Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/joker1007/yaml_vault

Yaml file encryption/decryption helper.
https://github.com/joker1007/yaml_vault

Last synced: 2 days ago
JSON representation

Yaml file encryption/decryption helper.

Host: GitHub
URL: https://github.com/joker1007/yaml_vault
Owner: joker1007
License: mit
Created: 2016-03-29T09:38:38.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2023-09-07T07:02:26.000Z (about 1 year ago)
Last Synced: 2024-10-31T14:28:01.790Z (8 days ago)
Language: Ruby
Homepage:
Size: 108 KB
Stars: 158
Watchers: 6
Forks: 20
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE.txt

Awesome Lists containing this project

README

# YamlVault
[![Gem Version](https://badge.fury.io/rb/yaml_vault.svg)](https://badge.fury.io/rb/yaml_vault)
[![RSpec](https://github.com/joker1007/yaml_vault/actions/workflows/rspec.yml/badge.svg)](https://github.com/joker1007/yaml_vault/actions/workflows/rspec.yml)

Yaml file encryption/decryption helper.

## Breaking Change from 0.x to 1.0
- Output YAML file keeps alias & anchor syntax & tag info. (But empty line is trimmed)
- `--key` format is changed. (Need `$` as root document at first)
- `--key` supports new formats. (Root Doc, Wildcard, Regexp, Quote)

## Encryption Algorithm

yaml_vault uses ActiveSupport::MessageEncryptor.

Default cipher is `aes-256-cbc`.
Default sign digest is `SHA256`.

## Installation

Add this line to your application's Gemfile:

```ruby
gem 'yaml_vault'
```

And then execute:

$ bundle

Or install it yourself as:

$ gem install yaml_vault

## Usage

### Encrypt

```yml
# secrets.yml

default: &default
hoge: fuga
aaa: true
bbb: 2

foo: bar

complicated:
- 1
- ["hoge", "fuga"]
- [{key1: val1, key2: val2}, {key3: val3}]
- a:
b:
c: d
e: !ruby/range 1..10

test:
<<: *default
hoge:
- 1
- 2
- 3

vault:
secret_data: "hogehoge"
secrets:
- 0
- 1
- "two"
- true
- four: 4
- :five
- :a:
b: !ruby/range 1..10
- [{key1: val1, key2: val2}, {key3: val3}]
```

```
% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml"
Enter passphrase:
```

