local keyfile, if it exists, is correct.
102
+
103
+ In plain english the capistrano recipe does:
104
+
105
+ scp ./sekrets.key deploy@remote.host.com:/rails_root/current/sekrets.key
106
+
107
+ It goes without saying that the local keyfile should *never* be checked in and also should be in `.gitignore`.
108
+
109
+ Distribution of this key among developers is outside the scope of the library. Encrypted email is likely the best mechanism for distribution, but you've still got to solve this problem for yourself ;-/
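Review bot: The KEY DISTRIBUTION example `scp ./sekrets.key deploy@remote.host.com:/rails_root/current/sekrets.key` names the key file without the leading dot, while USAGE and KEY LOOKUP use `.sekrets.key` and the `.gitignore` entry written in USAGE is `.sekrets.key`. A reader who follows the scp line literally ends up with a key file that is neither on the documented lookup path nor ignored by git, so use `.sekrets.key` on both sides. Separately, the USAGE commands pass the key as `--key 42`, which leaves it in shell history and the process list; the README should say that `42` is a placeholder and that the key file is the preferred form. The typos carried over from the old README (`infomation`, `elimnates`, `user us attached`, `is search for`) can be fixed in the same pass.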
data/Rakefile CHANGED
@@ -90,6 +90,7 @@ task :gemspec do
90
90
  test_files = test(?e, "test/#{ lib }.rb") ? "test/#{ lib }.rb" : nil
91
91
  summary = object.respond_to?(:summary) ? object.summary : "summary: #{ lib } kicks the ass"
92
92
  description = object.respond_to?(:description) ? object.description : "description: #{ lib } kicks the ass"
93
+ license = object.respond_to?(:license) ? object.license : "BSD-2-Clause"
93
94
 
94
95
  if This.extensions.nil?
95
96
  This.extensions = []
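Review bot: The new `license = object.respond_to?(:license) ? object.license : "BSD-2-Clause"` line has nothing to read from in this diff: the lib/sekrets.rb hunk adds `Fattr(:summary)` and `Fattr(:description)` but no `license`, so the hard-coded fallback is what reaches the gemspec. Since the value replaces `"Same as Ruby's"`, define the license next to summary and description so the relicensing is stated in one deliberate place, and call it out in the release notes.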
@@ -118,34 +119,38 @@ task :gemspec do
118
119
  else
119
120
  Template {
120
121
  <<-__
121
- ## <%= lib %>.gemspec
122
+ # DO NOT EDIT - This file is automatically generated
123
+ # Make changes to Rakefile and regenerate with `rake gemspec`
124
+ ## #{ lib }.gemspec
122
125
  #
123
126
 
124
127
  Gem::Specification::new do |spec|
125
- spec.name = <%= lib.inspect %>
126
- spec.version = <%= version.inspect %>
128
+ spec.name = #{ lib.inspect }
129
+ spec.version = #{ version.inspect }
127
130
  spec.platform = Gem::Platform::RUBY
128
- spec.summary = <%= lib.inspect %>
129
- spec.description = <%= description.inspect %>
130
- spec.license = "Same as Ruby's"
131
+ spec.summary = #{ summary.inspect }
132
+ spec.description = #{ description.inspect }
133
+ spec.license = #{ license.inspect }
134
+
135
+ spec.files =\n#{ files.sort.pretty_inspect }
136
+ spec.executables = #{ executables.inspect }
131
137
 
132
- spec.files =\n<%= files.sort.pretty_inspect %>
133
- spec.executables = <%= executables.inspect %>
134
-
135
138
  spec.require_path = "lib"
136
139
 
137
- spec.test_files = <%= test_files.inspect %>
140
+ spec.test_files = #{ test_files.inspect }
138
141
 
139
142
  <% dependencies.each do |lib_version| %>
140
143
  spec.add_dependency(*<%= Array(lib_version).flatten.inspect %>)
141
144
  <% end %>
142
145
 
143
- spec.extensions.push(*<%= extensions.inspect %>)
146
+ spec.extensions.push(*#{ extensions.inspect })
147
+
148
+ spec.rubyforge_project = #{ This.rubyforge_project.inspect }
149
+ spec.author = #{ This.author.inspect }
150
+ spec.email = #{ This.email.inspect }
151
+ spec.homepage = #{ This.homepage.inspect }
144
152
 
145
- spec.rubyforge_project = <%= This.rubyforge_project.inspect %>
146
- spec.author = <%= This.author.inspect %>
147
- spec.email = <%= This.email.inspect %>
148
- spec.homepage = <%= This.homepage.inspect %>
153
+ spec.required_ruby_version = '>= 1.9'
149
154
  end
150
155
  __
151
156
  }
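Review bot: The template is left half converted: the scalar fields now use heredoc interpolation (`#{ lib.inspect }`), but the dependency loop still uses ERB tags (`<% dependencies.each do |lib_version| %>` and `<%= Array(lib_version).flatten.inspect %>`). Those remaining tags only work if `Template` still runs ERB over the heredoc result, and in that case an interpolated `summary` or `description` containing `<%` would be evaluated as template code instead of being emitted as text. Convert the loop to plain Ruby as well, or keep ERB throughout. Also, `spec.required_ruby_version = '>= 1.9'` is hard-coded in the template while every other field comes from `This` or the library object.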
@@ -294,7 +299,7 @@ BEGIN {
294
299
 
295
300
  # discover full path to this ruby executable
296
301
  #
297
- c = Config::CONFIG
302
+ c = RbConfig::CONFIG
298
303
  bindir = c["bindir"] || c['BINDIR']
299
304
  ruby_install_name = c['ruby_install_name'] || c['RUBY_INSTALL_NAME'] || 'ruby'
300
305
  ruby_ext = c['EXEEXT'] || ''
@@ -6,6 +6,13 @@ class Sekrets
6
6
  Fattr(:project_key){ File.join(root, '.sekrets.key') }
7
7
  Fattr(:global_key){ File.join(File.expand_path('~'), '.sekrets.key') }
8
8
 
9
+ Fattr(:summary){ "securely manage encrypted files and settings" }
10
+
11
+ Fattr(:description){
12
+ "sekrets is a command line tool and library used to securely manage encrypted files and settings in your rails' applications and git repositories."
13
+ }
14
+
15
+
9
16
  #
10
17
  def Sekrets.key_for(*args)
11
18
  options = Map.options_for!(args)
@@ -292,8 +299,8 @@ class Sekrets
292
299
  #
293
300
  module Blowfish
294
301
  def cipher(mode, key, data)
295
- cipher = OpenSSL::Cipher::Cipher.new('bf-cbc').send(mode)
296
- cipher.key = Digest::SHA256.digest(key.to_s)
302
+ cipher = OpenSSL::Cipher.new('bf-cbc').send(mode)
303
+ cipher.key = Digest::SHA256.digest(key.to_s).slice(0,16)
297
304
  cipher.update(data) << cipher.final
298
305
  end
299
306
 
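Review bot: The `.slice(0,16)` added to `cipher.key = Digest::SHA256.digest(key.to_s).slice(0,16)` cuts the derived key from 32 bytes to 16 with no comment saying why, and nothing in the diff shows that files written by 1.9.1 still decrypt. If the intent is to match the 16-byte default key length of `bf-cbc` because newer Ruby OpenSSL bindings reject keys of the wrong length, say so in a comment and add a test that decrypts a fixture encrypted by the previous release. While this method is being touched: the lines shown set a key but never a `cipher.iv`, and the key is a single unsalted SHA-256 of the passphrase (the README examples use `42`), so a follow-up should consider a random per-file IV and a password-based KDF such as PBKDF2 behind a versioned file format.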
@@ -333,7 +340,7 @@ BEGIN {
333
340
  require 'tmpdir'
334
341
 
335
342
  class Sekrets < ::String
336
- Version = '1.9.1' unless defined?(Version)
343
+ Version = '1.10.0' unless defined?(Version)
337
344
 
338
345
  class << Sekrets
339
346
  def version
@@ -342,11 +349,11 @@ BEGIN {
342
349
 
343
350
  def dependencies
344
351
  {
345
- 'highline' => [ 'highline' , ' >= 1.6.15' ] ,
346
- 'map' => [ 'map' , ' >= 6.3.0' ] ,
347
- 'fattr' => [ 'fattr' , ' >= 2.2.1' ] ,
348
- 'coerce' => [ 'coerce' , ' >= 0.0.3' ] ,
349
- 'main' => [ 'main' , ' >= 5.1.1' ] ,
352
+ 'highline' => [ 'highline' , ' ~> 1.6' ] ,
353
+ 'map' => [ 'map' , ' ~> 6.3' ] ,
354
+ 'fattr' => [ 'fattr' , ' ~> 2.2' ] ,
355
+ 'coerce' => [ 'coerce' , ' ~> 0.0.3' ] ,
356
+ 'main' => [ 'main' , ' ~> 6.1' ] ,
350
357
  }
351
358
  end
352
359
 
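Review bot: Switching from `>=` to `~>` is more than a notation change for `main`: the floor moves from `>= 5.1.1` to `~> 6.1`, so applications that resolved main 5.x can no longer satisfy it, and `coerce` at `~> 0.0.3` is now held to the 0.0.x series. That deserves a line in the release notes for a minor version bump. The requirement strings also keep their leading space (`' ~> 1.6'`), which is carried into the generated `spec.add_dependency(*["highline", " ~> 1.6"])`; trimming it here would clean up the gemspec as well.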
@@ -382,14 +389,6 @@ BEGIN {
382
389
  require(lib)
383
390
  end
384
391
 
385
- Sekrets.fattr(:description){
386
- <<-__
387
-
388
- foobar
389
-
390
- __
391
- }
392
-
393
392
  if defined?(Rails)
394
393
 
395
394
  class Sekrets
@@ -1,16 +1,21 @@
1
+ # DO NOT EDIT - This file is automatically generated
2
+ # Make changes to Rakefile and regenerate with `rake gemspec`
1
3
  ## sekrets.gemspec
2
4
  #
3
5
 
4
6
  Gem::Specification::new do |spec|
5
7
  spec.name = "sekrets"
6
- spec.version = "1.9.1"
8
+ spec.version = "1.10.0"
7
9
  spec.platform = Gem::Platform::RUBY
8
- spec.summary = "sekrets"
9
- spec.description = "description: sekrets kicks the ass"
10
- spec.license = "Same as Ruby's"
10
+ spec.summary = "securely manage encrypted files and settings"
11
+ spec.description = "sekrets is a command line tool and library used to securely manage encrypted files and settings in your rails' applications and git repositories."
12
+ spec.license = "BSD-2-Clause"
11
13
 
12
14
  spec.files =
13
- ["README",
15
+ ["Gemfile",
16
+ "Gemfile.lock",
17
+ "LICENSE",
18
+ "README.md",
14
19
  "Rakefile",
15
20
  "bin",
16
21
  "bin/sekrets",
@@ -28,21 +33,21 @@ Gem::Specification::new do |spec|
28
33
  "test/sekrets_test.rb"]
29
34
 
30
35
  spec.executables = ["sekrets"]
31
-
36
+
32
37
  spec.require_path = "lib"
33
38
 
34
39
  spec.test_files = nil
35
40
 
36
41
 
37
- spec.add_dependency(*["highline", " >= 1.6.15"])
42
+ spec.add_dependency(*["highline", " ~> 1.6"])
38
43
 
39
- spec.add_dependency(*["map", " >= 6.3.0"])
44
+ spec.add_dependency(*["map", " ~> 6.3"])
40
45
 
41
- spec.add_dependency(*["fattr", " >= 2.2.1"])
46
+ spec.add_dependency(*["fattr", " ~> 2.2"])
42
47
 
43
- spec.add_dependency(*["coerce", " >= 0.0.3"])
48
+ spec.add_dependency(*["coerce", " ~> 0.0.3"])
44
49
 
45
- spec.add_dependency(*["main", " >= 5.1.1"])
50
+ spec.add_dependency(*["main", " ~> 6.1"])
46
51
 
47
52
 
48
53
  spec.extensions.push(*[])
@@ -51,4 +56,6 @@ Gem::Specification::new do |spec|
51
56
  spec.author = "Ara T. Howard"
52
57
  spec.email = "ara.t.howard@gmail.com"
53
58
  spec.homepage = "https://github.com/ahoward/sekrets"
59
+
60
+ spec.required_ruby_version = '>= 1.9'
54
61
  end
metadata CHANGED
@@ -1,104 +1,97 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sekrets
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.9.1
5
- prerelease:
4
+ version: 1.10.0
6
5
  platform: ruby
7
6
  authors:
8
7
  - Ara T. Howard
9
8
  autorequire:
10
9
  bindir: bin
11
10
  cert_chain: []
12
- date: 2016-04-01 00:00:00.000000000 Z
11
+ date: 2017-04-05 00:00:00.000000000 Z
13
12
  dependencies:
14
13
  - !ruby/object:Gem::Dependency
15
14
  name: highline
16
15
  requirement: !ruby/object:Gem::Requirement
17
- none: false
18
16
  requirements:
19
- - - ! '>='
17
+ - - "~>"
20
18
  - !ruby/object:Gem::Version
21
- version: 1.6.15
19
+ version: '1.6'
22
20
  type: :runtime
23
21
  prerelease: false
24
22
  version_requirements: !ruby/object:Gem::Requirement
25
- none: false
26
23
  requirements:
27
- - - ! '>='
24
+ - - "~>"
28
25
  - !ruby/object:Gem::Version
29
- version: 1.6.15
26
+ version: '1.6'
30
27
  - !ruby/object:Gem::Dependency
31
28
  name: map
32
29
  requirement: !ruby/object:Gem::Requirement
33
- none: false
34
30
  requirements:
35
- - - ! '>='
31
+ - - "~>"
36
32
  - !ruby/object:Gem::Version
37
- version: 6.3.0
33
+ version: '6.3'
38
34
  type: :runtime
39
35
  prerelease: false
40
36
  version_requirements: !ruby/object:Gem::Requirement
41
- none: false
42
37
  requirements:
43
- - - ! '>='
38
+ - - "~>"
44
39
  - !ruby/object:Gem::Version
45
- version: 6.3.0
40
+ version: '6.3'
46
41
  - !ruby/object:Gem::Dependency
47
42
  name: fattr
48
43
  requirement: !ruby/object:Gem::Requirement
49
- none: false
50
44
  requirements:
51
- - - ! '>='
45
+ - - "~>"
52
46
  - !ruby/object:Gem::Version
53
- version: 2.2.1
47
+ version: '2.2'
54
48
  type: :runtime
55
49
  prerelease: false
56
50
  version_requirements: !ruby/object:Gem::Requirement
57
- none: false
58
51
  requirements:
59
- - - ! '>='
52
+ - - "~>"
60
53
  - !ruby/object:Gem::Version
61
- version: 2.2.1
54
+ version: '2.2'
62
55
  - !ruby/object:Gem::Dependency
63
56
  name: coerce
64
57
  requirement: !ruby/object:Gem::Requirement
65
- none: false
66
58
  requirements:
67
- - - ! '>='
59
+ - - "~>"
68
60
  - !ruby/object:Gem::Version
69
61
  version: 0.0.3
70
62
  type: :runtime
71
63
  prerelease: false
72
64
  version_requirements: !ruby/object:Gem::Requirement
73
- none: false
74
65
  requirements:
75
- - - ! '>='
66
+ - - "~>"
76
67
  - !ruby/object:Gem::Version
77
68
  version: 0.0.3
78
69
  - !ruby/object:Gem::Dependency
79
70
  name: main
80
71
  requirement: !ruby/object:Gem::Requirement
81
- none: false
82
72
  requirements:
83
- - - ! '>='
73
+ - - "~>"
84
74
  - !ruby/object:Gem::Version
85
- version: 5.1.1
75
+ version: '6.1'
86
76
  type: :runtime
87
77
  prerelease: false
88
78
  version_requirements: !ruby/object:Gem::Requirement
89
- none: false
90
79
  requirements:
91
- - - ! '>='
80
+ - - "~>"
92
81
  - !ruby/object:Gem::Version
93
- version: 5.1.1
94
- description: ! 'description: sekrets kicks the ass'
82
+ version: '6.1'
83
+ description: sekrets is a command line tool and library used to securely manage encrypted
84
+ files and settings in your rails' applications and git repositories.
95
85
  email: ara.t.howard@gmail.com
96
86
  executables:
97
87
  - sekrets
98
88
  extensions: []
99
89
  extra_rdoc_files: []
100
90
  files:
101
- - README
91
+ - Gemfile
92
+ - Gemfile.lock
93
+ - LICENSE
94
+ - README.md
102
95
  - Rakefile
103
96
  - bin/sekrets
104
97
  - lib/sekrets.rb
@@ -110,28 +103,26 @@ files:
110
103
  - test/sekrets_test.rb
111
104
  homepage: https://github.com/ahoward/sekrets
112
105
  licenses:
113
- - Same as Ruby's
106
+ - BSD-2-Clause
107
+ metadata: {}
114
108
  post_install_message:
115
109
  rdoc_options: []
116
110
  require_paths:
117
111
  - lib
118
112
  required_ruby_version: !ruby/object:Gem::Requirement
119
- none: false
120
113
  requirements:
121
- - - ! '>='
114
+ - - ">="
122
115
  - !ruby/object:Gem::Version
123
- version: '0'
116
+ version: '1.9'
124
117
  required_rubygems_version: !ruby/object:Gem::Requirement
125
- none: false
126
118
  requirements:
127
- - - ! '>='
119
+ - - ">="
128
120
  - !ruby/object:Gem::Version
129
121
  version: '0'
130
122
  requirements: []
131
123
  rubyforge_project: codeforpeople
132
- rubygems_version: 1.8.23.2
124
+ rubygems_version: 2.6.8
133
125
  signing_key:
134
- specification_version: 3
135
- summary: sekrets
126
+ specification_version: 4
127
+ summary: securely manage encrypted files and settings
136
128
  test_files: []
137
- has_rdoc:
data/README DELETED
@@ -1,144 +0,0 @@
1
- NAME
2
- sekrets.rb
3
-
4
- SYNOPSIS
5
- sekrets is a command line tool and library used to securely manage encrypted
6
- files and settings in your rails' applications and git repositories.
7
-
8
- INSTALL
9
- gem install sekrets
10
- gem 'sekrets'
11
-
12
- DESCRIPTION
13
- TL;DR
14
- # create an encrypted config file
15
-
16
- ruby -r yaml -e'puts({:api_key => 1234}.to_yaml)' | sekrets write config/settings.yml.enc --key 42
17
-
18
- # display it
19
-
20
- sekrets read config/settings.yml.enc --key 42
21
-
22
- # edit it
23
-
24
- sekrets edit config/settings.yml.enc --key 42
25
-
26
- # see that it's encrypted
27
-
28
- cat config/settings.yml.enc
29
-
30
- # commit it
31
-
32
- git add config/settings.yml.enc
33
-
34
- # put the decryption key in a file
35
-
36
- echo 42 > .sekrets.key
37
-
38
- # ignore this file in git
39
-
40
- echo .sekrets.key >> .gitignore
41
-
42
- # you now no longer need to provide the --key argument to commands
43
-
44
- sekrets read config/settings.yml.enc
45
-
46
- sekrets edit config/settings.yml.enc
47
-
48
- # make sure this file gets deployed on your server
49
-
50
- echo " require 'sekrets/capistrano' " >> Capfile
51
-
52
- # commit and deploy
53
-
54
- git add config/settings.yml.enc
55
- git commit -am'encrypted settings yo'
56
- git pull && git push && cap staging deploy
57
-
58
- # access these settings in your application code
59
-
60
- settings = Sekrets.settings_for('./config/settings.yml.enc')
61
-
62
- RAILS
63
- gem 'sekrets' # Gemfile
64
-
65
- bundle install
66
-
67
- rake sekrets:generate:key
68
- rake sekrets:generate:editor
69
- rake sekrets:generate:config
70
-
71
- DESCRIPTION
72
- sekrets provides commandline tools and a library to manage and access
73
- encrypted files in your code base.
74
-
75
- it allows one to check encrypted infomation into a repository and to manage
76
- it alongside the rest of the code base. it elimnates the need to check in
77
- unencrypted information, keys, or other sensitive infomation.
78
-
79
- sekrets provides both a general mechanism for managing arbitrary encrypted
80
- files and a specific mechanism for managing encrypted config files.
81
-
82
-
83
- KEY LOOKUP
84
- for *all* operations, from the command line or otherwise, sekrets uses the
85
- following algorithm to search for a decryption key:
86
-
87
- - any key passed directly as a parameter to a library call will be preferred
88
-
89
- - otherwise the code looks for a companion key file. for example, given the
90
- file 'config/sekrets.yml.enc' sekrets will look for a key at
91
-
92
- config/.sekrets.yml.enc.key
93
-
94
- if either of these is found to be non-empty the contents of the file will
95
- be used as the decryption key for that file. you should *never* commit
96
- these key files and also add them to your .gitignore - or similar.
97
-
98
- - next a project key file is looked for. the path of this file is
99
-
100
- ./.sekrets.key
101
-
102
- normally and, in a rails' application
103
-
104
- RAILS_ROOT/.sekrets.key
105
-
106
- - if that is not found sekrets looks for the key in the environment under
107
- the env var
108
-
109
- SEKRETS_KEY
110
-
111
- the env var used is configurable in the library
112
-
113
- - next the global key file is search for, the path of this file is
114
-
115
- ~/.sekrets.key
116
-
117
- - finally, if no key has yet been specified or found, the user is prompted
118
- to input the key. prompt only occurs if the user us attached to a tty.
119
- so, for example, no prompt will hang and application being started in the
120
- background such as a rails' application being managed by passenger.
121
-
122
-
123
- see Sekrets.key_for for more details
124
-
125
- KEY DISTRIBUTION
126
- sekrets does *not* attempt to solve the key distribution problem for you,
127
- with one exception:
128
-
129
- if you are using capistrano to do a 'vanilla' ssh based deploy a simple
130
- recipe is provided which will detect a local keyfile and scp it onto the
131
- remote server(s) on deploy.
132
-
133
- sekrets assumes that the local keyfile, if it exists, is correct.
134
-
135
- in plain english the capistrano recipe does:
136
-
137
- scp ./sekrets.key deploy@remote.host.com:/rails_root/current/sekrets.key
138
-
139
- it goes without saying that the local keyfile should *never* be checked in
140
- and also should be in .gitignore
141
-
142
- distribution of this key among developers is outside the scope of the
143
- library. encrypted email is likely the best mechanism for distribution,
144
- but you've still got to sovle this problem for yourself ;-/