{"id":18140853,"url":"https://github.com/gui/secret_keys_rails","last_synced_at":"2025-07-21T06:33:22.122Z","repository":{"id":42153646,"uuid":"262929329","full_name":"GUI/secret_keys_rails","owner":"GUI","description":"Git-friendly encrypted secrets for Rails.","archived":false,"fork":false,"pushed_at":"2022-12-14T11:34:31.000Z","size":57,"stargazers_count":2,"open_issues_count":6,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-06T11:49:53.581Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GUI.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-05-11T03:28:47.000Z","updated_at":"2020-09-11T20:27:40.000Z","dependencies_parsed_at":"2023-01-28T22:45:40.442Z","dependency_job_id":null,"html_url":"https://github.com/GUI/secret_keys_rails","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/GUI/secret_keys_rails","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GUI%2Fsecret_keys_rails","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GUI%2Fsecret_keys_rails/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GUI%2Fsecret_keys_rails/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GUI%2Fsecret_keys_rails/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GUI","download_url":"https://codeload.github.com/GUI/secret_keys_rails/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GUI%2Fsecret_keys_rails/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266253702,"owners_count":23900054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-01T16:07:08.996Z","updated_at":"2025-07-21T06:33:17.115Z","avatar_url":"https://github.com/GUI.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecretKeysRails\n\n[![CI](https://github.com/GUI/secret_keys_rails/workflows/CI/badge.svg)](https://github.com/GUI/secret_keys_rails/actions?workflow=CI)\n\nAn alternative to Rails encrypted credentials that uses the [SecretKeys](https://github.com/bdurand/secret_keys) library. The primary difference this offers versus the default Rails encrypted credentials strategy is that this uses an encrypted file format that only encrypts the values of the file (the hash keys are unencrypted). This allows for easier git diffs/merges while still keeping the secret values encrypted (but the overall structure of the file will not be encrypted). This gem provides some convenience wrappers on top of the SecretKeys library for integration with Rails applications.\n\nAs an example, the encrypted version of:\n\n```yml\nfoo: bar\nbaz: qux\n```\n\nMight be encrypted as:\n\n```yml\n\".encrypted\":\n  \".salt\": 82acce8beeeb422f\n  \".key\": \"$AES$:AJedc/6fDmjRHyh8Ln3K5y/WDzmbQVAsPWkDOFMLpaERVpKPS4I\"\n  foo: \"$AES$:d3mPCOkdfcWAD6BJGjvZT00BtKqAtLVKNvrlE191qg\"\n  baz: \"$AES$:t05Yel2BwiacEnsIXnnVoqTyXLsXU6oWZbSG7kOIDQ\"\n```\n\n## Installation\n\nAdd this line to your application's Gemfile:\n\n```ruby\ngem \"secret_keys_rails\"\n```\n\nAnd then execute:\n\n```\nbundle install\n```\n\n## Usage\n\n### Creating or Editing Secrets\n\nTo open an interactive editor to create or edit the default encrypted `config/secret_keys.yml` file:\n\n```\nrake secret_keys:edit\n```\n\nAll string values you enter will be encrypted after saving and closing this editing session.\n\nIf editing the file for the first time, an encryption key will be generated for you and saved to `config/secret_keys.yml.key`. This encryption key should be kept private and only shared to users that need to decrypt the encrypted values.\n\n### Showing Secrets\n\nTo view all the encrypted secrets in unencrypted form for the default `config/secret_keys.yml` file:\n\n```\nrake secret_keys:show\n```\n\n### Using Secrets\n\nUnencrypted secrets are available in your application via the `SecretKeysRails.secrets` hash. This hash is an instance of [`ActiveSupport::HashWithIndifferentAccess`](https://api.rubyonrails.org/classes/ActiveSupport/HashWithIndifferentAccess.html), so keys can be accessed as either symbols or strings.\n\n```ruby\n# Symbol or strings can be used for accessing keys.\nSecretKeysRails.secrets[:some_api_key]\nSecretKeysRails.secrets[\"some_api_key\"]\n\n# Use fetch to raise an error if the key isn't present.