Skip to content

Zemanta/go-secretcrypt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

91 Commits

.circleci

.circleci

 
 

.github

.github

 
 

cmd

cmd

 
 

internal

internal

 
 

.codecov.yml

.codecov.yml

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

doc.go

doc.go

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

secret.go

secret.go

 
 

secret_test.go

secret_test.go

 
 

Repository files navigation

go-secretcrypt

Circle CI GoDoc codecov Go Report Card

Utility for keeping your secrets encrypted. Also has a Python version.

For example, you have the following TOML (or any format whose decoder supports TextUnmarshaler interface for custom values) configuration file

MySecret = "VerySecretValue!"

but you can't include that file in VCS because then your secret value would be exposed.

With secretcrypt, you can encrypt your secret using your AWS KMS master key aliased MyKey:

$ encrypt-secret kms alias/MyKey
Enter plaintext: VerySecretValue! # enter
kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE... # shortened for brevity

# --- or --
$ echo "VerySecretValue!" | encrypt-secret kms alias/MyKey
kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE... # shortened for brevity
# only use piping when scripting, otherwise your secrets will be stored
# in your shell's history!

use that secret in my TOML config file:

MySecret = "kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE..."  # shortened for brevity

or YAML:

mysecret: kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE...  # shortened for brevity

or JSON:

{"MySecret": "kms:region=us-east-1:CiC/SXeuXDGRADRIjc0qcE..."}

Then, you can use that secret in your config struct

type Config struct {
  MySecret secretcrypt.Secret
}

var conf Config
if _, err := toml.Decode(tomlData, &conf); err != nil {
  // handle error
}

and get its plaintext as

plaintext, err := conf.MySecret.Decrypt()
if err != nil {
  // handle error
}

KMS

The KMS option uses AWS Key Management Service. When encrypting and decrypting KMS secrets, you need to provide the AWS region used for encrypting, the default being us-east-1.

So if you use a custom region, you must provide it to secretcrypt:

encrypt-secret kms --region us-west-1 alias/MyKey

Local encryption

This mode is meant for local and/or offline development usage. It generates a local key in your %USER_DATA_DIR% (see appdirs), so that the key cannot be accidentally committed to CVS.

It then uses that key to symmetrically encrypt and decrypt your secrets.

Password encryption - interactive only

The password encryption mode should not be used in your application - it is meant for easily sharing secrets among developers. It interactively prompts the user for a password when encrypting the secret. When decrypting, it prompts for the password again.

Install command-line utilities

You can install command-line utilities encrypt-secret and decrypt-secret via:

go install -i github.com/Zemanta/go-secretcrypt/cmd/...

About

Encrypt your secrets with kms

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

24 stars

Watchers

41 watching

Forks

2 forks
Report repository

Releases 6

v1.0.7 Latest
Mar 7, 2022
+ 5 releases

Packages

No packages published

Contributors 7

Languages