{"id":17598952,"url":"https://github.com/pik-9/schluessel","last_synced_at":"2026-02-24T00:04:31.914Z","repository":{"id":37691150,"uuid":"238816391","full_name":"Pik-9/schluessel","owner":"Pik-9","description":"Node.js package for storing application credentials (API keys, database passwords, etc.) encrypted in your repository.","archived":false,"fork":false,"pushed_at":"2023-07-18T21:01:06.000Z","size":281,"stargazers_count":30,"open_issues_count":3,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-18T21:31:21.846Z","etag":null,"topics":["credentials","database-passwords","keyfile","rails","vault"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Pik-9.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-07T00:56:40.000Z","updated_at":"2025-03-17T16:28:42.000Z","dependencies_parsed_at":"2024-10-22T15:23:55.028Z","dependency_job_id":null,"html_url":"https://github.com/Pik-9/schluessel","commit_stats":{"total_commits":52,"total_committers":2,"mean_commits":26.0,"dds":"0.038461538461538436","last_synced_commit":"9cfe3a9f4cf3303c3faf78849ea12c6ac8b96ad5"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pik-9%2Fschluessel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pik-9%2Fschluessel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pik-9%2Fschluessel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Pik-9%2Fschluessel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Pik-9","download_url":"https://codeload.github.com/Pik-9/schluessel/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251653666,"owners_count":21622170,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credentials","database-passwords","keyfile","rails","vault"],"created_at":"2024-10-22T10:08:26.276Z","updated_at":"2026-02-24T00:04:31.870Z","avatar_url":"https://github.com/Pik-9.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# schluessel\n![Node.js CI](https://github.com/Pik-9/schluessel/workflows/Node.js%20CI/badge.svg?branch=master\u0026event=push)\n![npm](https://img.shields.io/npm/v/schluessel)\n![GitHub](https://img.shields.io/github/license/Pik-9/schluessel)  \n\nNode.js package for storing application credentials (API keys, database passwords, etc.) encrypted in your repository.\n\n## Introduction\nIn complex applications you often have several credentials like database passwords, API keys, etc. you need to store\nsomehow without accidentally checking them into your git repo or publishing them with your npm package.  \nThe popular framework _Ruby on Rails_ has a\n[very neat solution](https://medium.com/craft-academy/encrypted-credentials-in-ruby-on-rails-9db1f36d8570)\nfor this dilemma:\nThe credentials get enciphered and written to a file that can be checked into the repository.\nIn order for the application to access them, you need to hand over the master key to decipher them.\n\n### Where does the name come from?\n\"Schlüssel\" is the German  word for **key(s)**. _The singular and plural forms are identical here_.  \n:de: :key:\n\n## How it works\n`schluessel` will store your credentials in a JSON formatted file and create a respective keyfile\nfor every environment (`NODE_ENV`).\nIt is safe to check in your credentials file (`credentials.\u003cNODE_ENV\u003e.json.enc`) into your\nversion control, but make sure to **never publish** the key file!  \nThe default environment - if not specified otherwise - is _development_.\n\n### Install `schluessel`\nJust install `schluessel` by typing from your project root directory:\n```bash\nnpm install --save schluessel\n```\n\n### Accessing the credentials\nCredentials are stored in JSON format.\nLet's assume you have the following credentials:\n```json\n{\n  \"_description\": \"Put your credentials here...\",\n  \"database\": {\n    \"username\": \"admin\",\n    \"password\": \"topsecret\"\n  }\n}\n```\n\n#### CommonJS\nFrom within your application do:\n```javascript\nconst myCredentials = require('schluessel');\n\n// myCredentials will be the object you defined above in JSON format.\nconst dbConnection = connectToDatabase(\n  myCredentials.database.username,\n  myCredentials.database.password\n);\n```\n\n#### ECMA Modules\nFrom within your application do:\n```javascript\nimport myCredentials from 'schluessel';\n\n// myCredentials will be the object you defined above in JSON format.\nconst dbConnection = connectToDatabase(\n  myCredentials.database.username,\n  myCredentials.database.password\n);\n```\n\n#### TypeScript\nIn a [TypeScript](https://www.typescriptlang.org/) project you need to install `@types/schluessel` first:\n```bash\nnpm install --save-dev @types/schluessel\n```\n\nThen you can access your credentials like this:\n```typescript\nimport myCredentials = require('schluessel');\n```\nThe resulting object `myCredentials` is of type `any` since it's structure is completely up to you\nand cannot be predicted.\n\n\nThat's it! :sparkles:\n\n### Creating a vault and key file\n`schluessel` has a CLI that can be invoked with `npx`:\n```bash\nnpx schluessel new\n```\nThis will create a new vault and keyfile in your project root directory for the _development_ environment.  \n\n**ATTENTION: It is important to `cd /path/to/your/project/root` before you execute the code above!**\nThe CLI script cannot determine your project root on its own, so it's just using the _current working directory_.\n\nThis command will also add the line `credentials.*.key` to your `.gitignore` (and `.npmignore` if it exists)\nto make sure that you really will never check in the keyfile.\n\n### Editing the credentials\nJust type:\n```bash\nnpx schluessel edit\n```\nThis will decipher the vault file and let you edit it with your favorite text editor.\nIt will be enciphered again as soon as you close the editor.\n\n## Security considerations\nThe encryption algorithm used is AES with a 256 bit key in [Galois/Counter Mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).\n\n### Environments\nYou often have totally different credentials during development, testing and the final deployment.\nYou can (and should) create a credentials and key file pair for every single node environment you're about\nto use. The default is _development_.\n\nIf you want to create a vault and key file for another environment, just do:\n```bash\nNODE_ENV=\u003cyour environment\u003e npx schluessel new\n```\n\nAnd respectively to edit the credentials:\n```bash\nNODE_ENV=\u003cyour environment\u003e npx schluessel edit\n```\n\n### Key handling\nI cannot stress enough how crucial it is that you never upload the key file anywhere.\nFor deploying I would recommend creating a separate `NODE_ENV` (e.g. `production`) and place the key file for\nthis environment (and only for this one) on your server manually.  \nIf you cannot or don't want to place a file on your server, you can also _pass it via an environment variable_:\n```bash\nNODE_ENV=\u003cyour environment\u003e NODE_MASTER_KEY=\"mqkMGRLfY+GwjnlXOlIzJw+tlip/SBny/QOlDHQltEM=\" node my_awesome_app.js\n```\n:four_leaf_clover:\n\nThis should be obvious, but if you loose your key file, the respective credentials will be lost forever! :fire:\n\nNote: All binary data is encoded in _base64_.\n\n### Changing IVs\nEvery time you edit the credentials, a new _Initialisation Vector_ will be used resulting in completely differnt\nciphertexts even for very small changes. This will prevent attackers from searching for patterns in your\n`credentials.\u003cNODE_ENV\u003e.json.enc` across several save states.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpik-9%2Fschluessel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpik-9%2Fschluessel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpik-9%2Fschluessel/lists"}