Project

secret_store

0.0
No commit activity in last 3 years
No release in over 3 years
secret_storebemurphy/secret_storeDocumentationSource CodeBug TrackerWiki
Store secrets for your app in a encrypted in a yaml file.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
12,825
Stars
0
Forks
0
Watchers
1
 Releases
Current version
0.0.4
Total releases
4
First release
2012-08-11
Latest release
2012-08-12
 Issues
Open Issues
1
Closed Issues
1
Total Issues
2
Issue Closure Rate
50%
 Development
Primary Language
Ruby
Average date of last 50 commits
2012-08-12
Reverse Dependencies
0

 Dependencies

Development

rake
>= 0
rspec
>= 0

Runtime

gibberish
>= 0
 Project Readme

SecretStore

Store secrets for your app AES encrypted in a yaml file.

Often when working on a web application, you have the need for storing a variety of API keys or secrets to 3rd party services. However, it's not desireable to check those secrets in as plain text to the code respository. This means that any 3rd party access to your repository provides that info. With SecretStore, parties without knowledge of the master password (this can include your own team members!) will not have direct access to such secrets.

One common way around this is to set such keys in the environment. This is, for example, what Heroku recommends for use on their platform. While it works, it can end up cumbersome, is not easily replicatable, and can require additional restarts in addition to a code deploy depending on the architecture.

Instead, SecretStore encrypts all secrets with one master password, so there's only one key to inject into the environment.

Installation

install it via rubygems:

gem install secret_store

or put it in your Gemfile:

# Gemfile
gem 'secret_store'

Usage

require "secret_store"

secret_store = SecretStore.new("master_password", "/path/to/data.yml")
secret_store.store("some_api_key", "c7dd199")
secret_store.get("some_api_key") # => "c7dd199"
secret_store.get("unknown_key") # => nil
secret_store.get!("unknown_key") # => raises IndexError

secret_store.store("secret", "b123fa") # => stores
secret_store.store("secret", "new_val")  # => raises error
secret_store.store!("secret", "new_val") # => overwrites stored

For a typical application, it could be desirable to define a single SecretStore instance; for example, in a rails initializer.

For a production server with a static set of data, you should initialize a read only SecretStore

secret_store = SecretStore.new_read_only("master_password", "/path/to/data.yml")

This will prevent changing the data and cut back some implementation checks, so reads should be faster.

In development mode, using a normal SecretStore allows you to update store information from the console without restarting the server.

How

SecretStore uses Gibberish under the hood to AES encrypt secrets in a YAML file. Gibbersh currently has only stdlib and core ruby dependencies, so it makes this code easier to read without any extra requirements.

Caveats

SecretStore code is not recommended for high security (ex: PCI compliance required) use. For your Todos webapp, it's fine!

Credits

This was inspired by the passw3rd gem.

Copyright

Copyright (c) (2012) Brendon Murphy. See license.txt for details.