{"id":16681454,"url":"https://github.com/printercu/secure_credentials","last_synced_at":"2025-03-21T18:32:38.822Z","repository":{"id":56904195,"uuid":"135568225","full_name":"printercu/secure_credentials","owner":"printercu","description":"Rails credentials without security issues. With environments support.","archived":false,"fork":false,"pushed_at":"2019-12-11T06:37:23.000Z","size":23,"stargazers_count":28,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-04-24T19:11:47.665Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/printercu.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-31T10:20:14.000Z","updated_at":"2019-12-24T18:42:21.000Z","dependencies_parsed_at":"2022-08-21T02:50:16.153Z","dependency_job_id":null,"html_url":"https://github.com/printercu/secure_credentials","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/printercu%2Fsecure_credentials","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/printercu%2Fsecure_credentials/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/printercu%2Fsecure_credentials/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/printercu%2Fsecure_credentials/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/printercu","download_url":"https://codeload.github.com/printercu/secure_credentials/tar.gz/refs/
heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244849011,"owners_count":20520626,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-12T14:04:16.296Z","updated_at":"2025-03-21T18:32:38.546Z","avatar_url":"https://github.com/printercu.png","language":"Ruby","readme":"# SecureCredentials\n\n[![Gem Version](https://badge.fury.io/rb/secure_credentials.svg)](http://badge.fury.io/rb/secure_credentials)\n[![Code Climate](https://codeclimate.com/github/printercu/secure_credentials/badges/gpa.svg)](https://codeclimate.com/github/printercu/secure_credentials)\n[![Build Status](https://travis-ci.org/printercu/secure_credentials.svg)](https://travis-ci.org/printercu/secure_credentials)\n\n## Rationale\n\nRails 5.2 brings the good idea of storing encrypted credentials in the repo:\ncredentials are securely tracked in version control, there is less chance of facing an issue\nduring deployment, etc. However, there are several drawbacks in the current implementation:\n\n- It's hard to manage environment-specific credentials.\n  For example, to use different browser API keys in development and production,\n  where one is whitelisted for `localhost` and the other one for the app's domain.\n- In most cases it's required to share `master.key` with every developer.\n  This is not acceptable for a lot of teams, and the framework must serve their needs too.\n\nThere are a couple of ways to work around these issues, but all of them bring\nunnecessary complexity. 
This gem takes the best from the new encrypted credentials (`credentials.yml.enc`)\nand multi-environment secrets (`secrets.yml`). It allows using a combination\nof encrypted and plain files for the same configuration in different environments.\nFor example, having an encrypted `credentials.production.yml.enc` for production\nand a multi-environment `credentials.yml` for all other environments.\n\nThere are some other issues caused by storing `master.key` in the local repo.\nSee this wiki page for details:\u003cbr\u003e\n[Rails 5.2 credentials are not secure](https://github.com/printercu/secure_credentials/wiki/Rails-5.2-credentials-are-not-secure).\n\n## Installation\n\nAdd this line to your application's Gemfile:\n\n```ruby\ngem 'secure_credentials'\n```\n\nAnd then execute:\n\n    $ bundle\n\n## Usage\n\nBy default this gem patches Rails::Application to make `#credentials`, `#secrets` and `#encrypted`\nuse a Rails-compatible wrapper around SecureCredentials::Store.\n\nSecureCredentials::Store provides read-write access to YAML configuration files. It supports:\n\n  - both encrypted and plain files,\n  - both file-per-environment and multi-environment files.\n\nIt takes the base path of a configuration file (for example, `config/secrets`)\nand an environment value. 
Then it tries to find the most appropriate file\nfor this configuration in the following order:\n\n    \"#{base}.#{env}.yml.enc\"\n    \"#{base}.#{env}.yml\"\n    \"#{base}.yml.enc\"\n    \"#{base}.yml\"\n\nIf an environment-specific file is present, its whole content is returned.\nOtherwise `env` is used to fetch the appropriate section.\n\nThe key for decrypting encrypted files can be passed:\n\n  - in the `key` argument;\n  - in the environment variable identified by `env_key`, which defaults to the upcased basename with `_KEY` appended\n    (e.g., `SECRETS_KEY`);\n  - in the file found at `key_path`,\n    which by default takes the filename and replaces `.yml.enc` with `.key`\n    (`secrets.production.key` for `secrets.production.yml.enc`);\n  - `SecureCredentials.master_key`, which is read from `config/master.key` in Rails apps.\n\nTo edit encrypted files use `rails encrypted:edit path/to/file.yml.enc -k path/to/key.key`.\nMissing `.key` and `.yml` files are automatically created when you edit them for the first time.\n\n## Best practices\n\n- __Don't keep master.key in local working directory!__\n\n  It's like a PIN code written on the back of a credit card.\n  Keep it in a secure place and use it when you need to modify credentials.\n\n- Don't share production credentials with those team members who don't need to access them.\n\n  Secrets get less secret every time they are shared.\n  It's better to share some particular keys with selected developers,\n  instead of giving everybody access to all keys.\n\n## Development\n\nAfter checking out the repo, run `bin/setup` to install dependencies.\nThen, run `rake spec` to run the tests.\nYou can also run `bin/console` for an interactive prompt that will allow you to experiment.\n\nTo install this gem onto your local machine, run `bundle exec rake install`.\nTo release a new version, update the version number in `version.rb`,\nand then run `bundle exec rake release`, which will create a git tag for the version,\npush git commits and tags, and push the `.gem` file to 
[rubygems.org](https://rubygems.org).\n\n## Contributing\n\nBug reports and pull requests are welcome on GitHub at\nhttps://github.com/printercu/secure_credentials.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprintercu%2Fsecure_credentials","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprintercu%2Fsecure_credentials","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprintercu%2Fsecure_credentials/lists"}