\nSecretKeysRails.secrets.fetch(:some_api_key)\n\n# Other standard Hash methods can be used for access, lig dig.\nSecretKeysRails.secrets.dig(:some_api_key)\n```\n\n### Encryption Key\n\nIn order to decrypt the secrets, the encryption key must be set. The encryption key may either be stored in the `config/secret_keys.yml.key` file or set in the `SECRET_KEYS_ENCRYPTION_KEY` environment variable.\n\nBy default, if the encryption key is not set, then `SecretKeysRails.secrets` will return an empty hash. If you want to require the encryption key be set, then you can change the [`SecretKeysRails.require_encryption_key`](#secretkeysrailsrequire_encryption_key) setting to raise an error if the encryption key is not set.\n\n### Environment Specific Secrets\n\nThe commands support passing an `--environment` option to create an environment specific override. That override will take precedence over the global `config/secret_keys.yml` file when running in that environment. So:\n\n```\nrake secret_keys:edit -- --environment development\n```\n\nwill create `config/secret_keys/development.yml` with the corresponding encryption key in `config/secret_keys/development.yml.key` if the credentials file doesn't exist.\n\nThe encryption key can also be put in `ENV[\"SECRET_KEYS_ENCRYPTION_KEY\"]`, which takes precedence over the file encryption key.\n\nIn addition to that, the default credentials lookup paths can be overridden through the [`SecretKeysRails.secrets_path`](#secretkeysrailssecrets_path) and [`SecretKeysRails.key_path`](#secretkeysrailskey_path) settings.\n\n## Configuration\n\nYou may adjust RailsSecretKeys configuration by adding a `config/initializers/secret_keys_rails.rb` file with setting changes. Note that the initializer must exist at this path to be properly loaded (this ensures that RailsSecretKeys is available early on in the Rails load process, so other parts of Rails and other gems can integrate with it).\n\n#### `SecretKeysRails.require_encryption_key`\n\nRaise an error if the encryption key isn't set.\n\n```ruby\nSecretKeysRails.require_encryption_key = true # Defaults to `false`\n```\n\n#### `SecretKeysRails.secrets_path`\n\nSet a custom path to the secret keys encrypted file.\n\n```ruby\nSecretKeysRails.secret_path = \"config/my_keys.yml\" # Defaults to `config/secret_keys/\u003cENV\u003e.yml` or `config/secret_keys.yml`\n```\n\n#### `SecretKeysRails.key_path`\n\nSet a custom path to the encryption key path.\n\n```ruby\nSecretKeysRails.key_path = \"config/my_keys.yml.key\" # Defaults to `config/secret_keys/\u003cENV\u003e.yml.key` or `config/secret_keys.yml.key`\n```\n\n## Design\n\nThe underlying [SecretKeys](https://github.com/bdurand/secret_keys) library is more flexible in a few ways. This gem is slightly more opinionated for integration with Rails, and we attempt to more closely match the behavior of the default Rails encrypted credentials experience. The primary differences are:\n\n- The secret keys files are always stored as YAML.\n- The secret keys files exist at specific paths (`config/secret_keys.yml` or `config/secrets_keys/\u003cENV\u003e.yml`).\n- The encryption key can be read from a specific path (`config/secret_keys.yml.key` or `config/secrets_keys/\u003cENV\u003e.yml.key`).\n- All values in the file will be encrypted.\n- An interactive edit command is supplied for editing the decrypted file.\n- Keys are returned as a deeply frozen `ActiveSupport::HashWithIndifferentAccess`.\n\n## Known Limitations\n\n- Only string values will be encrypted. Numbers, booleans, and null values will not be encrypted.\n- Comments in the YAML file will be stripped.\n\n## Development\n\nAfter checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.\n\nTo install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at https://github.com/GUI/secret_keys_rails.\n\n## License\n\nThe gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgui%2Fsecret_keys_rails","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgui%2Fsecret_keys_rails","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgui%2Fsecret_keys_rails/lists"}