output is ...

```yml
# encrypted_secrets.yml

default: &default
hoge: cTlEZkloUDlBS0F3VGdzL25PcXZRUT09LS1QdEFSZklJRlpGTWNVLzU5RC9IT2VnPT0=--f68324e76662ee92be4ff11faabf963bcba9b464d2a0af8cb505611755cf698c
aaa: RUNneXhXYnBVVVRod0o1aTN2ZkRRZz09LS1BYjBYQXp3OGI2dE9TMERKNVZGbzd3PT0=--81ca6f9320426bfb52e4318c209ebe9e1e0f7ff54567aed4dd6a0ae9d7dce22b
bbb: c2ExRXFpUXZKN1ltanRRUHpxMGduQT09LS1jWjVpbG9tTk9BRFdRc0QvbTBSVFBBPT0=--c63c47a104032b6aa4169ec58df5d2c4e0c5f38febbfb8f2167ae034fb93f488
foo: cWs4SmFVN3NXMGNra2tMUS9Ucmx5Zz09LS1meElVMXp0MSs0UGtrbW1tcnFKTnBnPT0=--ce755376767167c71a389637080465884295be1094e203a5c5ef396c2f13b7a8
complicated:
- ejBlc09wejFITmRpOUVBWVduQmZiQT09LS12YzdZN1hselkzQWNIOWpYd3QrR0dRPT0=--1fa11f7719fb0ffc7ce50eda52b8813d8ca547c341e710c044f8282767a22cfb
- ["ZHFlWjN3cUdMdFdFTDQwM2w0WW8xUT09LS1aOTNwU2NtQ0IvWHNYU1dJZGFCMUl3PT0=--b1ac20a6388d46e2e36bb50553cf89af673fbb4ff7ab83e96f0a315e806f5cd0",
"L0pBVHVMSXdlMEVQbTRKTGJKb2pOZz09LS1xTjRRbEs3SFpDK2szRlpDYTFuYlV3PT0=--d65702ec4880c52dfe074a12af02498e16b84452231ca2390205a752b19b4986"]
- [{key1: dmNxVjI3c242YngwcHY4cGhJTmRZUT09LS1jYXh1LzdyTy9FK1VwVjVidkU1aUNBPT0=--b04624c5b3a7c5dfbdc5a69811cb5a194fbbd6da0d2266231d25d0bee9da3bf6,
key2: eHBOM0xlRmczRFl1UERRdCtzbGF3dz09LS1TTjdWdHlqVlIreUhtekE0VGpsVEt3PT0=--ccd53fcfc3d3f51f5b4a97f5b1508e77e9149b0100995e0588b289fde920aba7},
{key3: VHg2V2VHWjZCcHhHRWJZTHFXZGhUZz09LS1kTisvY3FZaDlaTEFjODNXeFQwTjFBPT0=--e6f809a272f4a7b347f4fcf28241cd51b1293310a1e7d372f19488c2c7a726e2}]
- a:
b:
c: d254QmFnRFprMUJldDBkRjlVWUpMQT09LS1CTFhQUUQzWUw3K3FUQnJVWkFLRzdnPT0=--85522ae049be7808ae77b586c9e9e1af225b08c44becbe60ec1995f2f4b31668
e: enBYUkYrMkt1ZkdHd2JHbzAyNFo3czBpVmZRU0psaDNMalcyU2lKbEQvUT0tLVF5QSt6RXd2L0ptbHp0UVZCcm9LdXc9PQ==--06e9fa609a5a8f9f81997b314e54a91959088819b8a0f05fede68769d841ee3b
test:
<<: *default
hoge:
- eERDbWVSeFhZNkJzNVFvSkRVMWFaZz09LS02WVFSamRDbmxEbXF4WExkSTFvUzl3PT0=--05bf3dcd005b32455409c70212d64452b0af3ec78471fa69760ad85dcd6147d4
- Y1BPRGZIQys0bTBJdFJuV21WSWJBUT09LS1xZFdQcmVpd3ltWnVSWEttcVZ1Z3VRPT0=--6c57387b420bc569494a0308e896d8426ec7b6a649a6a1f890e779bc792fc9a0
- anVLa2dXTWo1ckVVTlhQZG0vdVRHZz09LS04K3FIV2lsSUI5V01pR1ljS3lCWDVnPT0=--545a128c08152415ff27c35c89cb0ab1b5625530716ac8f8daf5f2e61fbe450c
vault:
secret_data: "NUR1aFdaMjMrSkI2MyswRC84UXJzWUprVXgvZnBmRXhBM0dqUWdpOTBMaz0tLUJ4NmtpeUQ3dG0rN080cDZMWmlwc1E9PQ==--7e812eabdc22af8e46db8a7b8f361deb6484d3aa8568d4bc95d6e73c00149c28"
secrets:
- emExNlNIQ2tiNTliU1ZhU1FzUXBtQT09LS1pajcyYUU0bnlYSlorTEtFOEZyZVRRPT0=--c8483428c33401e99e55e7634ba468bcba219ab02034bb4ad80c89d639f52323
- NXJ4c2JId0xLWUk0dHY2NHJyVzNIdz09LS0vUnlpWGptaitmYUZ0bk4zY1I0YWVnPT0=--18f9764a068ba555c5261be70de469e0460ef14b8a1636f418bddcb0b7b4ffcf
- "WUFwWTEzK1lpOHJseGEwbGFmTEs4dz09LS1EK2xwNUFsSExQT2Zwa0p5QjFGbWJnPT0=--3f66ca21b4f1bae17d03233afc0ee80a1a42371244ac38ce71f284266bec3a95"
- dGd2d1k4MTFSMHp3cy9xZE9NaGpIUT09LS1GcWNKdisxMlRGTzBLV2Zjam9PRmZ3PT0=--1f19086e9908d4c5313c3abfab8f6c8697785273c14ab0a2f39634a57ac57e72
- four: QXlGUGsyYnB6dEtNWk9ia3MvR2duZz09LS1DWGprWVVIS2VkbjJrYnl0MkVmcUlBPT0=--0e426924db2fa7e577e4e4d7d62ce8f7e9390f14e72f90aca59be88df252b110
- dDAvZzdNampwUmsrY1Q3ME5VaWNkQT09LS13YUJQVm9kZXpFMlpxVTVPRDJ3RG1RPT0=--c53ab9535f06eef08e41dbf9fd1641421760309f381c37016ce27d17d6910f11
- :a:
b: NHgycERIaXlQaTR2V09weWFUbG9DZE1aQ3pTZ1h0OWo0VzJ4NkRMaDk5WT0tLWhMc21MUHJOQnowTHlnSnhxUkluNVE9PQ==--081f7b5f9bc982f7270454a8453b5fcf860bea9ed6f8454a0f8509b0cc2a8638
- [{key1: WHkwOEc5NVcvNm5IMTVNc24xWUtYdz09LS1GZGc0K2J2V3F5bW5iS29Vb1grcFNRPT0=--c453f9e814e4d62294d1d5d20b71db8825e8f94933ad8af157ca7860407e39c5,
key2: eUZlQlgzVTFFRjVKUjF3dTZ6RlRidz09LS1rUzRtN2VlS2ZmRDFuR3JCMkRMRTNRPT0=--d30ebbf61e5393d3502e71486379215c4ea95d3f4697faa209214dd23d64e1fd},
{key3: YStlVTBFZjZQQlVDWHhjMS85L052Zz09LS0rL2JtbUI2eFY2QVZsbG92OGM4Z2lnPT0=--ffc85954e68fdde7e03fdbaa715c43d624c2825e28439de3ce2d2fa0e9debe0b}]
```

