{"id":19889536,"url":"https://github.com/tsmx/secure-config-tool","last_synced_at":"2025-05-02T17:33:41.047Z","repository":{"id":42500098,"uuid":"283017732","full_name":"tsmx/secure-config-tool","owner":"tsmx","description":"Supporting command-line tool for secure-config.","archived":false,"fork":false,"pushed_at":"2024-08-08T19:38:54.000Z","size":513,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-08-09T21:39:36.508Z","etag":null,"topics":["aes","cli","command-line-tool","configuration","configuration-management","credentials","crypto","encryption-at-rest","environment","hmac","json","key","multi-environment","nodejs","secret"],"latest_commit_sha":null,"homepage":"https://tsmx.net/secure-config/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tsmx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-07-27T21:12:47.000Z","updated_at":"2024-08-08T19:38:57.000Z","dependencies_parsed_at":"2024-08-08T21:39:24.848Z","dependency_job_id":null,"html_url":"https://github.com/tsmx/secure-config-tool","commit_stats":{"total_commits":101,"total_committers":2,"mean_commits":50.5,"dds":"0.20792079207920788","last_synced_commit":"f046ae657e6474fcdc0ccef3290cb1dfc805539a"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsmx%2Fsecure-config-tool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsmx%2Fsecure-config
-tool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsmx%2Fsecure-config-tool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tsmx%2Fsecure-config-tool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tsmx","download_url":"https://codeload.github.com/tsmx/secure-config-tool/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224324404,"owners_count":17292521,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes","cli","command-line-tool","configuration","configuration-management","credentials","crypto","encryption-at-rest","environment","hmac","json","key","multi-environment","nodejs","secret"],"created_at":"2024-11-12T18:10:39.322Z","updated_at":"2025-05-02T17:33:41.039Z","avatar_url":"https://github.com/tsmx.png","language":"JavaScript","readme":"# [**@tsmx/secure-config-tool**](https://github.com/tsmx/secure-config-tool)\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n![npm (scoped)](https://img.shields.io/npm/v/@tsmx/secure-config-tool)\n![node-current (scoped)](https://img.shields.io/node/v/@tsmx/secure-config-tool)\n[![Build Status](https://img.shields.io/github/actions/workflow/status/tsmx/secure-config-tool/git-build.yml?branch=master)](https://img.shields.io/github/actions/workflow/status/tsmx/secure-config-tool/git-build.yml?branch=master)\n[![Coverage 
Status](https://coveralls.io/repos/github/tsmx/secure-config-tool/badge.svg?branch=master)](https://coveralls.io/github/tsmx/secure-config-tool?branch=master)\n\n\u003e Supporting command-line tool for [@tsmx/secure-config](https://www.npmjs.com/package/@tsmx/secure-config).\n\n**Features:**\n- [create secure configurations](#create) with encrypted secrets and a HMAC out of existing JSON files\n- [key rotation](#rotate-key) of an existing secure configuration\n- [update HMAC](#update-hmac) values of existing secure configuration files after they have changed\n- [test](#test) existing secure configuration JSON files (HMAC validation \u0026 decryption)\n- [generate keys](#genkey) \n- [encrypt single secrets](#encrypt) for copy \u0026 paste into existing configurations\n- [decrypt single secrets](#decrypt) for testing purposes\n\nTo get more information please also check out the [secure-config documentation](https://tsmx.net/secure-config/).\n\n## Basic usage\n\n![Usage GIF](https://tsmx.net/wp-content/uploads/2021/08/secure-config-tool-2-usage.gif)\n\n## Installation\n\n```\n[tsmx@localhost ]$ npm i -g @tsmx/secure-config-tool\n```\n\nFor convenience, installation as a global package is recommended, though local installation and use are also possible.\n\n## Arguments\n\n### create\n\nReads an existing JSON configuration file and encrypts the values according to the specified key patterns. Also adds a HMAC property to the JSON configuration to enable validation against illegal tampering.\n\nThe result is printed to stdout. Use `\u003e` to save it in a new file.\n\nThe key used to create the secure configuration has to be set as environment variable `CONFIG_ENCRYPTION_KEY`. 
See [genkey option](#genkey) on how to create and export a secure key.\n\n```\n[tsmx@localhost ]$ secure-config-tool create config.json \u003e config-production.json\n```\n\n#### -p, --patterns\n\nA comma-separated list of patterns for the keys of the configuration file that should be encrypted. Pattern matching is done for every key of the provided JSON input with a case-insensitive RegEx validation. If the match succeeds, the value of the key is encrypted.\n\n```\n[tsmx@localhost ]$ secure-config-tool create -p \"Username,Password\" config.json \u003e config-production.json\n```\n\nIn the example stated above, every key is tested case-insensitively against the two regular expressions `/Username/` and `/Password/`.\n\nIf no patterns are explicitly specified by using this option, the standard patterns are used: `'user', 'pass', 'token'`. \n\n#### -ne, --no-encrpytion\n\nDo not encrypt any value of the input file. Helpful if you want to use only the HMAC feature without any encryption.\n\n#### -nh, --no-hmac\n\nDo not create and add the configuration's HMAC to the output. Helpful if you only want to use encryption without HMAC.\n\n#### -hp, --hmac-prop\n\nSpecify a property name to store the generated HMAC value in. Defaults to `__hmac` if the option is not present. Doesn't have any effect if `-nh` is specified at the same time.\n\n### rotate-key\n\nRotates the key of an existing secure configuration file produced with [create](#create). 
