@drawohara
published on: 2013-02-21

ref: https://github.com/ahoward/sekrets


NAME
  sekrets.rb

SYNOPSIS
  sekrets is a command line tool and library used to securely manage encrypted
  files and settings in your rails' applications and git repositories.

INSTALL
  gem install sekrets
  gem 'sekrets'

DESCRIPTION
  TL;DR
    # create an encrypted config file
    
      ruby -r yaml -e'puts({:api_key => 1234}.to_yaml)' | sekrets write config/settings.yml.enc --key 42

    # display it

      sekrets read config/settings.yml.enc --key 42

    # edit it

      sekrets edit config/settings.yml.enc --key 42

    # see that it's encrypted

      cat config/settings.yml.enc

    # commit it

      git add config/settings.yml.enc

    # put the decryption key in a file
      
      echo 42 > .sekrets.key

    # ignore this file in git

      echo .sekrets.key >> .gitgnore

    # you now no longer need to provide the --key argument to commands

      sekrets read config/settings.yml.enc

      sekrets edit config/settings.yml.enc

    # make sure this file gets deployed on your server

      echo " require 'sekrets/capistrano' " >> Capfile

    # commit and deploy

      git add config/settings.yml.enc
      git commit -am'encrypted settings yo'
      git pull && git push && cap staging deploy

    # access these settings in your application code

      settings = Sekrets.settings_for('./config/settings.yml.enc')
      

  DESCRIPTION
    sekrets provides commandline tools and a library to manage and access
    encrypted files in your code base.

    it allows one to check encrypted infomation into a repository and to manage
    it alongside the rest of the code base.  it elimnates the need to check in
    unencrypted information, keys, or other sensitive infomation.

    sekrets provides both a general mechanism for managing arbitrary encrypted
    files and a specific mechanism for managing encrypted config files.


  KEY LOOKUP
    for *all* operations, from the command line or otherwise, sekrets uses the
    following algorithm to search for a decryption key:

    - any key passed directly as a parameter to a library call will be preferred

    - otherwise the code looks for a companion key file.  for example, given the
      file 'config/sekrets.yml.enc' sekrets will look for a key at
      
        config/.sekrets.yml.enc.key
        
      if either of these is found to be non-empty the contents of the file will
      be used as the decryption key for that file.  you should *never* commit
      these key files and also add them to your .gitignore - or similar.

    - next a project key file is looked for.  the path of this file is
      
        ./.sekrets.key
        
      normally and, in a rails' application

        RAILS_ROOT/.sekrets.key

    - if that is not found sekrets looks for the key in the environment under
      the env var

        SEKRETS_KEY

      the env var used is configurable in the library

    - next the global key file is search for, the path of this file is

        ~/.sekrets.key

    - finally, if no key has yet been specified or found, the user is prompted
      to input the key.  prompt only occurs if the user us attached to a tty.
      so, for example, no prompt will hang and application being started in the
      background such as a rails' application being managed by passenger.
   

    see Sekrets.key_for for more details

  KEY DISTRIBUTION
    sekrets does *not* attempt to solve the key distribution problem for you,
    with one exception:
    
    if you are using capistrano to do a 'vanilla' ssh based deploy a simple
    recipe is provided which will detect a local keyfile and scp it onto the
    remote server(s) on deploy.

    sekrets assumes that the local keyfile, if it exists, is correct.

    in plain english the capistrano recipe does:

      scp ./sekrets.key deploy@remote.host.com:/rails_root/current/sekrets.key

    it goes without saying that the local keyfile should *never* be checked in
    and also should be in .gitignore

    distribution of this key among developers is outside the scope of the
    library.  likely unencrypted email is the best mechanism for distribution
    ;-/