If use `--key` option.

```
% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml -k $.vault.secret_data
Enter passphrase:
```

output is ...

```yml
# encrypted_secrets.yml

default: &default
hoge: fuga
aaa: true
bbb: 2
foo: bar
complicated:
- 1
- ["hoge", "fuga"]
- [{key1: val1, key2: val2}, {key3: val3}]
- a:
b:
c: d
e: !ruby/range 1..10
test:
<<: *default
hoge:
- 1
- 2
- 3
vault:
secret_data: SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1
secrets:
- 1
- 2
- "three"
- true
- four: 4
```

`--key` option supports following format.

- `$` as root document
- `*` as wildcard for array or map key
- `/str/` as regexp to map key
- `:` as Symbol.
- `[0]` as array key.
- `'str'` as map key (inner single quote string).
- `"str"` as map key (inner double quote string).
- `other_string` as map key

`--key` must start with `$`.

ex. `$.production.:slaves.[0].*.:password`

You can also use the `--prefix` and `--suffix` options to format the encrypted value. i.e by providing `--prefix "ENC(" --suffix ")"` you can get the following output from the above example:

```yml
# encrypted_secrets.yml

default: &default
...
vault:
secret_data: ENC(SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1)
...
```

#### AWS KMS Encryption

Max encryptable size is 4096 bytes. (value size as encoded by Base64)

```
% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml --cryptor=aws-kms \
--aws-region=ap-northeast-1 \
--aws-kms-key-id= \
--aws-access-key-id= \
--aws-secret-access-key=
```

If region, access_key_id, secret_access_key is not set, use `ENV["AWS_REGION"]`, `ENV["AWS_ACCESS_KEY_ID"]`, `ENV["AWS_SECRET_ACCESS_KEY"]` or default credentials or Instance Profile.

#### GCP KMS Encryption

```
% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml --cryptor=gcp-kms \
--gcp-kms-resource-id= \
--gcp-credential-file=
```

ex. `--gcp-kms-resource-id=projects//locations/global/keyRings//cryptoKeys/`

If gcp_credential_file is not set, use Google Application Default Credentials flow (https://developers.google.com/identity/protocols/application-default-credentials)

### Decrypt

```
% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml
Enter passphrase:
```

If `ENV["YAML_VAULT_PASSPHRASE"]`, use it as passphrase

Note to pass the same `--suffix` and `--prefix` if the yaml was encrypted using these options.

#### AWS KMS Decryption

```
% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml --cryptor=aws-kms \
--aws-region=ap-northeast-1 \
--aws-access-key-id= \
--aws-secret-access-key=
```

#### GCP KMS Decryption

```
% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml --cryptor=gcp-kms \
--gcp-kms-resource-id= \
--gcp-credential-file=
```

### Direct Assignment

```ruby
# decrypt `configs['vault']` and `configs['production']['password']`

# Simple Encryption
configs = YamlVault::Main.from_file(
File.expand_path("../encrypted_sample.yml", __FILE__),
[["vault"], ["production", "password"]],
passphrase: ENV["YAML_VAULT_PASSPHRASE"], sign_passphrase: ENV["YAML_VAULT_SIGN_PASSPHRASE"]
).decrypt

# AWS KMS
configs = YamlVault::Main.from_file(
File.expand_path("../encrypted_sample.yml", __FILE__),
[["vault"], ["production", "password"]],
"kms",
aws_kms_key_id: ENV["AWS_KMS_KEY_ID"],
aws_region: ENV["AWS_REGION"], # optional
aws_access_key_id: "xxxxxxx", # optional
aws_secret_access_key: "xxxxxxx", # optional
).decrypt

# GCP KMS
configs = YamlVault::Main.from_file(
File.expand_path("../encrypted_sample.yml", __FILE__),
[["vault"], ["production", "password"]],
"gcp-kms",
gcp_kms_resource_id: "xxxxxxx",
gcp_credential_file: File.expand_path("../credential.json", __FILE__)
).decrypt
```

## How to use with docker

```bash
docker run -it \
-v `pwd`/:/vol \
joker1007/yaml_vault \
encrypt /vol/secrets.yml -o /vol/encrypted_secrets.yml
```

## Development

After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. Run `bundle exec yaml_vault` to use the gem in this directory, ignoring other installed copies of this gem.

To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).

## Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/joker1007/yaml_vault.