{"id":22218569,"url":"https://github.com/megahertz/secrypt","last_synced_at":"2026-01-05T04:55:21.239Z","repository":{"id":245253183,"uuid":"817800683","full_name":"megahertz/secrypt","owner":"megahertz","description":"Tool for keeping repository secrets encrypted","archived":false,"fork":false,"pushed_at":"2024-07-18T11:31:47.000Z","size":76,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-16T19:55:25.567Z","etag":null,"topics":["credentials","decrypt","encrypt","environment","javascript","nodejs","repository","secrets"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/megahertz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-20T13:18:18.000Z","updated_at":"2024-07-18T11:31:48.000Z","dependencies_parsed_at":"2024-06-20T23:17:34.615Z","dependency_job_id":"bee76895-8f70-43ac-8e0c-ed6341952e32","html_url":"https://github.com/megahertz/secrypt","commit_stats":null,"previous_names":["megahertz/secrypt"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/megahertz%2Fsecrypt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/megahertz%2Fsecrypt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/megahertz%2Fsecrypt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/megahertz%2Fsecrypt/manifests","owner_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/owners/megahertz","download_url":"https://codeload.github.com/megahertz/secrypt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245052649,"owners_count":20553162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credentials","decrypt","encrypt","environment","javascript","nodejs","repository","secrets"],"created_at":"2024-12-02T22:27:10.178Z","updated_at":"2026-01-05T04:55:21.234Z","avatar_url":"https://github.com/megahertz.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secrypt\n[![Tests](https://github.com/megahertz/secrypt/workflows/Tests/badge.svg)](https://github.com/megahertz/secrypt/actions?query=workflow%3ATests)\n[![npm version](https://img.shields.io/npm/v/secrypt?color=brightgreen)](https://www.npmjs.com/package/secrypt)\n\nSecrypt is a tiny tool for keeping repository secrets encrypted. \nIt is designed to be fast, easy to use and highly secure.\n\nKey features:\n\n- Encrypted data is saved close to the original file with `.enc` extension.\n- AES-256-CBC is used for encryption and PBKDF2 SHA-512 to derive the encryption \n  key\n- Pretty small, a bit less than 400 lines of code. So it can be analyzed easily.\n- It can be used as a standalone \n  [script](https://raw.githubusercontent.com/megahertz/secrypt/master/src/index.js)\n  . 
It's helpful when you don't trust a third-party package to manage your\n  secrets.\n- No dependencies\n- Supports multiple environments with different secret keys.\n- Notifies when local secrets are outdated (encrypted secrets changed remotely)\n\nIs it safe to keep encrypted credentials in the git repository? Well, this is a\nwidely used approach at least in Ruby on Rails and in Fastlane.\n\n## Installation\n\n`npm install -D secrypt`\n\n## Usage\n\n### TLDR\n\n```\nsecrypt init\necho '{ \"files\": { \"dev\": [\"secrets.json\"] } }' \u003e secrypt.config.json\nsecrypt encrypt\n\necho secrypt.keys \u003e\u003e .gitignore\necho secrets.json \u003e\u003e .gitignore\ngit add .gitignore secrypt.config.json secrets.json.enc\ngit commit -m 'chore: Add encrypted secrets'\n```\n\n### Explanation\n\n1. Run `secrypt init` command that creates two files:\n- default `secrypt.config.json` config\n- a random key for the dev (default) environment in the `secrypt.keys` file.\n\n2. Add your secret file list to the `secrypt.config.json`:\n\n```json\n{\n  \"files\": {\n    \"dev\": [\"secrets.json\"]\n  }\n}\n```\n\n3. 
