https://github.com/dirkschumacher/encryptedCredentials

Small, opinionated package to manage encrypted credentials in R

---
output: github_document
---

```{r setup, include = FALSE}
knitr::opts_chunk$set(
  collapse = TRUE,
  comment = "#>",
  fig.path = "man/figures/README-",
  out.width = "100%"
)
knitr::opts_knit$set(root.dir = tempdir())
unlink("master.key")
unlink("credentials.yml.enc")
```

# Opinionated encrypted credentials in R

[![CRAN status](https://www.r-pkg.org/badges/version/encryptedCredentials)](https://cran.r-project.org/package=encryptedCredentials)
[![lifecycle](https://img.shields.io/badge/lifecycle-experimental-orange.svg)](https://www.tidyverse.org/lifecycle/#experimental)
[![Travis build status](https://travis-ci.org/dirkschumacher/encryptedCredentials.svg?branch=master)](https://travis-ci.org/dirkschumacher/encryptedCredentials)
[![Coverage status](https://codecov.io/gh/dirkschumacher/encryptedCredentials/branch/master/graph/badge.svg)](https://codecov.io/github/dirkschumacher/encryptedCredentials?branch=master)

_WORK IN PROGRESS: use at your own risk_

The goal of `encryptedCredentials` is to provide a simple, secure way to store credentials (e.g. API keys) and other sensitive data in your R project, in particular shiny applications or analyses.

It follows the approach of [Rails](https://medium.com/cedarcode/rails-5-2-credentials-9b3324851336) by creating a single, encrypted yml file that contains all your credentials. The file is secured by a master key, which is either saved to disk (but not checked in) or supplied through an environment variable.

## Installation

You can install the released version of encryptedCredentials from [CRAN](https://CRAN.R-project.org) with:

``` r
install.packages("encryptedCredentials")
```

Or install it from GitHub with:

``` r
remotes::install_github("dirkschumacher/encryptedCredentials")
```

## Example

### Set up your environment

The following code generates a new, random master key and stores it in `master.key`. It also uses the `usethis` package to git-ignore the `master.key` file (in case you use git).

You run this function when setting up your project.

NEVER share this file with anyone.

```{r example}
library(encryptedCredentials)
use_encrypted_credentials()
```

The command above creates a key stored in `master.key`.

There are generally two options to supply a master key:

1. Having a `master.key` file in your working directory
2. Having an environment variable `R_ENCRYPTED_CRED_MASTER_KEY` with your key

### Store credentials

You can use `write_encrypted_credentials` to replace/update the content in your encrypted yml file.

```{r}
write_encrypted_credentials(
  list(
    databases = list(
      postgres_url = "postgres://...",
      redis_url = "..."
    ),
    aws = list(
      access_key_id = "abcded",
      secret_access_key = "abcded"
    )
  )
)
```

Every time you call it, the key is read from the `master.key` file or from the environment. Then the data is converted to yml, encrypted and saved to disk in the root directory of your project.

Its content looks like this:

```{r}
readLines("credentials.yml.enc")
```

### Access credentials in your script or on a server

To access the information simply run the following command:

```{r}
credentials <- read_encrypted_credentials()
credentials
```

This function looks for a valid key either in `master.key` or in the environment variable, decrypts the file in memory, converts the yml file to an R object and returns it.

## Key Management

The key is either stored in `master.key` or you can pass it using the `R_ENCRYPTED_CRED_MASTER_KEY` environment variable.

For shiny apps, the best way is probably using the environment variable, while on personal projects (like a local R project that is checked into git) the `master.key` approach is probably best suited.

Only `credentials.yml.enc` is intended to be committed together with your source code. Never share `master.key`.

## Crypto

Currently the package uses a 32-byte random key, generated by `sodium::random`. It then uses `sodium::data_encrypt` and `sodium::data_decrypt` (with a new, random nonce) to secure the credentials file. All logic is stored in `crypt.R` and I am happy to hear any comments, suggestions or security concerns.
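
The following is an added example, not the package's own `crypt.R`: it uses the same `sodium` primitives to show that the encryption is authenticated, so a wrong key or a modified file is rejected instead of decrypting to garbage. The helper names, the `nonce:ciphertext` hex layout and the sample credentials are assumptions made for illustration.

```r
library(sodium)
library(yaml)

# Hypothetical helper: serialise a list to YAML and encrypt it under a fresh nonce.
encrypt_credentials <- function(x, key) {
  nonce <- sodium::random(24)  # new random nonce on every write
  ciphertext <- sodium::data_encrypt(charToRaw(yaml::as.yaml(x)), key, nonce)
  # Assumed container layout: hex(nonce) ":" hex(ciphertext)
  paste(sodium::bin2hex(nonce), sodium::bin2hex(ciphertext), sep = ":")
}

# Hypothetical helper: split the container, decrypt, parse the YAML.
decrypt_credentials <- function(blob, key) {
  parts <- strsplit(blob, ":", fixed = TRUE)[[1]]
  plaintext <- sodium::data_decrypt(
    sodium::hex2bin(parts[2]), key, nonce = sodium::hex2bin(parts[1])
  )
  yaml::yaml.load(rawToChar(plaintext))
}

# TRUE when evaluating `expr` raises an error (decryption refused).
rejected <- function(expr) inherits(try(expr, silent = TRUE), "try-error")

# Flip the last hex digit of the blob to simulate a modified file.
tamper <- function(blob) {
  n <- nchar(blob)
  last <- substr(blob, n, n)
  paste0(substr(blob, 1, n - 1), if (last == "0") "1" else "0")
}

key <- sodium::random(32)  # 32-byte key, as described above
# Constructed sample data, not real secrets
creds <- list(aws = list(access_key_id = "EXAMPLE_ID",
                         secret_access_key = "EXAMPLE_SECRET"))

blob <- encrypt_credentials(creds, key)

# Round trip with the correct key recovers the data
stopifnot(decrypt_credentials(blob, key)$aws$access_key_id == "EXAMPLE_ID")
# Re-encrypting the same data gives a different blob because the nonce changes
stopifnot(blob != encrypt_credentials(creds, key))
# A different key fails authentication
stopifnot(rejected(decrypt_credentials(blob, sodium::random(32))))
# A single changed ciphertext digit fails authentication
stopifnot(rejected(decrypt_credentials(tamper(blob), key)))
```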