Environment variables `CONFIG_ENCRYPTION_KEY` and `CONFIG_ENCRYPTION_KEY_NEW` must be set:\n- `CONFIG_ENCRYPTION_KEY`: the key for the existing secure configuration file\n- `CONFIG_ENCRYPTION_KEY_NEW`: the new key to rotate to (Hint: you can use the [genkey option](#genkey) to generate a new one)\n\nBasic console example:\n\n```\n[tsmx@localhost ]$ export CONFIG_ENCRYPTION_KEY=...\n[tsmx@localhost ]$ export CONFIG_ENCRYPTION_KEY_NEW=...\n[tsmx@localhost ]$ secure-config-tool rotate-key config-production.json\n```\n\nThe result is printed to stdout. Use `\u003e` to save it in a new file, or use the `--overwrite` option. \n\nIf the source secure configuration file includes a HMAC in the default `__hmac` property, it will be updated automatically using the new key. If the source file has a HMAC in a custom-named property, use the `-hp` option to provide the property name and it will be updated.\n\n#### -hp, --hmac-prop\n\nUse this option to specify the property name of an existing HMAC value to be updated in the source secure configuration file if it deviates from the default `__hmac`.\n\n#### -o, --overwrite\n\nOverwrite the original configuration file after rotating the key instead of writing to stdout.\n\n### update-hmac\n\nUpdates the HMAC of an existing secure configuration file after it has been changed (properties added/deleted/changed...).\n\nThe result is printed to stdout. Use `\u003e` to save it in a new file, or use the `--overwrite` option.\n\nThe key used to update the HMAC has to be set as environment variable `CONFIG_ENCRYPTION_KEY`. 
Make sure to use the same key that was used to create the existing secure-config file.\n\n```\n[tsmx@localhost ]$ secure-config-tool update-hmac -o config-production.json\n```\n\n#### -o, --overwrite\n\nOverwrite the original configuration file with the updated HMAC instead of writing to stdout.\n\n#### -hp, --hmac-prop\n\nUse this option to specify the property name of the HMAC value to be updated if it deviates from the default `__hmac`.\n\n### test\n\nTest decryption and HMAC validation of an existing secure-configuration file. The key to test against has to be set as environment variable `CONFIG_ENCRYPTION_KEY`.\n\n```\n[tsmx@localhost ]$ export CONFIG_ENCRYPTION_KEY=9af7...\n[tsmx@localhost ]$ secure-config-tool test config-production.json \nDecryption: PASSED\nHMAC:       PASSED\n```\n\n#### -hp, --hmac-prop\n\nSpecify the property name of the HMAC value to validate against. Defaults to `__hmac` if the option is not present. Doesn't have any effect if `-sh` is specified at the same time.\n\n#### -sh, --skip-hmac\n\nSkip the HMAC validation test.\n\n#### -v, --verbose\n\nPrint out the raw input data and the decrypted data. \n\n### genkey\n\nGenerate a cryptographic 32-byte key to be used for AES encryption/decryption as well as HMAC validation of your configuration. 
\n\n```\n[tsmx@localhost ]$ secure-config-tool genkey\n9af7d400be4705147dc724db25bfd2513aa11d6013d7bf7bdb2bfe050593bd0f\n[tsmx@localhost ]$ export CONFIG_ENCRYPTION_KEY=9af7d400be4705147dc724db25bfd2513aa11d6013d7bf7bdb2bfe050593bd0f\n```\n\n### encrypt\n\nEncrypt a single value string for copy \u0026 paste to a JSON configuration file.\n\n```\n[tsmx@localhost ]$ secure-config-tool encrypt \"MySecret\"\nENCRYPTED|82da1c22e867d68007d66a23b7b748b3|452a2ed1105ec5607576b820b90aa49f\n```\n\n### decrypt\n\nDecrypt a single value string for testing purposes.\n\n```\n[tsmx@localhost ]$ secure-config-tool decrypt \"ENCRYPTED|82da1c22e867d68007d66a23b7b748b3|452a2ed1105ec5607576b820b90aa49f\"\nMySecret\n```\n\n## Changelog\n\n### 2.2.0\n- Support for encrypted properties of objects in arrays added, e.g. `{  configArray: [ { key: 'ENCRYPTED|...' }, { key: 'ENCRYPTED|... ' } ] }`\n\n### 2.3.0\n- [Key rotation](#rotate-key) feature added\n\n## Test\n\n```\nnpm install\nnpm test\n```","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftsmx%2Fsecure-config-tool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftsmx%2Fsecure-config-tool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftsmx%2Fsecure-config-tool/lists"}