No commit activity in last 3 years
No release in over 3 years
Allows for reading and writing to the ENV in an encrypted way

EncryptedEnv

Allows you to read from and write to the ENV in an encrypted way. This is useful if you are running an app on a server that you do not have complete control over (Heroku). You can place an encryption key in your code, or in the database. You can then place your various API tokens in the ENV encrypted.

If you also use attr_encrypted to encrypt database columns and store the ENV decryption key in an encrypted column, then a hacker would have to get your code, your database, and your running ENV to get your API keys. Not 100% foolproof, but a lot more secure.

Installation

Add this line to your application's Gemfile:

gem 'encrypted_env', :git => 'git@github.com:WaterfallFMS/encrypted_env.git'

And then execute:

$ bundle install

Usage

Decrypting ENV variables (programmatically)

If the gem is in your Gemfile then you can just start using it. Otherwise require 'encrypted_env' should be in your boot script. Also in the boot script, set the default encryption key EncryptedEnv.default_options = {:key => 'default key'}. If you have a different :algorithm you can set that too.

Anywhere you use ENV['KEY'] change it to ENV.decrypt('KEY').

If you decrypt variables using different keys and algorithms, you can pass those in as options to decrypt: ENV.decrypt('KEY', :key => 'other encryption key').

Example:

# rails config/initializers/asset_sync.rb
require 'encrypted_env'

EncryptedEnv.default_options = {:key => 'super secret', :algorithm => 'aes-256-ecb'}

AssetSync.configure do |config|
  config.fog_provider          = 'AWS'
  config.aws_access_key_id     = ENV.decrypt('AWS_ACCESS_KEY')
  config.aws_secret_access_key = ENV.decrypt('AWS_SECRET_ACCESS_KEY')
  config.fog_directory         = ENV.decrypt('AWS_DIRECTORY')
end

Decrypting ENV Variables (from shell)

encrypt_env actually has a decrypt option as well. It will only read values in the ENV.

$ encrypted_env decrypt key -k ENCRYPTION_KEY
key: value

Full flow might be something like this.

$ encrypted_env bash KEY=test OTHER=good -k FOOBAR > output.txt ; source output.txt
$ encrypted_env decrypt KEY OTHER -k foobar
# Encryption is case sensitive, hence no output
$ encrypted_env decrypt KEY OTHER -k FOOBAR
KEY: test
OTHER: good

Encrypting ENV Variables

Ruby provides no way to write environment variables without some serious hacks. However, ENV is often used to pass information into a Ruby program at start (RAILS_ENV for example). Often this will include API keys, so that they do not have to be stored in source or on the hard drive.

encrypt_env prints assignment commands that can be used to set up an ENV with the data already encrypted.

Bash

Bash is the default output.

Print something that bash will understand.

$ encrypted_env bash var=value var1="value1" etc...

Why not just set the ENV from it?

$ encrypt_env bash var=value > output.txt ; source output.txt

Heroku

Print something that Heroku will understand.

$ encrypted_env heroku var=value var1="value1" etc...

If you already have heroku installed, why not just execute it directly.

$ `encrypt_env heroku var=value`

If you have more than one Heroku app for the repo, you can specify it with -r.

$ `encrypt_env heroku -r staging var=value`

Custom Algorithms

Run openssl list-cipher-commands to view a list of algorithms supported on your platform. See http://github.com/shuber/encryptor for more information.

aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
cast
cast-cbc
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
des
des-cbc
des-cfb
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ofb
des3
desx
idea
idea-cbc
idea-cfb
idea-ecb
idea-ofb
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
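
What the choice of :algorithm means for short secrets such as API tokens, as an added example that is not part of the original README or the gem's code: it calls Ruby's OpenSSL directly and compares the aes-256-ecb mode used in the example above with aes-256-gcm. The key, the tokens and all helper names are constructed for the demonstration, and the page does not say whether the gem's :algorithm option accepts an authenticated mode.

```ruby
require 'openssl'

# Constructed sample data (not from the gem): a 32-byte key derived with
# SHA-256 for the demo, and two tokens sharing their first 16 bytes (one AES block).
KEY     = OpenSSL::Digest::SHA256.digest('super secret')
TOKEN_A = 'AKIAEXAMPLEPREFIX-account-one'
TOKEN_B = 'AKIAEXAMPLEPREFIX-account-two'

# ECB: no IV; every 16-byte block is encrypted independently of the others.
def ecb_encrypt(plaintext, key)
  cipher = OpenSSL::Cipher.new('aes-256-ecb')
  cipher.encrypt
  cipher.key = key
  cipher.update(plaintext) + cipher.final
end

# GCM: fresh random nonce per value plus an authentication tag.
def gcm_encrypt(plaintext, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ct = cipher.update(plaintext) + cipher.final
  { iv: iv, ct: ct, tag: cipher.auth_tag }
end

# Raises OpenSSL::Cipher::CipherError if the ciphertext or tag was modified.
def gcm_decrypt(box, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = box[:iv]
  cipher.auth_tag = box[:tag]
  cipher.auth_data = ''
  cipher.update(box[:ct]) + cipher.final
end

# True when two ciphertexts start with the same 16-byte block.
def same_first_block?(a, b)
  a.byteslice(0, 16) == b.byteslice(0, 16)
end

if __FILE__ == $PROGRAM_NAME
  puts "ECB leaks shared prefix: #{same_first_block?(ecb_encrypt(TOKEN_A, KEY), ecb_encrypt(TOKEN_B, KEY))}"
  puts "GCM leaks shared prefix: #{same_first_block?(gcm_encrypt(TOKEN_A, KEY)[:ct], gcm_encrypt(TOKEN_B, KEY)[:ct])}"
end
```

With ECB, anyone who can read the ENV can tell which encrypted values are identical or share a leading block, and nothing detects a modified value; the GCM variant must store the nonce and tag alongside each ciphertext.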

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request