SecretBroker
See the usage section for more details
Installation
Add this line to your application's Gemfile:
gem 'secret_broker'
And then execute:
$ bundle
Or install it yourself as:
$ gem install secret_broker
After installing the gem you can run the installation rake task which sets up
staging and production ejson files with public keys. Command:
$ bundle exec rake secret_broker:install_secrets
Working with Secrets/Usage
Overview
We use EJSON to store secrets for remote environments in the git repo.
EJSON encrypts secrets so they
are not stored in plaintext. EJSON files are stored in
config/secrets/environment.ejson
. EJSON is only used in remote environments.
Secrets from EJSON are decrypted when the app boots.
Accessing Secrets in the Application
All application secrets should come from Rails.application.secrets.secret_key
which is loaded from config/secrets/yml
. Since
Rails.application.secrets.secret_key
is cumbersome to write, you can also
write Secrets.secret_key
.
Modifying Secrets
Local Environment
Open up config/secrets.yml
and change the secret you want to change.
Remote Environment
Open up the EJSON file for the environment you want to change the secret for.
Find the key for the secret you want to change. Replace the encrypted value
with the plaintext value. Run ejson encrypt environment.ejson
. Then add and
commit the file.
Example scenario: I want to change the production database password.
Open config/secrets/production.ejson
. It looks like:
{
"_public_key": "some_value",
"some_secret_key: "ENCRYPTED_VALUE",
"database_password": "ENCRYPTED_OLD_PASSWORD",
"some_other_secret_key: "ENCRYPTED_VALUE"
}
Modify the file with the new password. It looks like:
{
"_public_key": "some_value",
"some_secret_key: "ENCRYPTED_VALUE",
"database_password": "new_plaintext_pa$$w0rd",
"some_other_secret_key: "ENCRYPTED_VALUE"
}
Run ejson encrypt production.ejson
. It looks like:
{
"_public_key": "some_value",
"some_secret_key: "ENCRYPTED_VALUE",
"database_password": "ENCRYPTED_NEW_PASSWORD",
"some_other_secret_key: "ENCRYPTED_VALUE"
}
Run git add config/secrets/production.ejson && git commit -m "Updated production database password
.
References
EJSON gem on Github
Development
After checking out the repo, run bin/setup
to install dependencies. Then, run rake spec
to run the tests. You can also run bin/console
for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in version.rb
, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and tags, and push the .gem
file to rubygems.org.