Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rstudio/rskey
Standalone encryption and secret key management for RStudio's Connect and Package Manager
rstudio
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/rstudio/rskey
- Owner: rstudio
- License: apache-2.0
- Created: 2022-01-04T15:09:50.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-03-19T18:46:29.000Z (9 months ago)
- Last Synced: 2024-08-03T22:19:15.080Z (4 months ago)
- Topics: rstudio
- Language: Go
- Homepage:
- Size: 95.7 KB
- Stars: 4
- Watchers: 7
- Forks: 2
- Open Issues: 9
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- jimsghstars - rstudio/rskey - Standalone encryption and secret key management for RStudio's Connect and Package Manager (Go)
README
# rskey
`rskey` is a command-line tool (and bundled Go package) that generates secret
keys interoperable with the format used by RStudio's Workbench, Connect, and
Package Manager products.

It can be used to help manage secrets without the need to install these products
first, and is designed for use in Infrastructure-as-Code and containerised
deployments of these products.

This tool can also serve as a drop-in replacement for:

* RStudio Connect's `rscadmin configure --encrypt-config-value`
  [command](https://docs.rstudio.com/connect/admin/appendix/cli/#rscadmin)
* Package Manager's `rspm encrypt`
  [command](https://docs.rstudio.com/rspm/admin/appendix/encryption/#rspm-encrypt).
* Workbench's `rstudio-server encrypt-password`
  [command](https://docs.rstudio.com/ide/server-pro/rstudio_server_cli/rstudio_server_cli.html#database).

No local license keys are required, either.

**This is not a general-purpose encryption tool.**
## Installation
Binary releases for Windows, macOS, and Linux are available [on
GitHub](https://github.com/rstudio/rskey/releases).

If you have a local Go toolchain you can also install via `go install`:

``` shell
$ go install github.com/rstudio/rskey@latest
```

Binary releases are signed with [Sigstore](https://www.sigstore.dev/). You can
verify these signatures with their `cosign` tool, for example:

``` shell
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
    --signature rskey_0.5.0_linux_amd64.tar.gz.sig \
    rskey_0.5.0_linux_amd64.tar.gz
```

We use Cosign's ["keyless"](https://docs.sigstore.dev/cosign/openid_signing)
mode, which uses the OpenID Connect tokens issued by GitHub for this repository
and ephemeral certificates instead of private keys. This feature currently
requires setting `COSIGN_EXPERIMENTAL=1`.

## Usage
You can generate keys with `rskey generate`. For example:
``` shell
$ rskey generate -o /var/lib/rstudio-pm/rstudio-pm.key
# Or, to simply echo the key to standard output:
$ rskey generate
```

You can then encrypt data (such as database passwords) interactively with
`rskey encrypt`. For example:

``` shell
$ rskey encrypt -f /var/lib/rstudio-pm/rstudio-pm.key
```

Line-separated entries can also be passed on standard input:

``` shell
$ cat passwords.txt | rskey encrypt -f /var/lib/rstudio-pm/rstudio-pm.key
```

An `rskey decrypt` command is also provided.
### FIPS Mode
Connect version 2022.03.0 and later supports [an alternative encryption
algorithm](https://docs.rstudio.com/connect/news/#rstudio-connect-2022030),
AES-256-GCM. This algorithm is an Approved Security Function under [Federal
Information Processing Standard
140](https://csrc.nist.gov/publications/detail/fips/140/3/final) (FIPS), unlike
the default.

If you prefer to encrypt secrets using this algorithm and are using this version
of Connect or later, pass the `--mode=fips` flag to the `encrypt` command:

``` shell
$ rskey encrypt -f connect.key --mode=fips
```

`rskey decrypt` does not require this flag because the algorithm in use can be
determined from the encrypted output.

### Workbench
Secret keys for Workbench are [traditionally generated by the `uuid`
command](https://docs.rstudio.com/ide/server-pro/load_balancing/configuration.html#generating-a-key),
but there is no built-in support for this format in `rskey generate`.

To encrypt or decrypt secrets for use with RStudio Workbench, pass the
`--mode=workbench` flag to the appropriate command. Both key formats are
acceptable:

``` shell
$ rskey generate -o /etc/rstudio/secure-cookie-key
$ rskey encrypt --mode=workbench -f /etc/rstudio/secure-cookie-key
$ echo `uuid` > uuid.key
$ rskey encrypt --mode=workbench -f uuid.key
```

## Details
* Secret keys must be kept secret: anyone in possession of a key can
  decrypt any data encrypted with it.
* Encryption for Connect and Package Manager uses the well-known [NaCl Secretbox
  algorithm](https://pkg.go.dev/golang.org/x/crypto/nacl/secretbox) by default.
* Connect version 2022.03.0 and later supports [an alternative encryption
  algorithm](https://docs.rstudio.com/connect/news/#rstudio-connect-2022030),
  AES-256-GCM. This algorithm is an Approved Security Function under [Federal
  Information Processing Standard
  140](https://csrc.nist.gov/publications/detail/fips/140/3/final), and can be
  used by passing `--mode=fips` to the `rskey encrypt` command.
* Encryption for Workbench uses AES-128-CBC.
* Key files for Connect and Package Manager are a sequence of 512 hex-encoded,
  securely-generated random bytes. This means that `rskey generate` is analogous
  to `openssl rand -hex 512`.
* Key files for Workbench are 32 or more opaque bytes. Most often they are
  generated by [the `uuid`
  command](https://docs.rstudio.com/ide/server-pro/load_balancing/configuration.html#generating-a-key),
  but you can use the output of `rskey generate` as well.

## API Stability and Versioning
`rskey` and its packages follow strict semantic versioning.
## License
Licensed under the Apache License, Version 2.0. See `LICENSE` for details.