Run `secrypt encrypt` to encrypt all files from the list.\n\nRemember to add `secrypt.keys` and `secrets.json` to `.gitignore`.\n\nTo decrypt secrets, just run `secrypt decrypt`.\n\nBy default, a secret key is stored in the `secrypt.keys` file, but it can also\nbe passed using the `SECRYPT_KEY` environment variable.\n\n## CLI usage\n\n```sh\nUsage: secrypt COMMAND [options]\n\nCommands:\n  encrypt [...ONLY_THESE_FILES]\n  decrypt [...ONLY_THESE_FILES]\n  init\n  keys-regenerate\n  keys-set\n\n\nOptions:\n  -c, --config PATH      Config file path (default: secrypt.config.json)\n  -e, --environment ENV  Environment name (default: dev)\n  -p, --prefix PATH      Change current working directory\n\nEnvironment variables:\n  SECRYPT_KEY    Key for encryption/decryption for the current environment\n  SECRYPT_PREFIX Change current working directory\n  NODE_ENV       Environment name\n```\n\n## Configuration\n\nA config can be stored in `secrypt.config.json`, `secrypt.config.js` or in the\n`secrypt` section of `package.json`. Also, you can specify a path to the config\nusing the `--config` command line option. Simple options like `keyFile` or \n`revisionFile` can be passed as command line options.\n\n```json\n{\n  \"files\": {\n    \"dev\": [\".env.dev\"],\n    \"prod\": [\".env.prod\"]\n  }\n}\n```\n\n### Config options\n\n- `environment: string` - a name of the environment. By default, it is `dev`.\n- `files: Record\u003cstring, string[]\u003e` - a list of files to encrypt/decrypt\n- `keyFile: string` - a path to a file with secret keys. By default, it is\n  `secrypt.keys`.\n- `keys: Record\u003cstring, string\u003e` - secret keys to use for \n  encryption/decryption. Not recommended to use in the config file.\n  Use `SECRYPT_KEY` environment variable instead.\n- `revisionFile: string` - a path to a file with a revision number. By default,\n  it is disabled. When it's defined, this file will be updated with the current\n  revision number after encryption. 
Next, `secrypt revision-check` checks\n  whether local unencrypted files should be updated.\n- `prefix: string` - a path to a directory where the secrets should be stored.\n  By default, it is the current working directory.\n\n### Override default behavior\n- `decryptFn: (file: SecryptFile) =\u003e Promise\u003cvoid\u003e` - it could be used to\n  decrypt a file in a custom way.\n\n  Example:\n  ```js\n  async function decryptFn({ decrypted, encrypted, key }) {\n    await mycryptlib.decrypt(encrypted.full, decrypted.full, key);\n  }\n  ```\n- `encryptFn: (file: SecryptFile) =\u003e Promise\u003cvoid\u003e` - it could be used to\n  encrypt a file in a custom way.\n\n  Example:\n  ```js\n  async function encryptFn({ decrypted, encrypted, key }) {\n    await mycryptlib.encrypt(decrypted.full, encrypted.full, key);\n  }\n  ```\n\n- `getFileListFn: (config: SecryptConfig) =\u003e Promise\u003cSecryptFile[]\u003e` - return a\n  list of files which should be encrypted.\n\n  Example:\n  ```js\n  // Assumes path (node:path) and a promise-returning glob are in scope.\n  async function getFileListFn(config) {\n    const env = config.environment === 'all' ? 'dev' : config.environment;\n    const files = await glob('secrets/*.yml');\n    return files.map((rel) =\u003e ({\n      decrypted: { full: path.resolve(rel), rel },\n      encrypted: { full: path.resolve(`${rel}.enc`), rel: `${rel}.enc` },\n      key: config.keys[env],\n    }));\n  }\n  ```\n\n- `resolveEncryptedPathFn: (filePath: string) =\u003e string` - it could be used to\n  resolve a path to an encrypted file. By default, it adds `.enc` extension.\n\n  Example:\n  ```js\n  function resolveEncryptedPathFn(filePath) {\n    return filePath + '.enc';\n  }\n  ```\n\n## License\n\nLicensed under MIT.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmegahertz%2Fsecrypt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmegahertz%2Fsecrypt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmegahertz%2Fsecrypt/lists"}