
Just an FYI: this library promotes "bad crypto". I'm not a cryptographer, so you'll see a lot of "maybe"s and "probably"s. The potential problem is that the IV is reused for all values. I'm under the impression that IV reuse can lead to the key being revealed, and the likelihood of such an attack rises with each encrypted value an attacker can observe. ActiveSupport's encryptor supports per-value IVs, but that's probably still not enough, as the values aren't authenticated in any way.
There is an open issue to fix this (#32), but I just haven't had the time. Worse, there will need to be a migration path from the old format to the new one.
If you are using this to store 5-20 passwords, you're probably OK. It's better than nothing in this case.
If you are using this to store a ton of records, you probably should use another encryption method.
This is a collection of encryption libraries intended to encrypt and store passwords outside of source code.
Some advantages of keeping credentials out of source code are:
This project is IN PROGRESS. File bugs and feature requests.
Command line use
Generate key/iv in current directory by default
$ passw3rd -g
generated keys in /Users/user
$ passw3rd -g ~/Desktop/
generated keys in /Users/user/Desktop/
Create a password file
$ passw3rd -e foobar_app
Enter the password:
Wrote password to /Users/neilmatatall/foobar_app
$ passw3rd -e foobar_app -p ~/Desktop/
Enter the password:
Wrote password to /Users/neilmatatall/Desktop/foobar_app
Read a password file
$ passw3rd -d foobar_app
The password is: asdf
$ passw3rd -d foobar_app -p ~/Desktop/
The password is: asdf
Common options per read/write operation
-d, --decrypt PATH_TO_PASSWORD Path to password file
-e, --encrypt PASSWORD_FILE Write the password to this location
-k, --key-dir KEY_PATH Use the keys specified in this directory for encryption or decryption (default is current directory)
-p, --password-dir PATH Read and write password files to this directory (default is current directory)
Only used when generating keys
-g, --generate-key [PATH] generate key/iv and store in PATH, defaults to the current directory
Rotating keys
$ rake rotate_keys[~/passwords,~/passwords,aes-256-cbc]
Ruby on Rails config/database.yml
Example configuration in boot.rb:
ENV['passw3rd-cipher_name'] = 'aes-256-cbc'
if %w{production staging}.include? ENV['RAILS_ENV']
ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
else
ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords', __FILE__)
ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords', __FILE__)
end
Then remove passwords from config files and source code
Before:
development:
adapter: mysql
database: rails_development
username: root
password: my super secret password
After:
development:
adapter: mysql
database: rails_development
username: root
password: <%= Passw3rd::PasswordService.get_password('foobar_app') %>
OpenSSL command line (note that openssl enc reads the -K and -iv values as hex strings)
$ openssl enc -e -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey` -iv `cat ~/.passw3rd-encryptionIV` -in README.md -out test.out
$ openssl enc -d -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey` -iv `cat ~/.passw3rd-encryptionIV` -out README.md -in test.out
License: MIT (see LICENSE file)
Copyright 2010, YELLOWPAGES.COM LLC. Development by Neil Matatall <neil.matatall@gmail.com>
Socket's health check notes that the last passw3rd version was released a year ago and that the project has one open source maintainer.