README
¶
Simple Secrets Encryptor
This project can be used for encoding and decoding of a bunch of structured files containing key-value maps (e.g. YAML) using asymmetric encryption (RSA). This encryption allows the holders of the public key to perform the one way encryption without the possibility to retrieve the original value. The holders of the private key, however, can perform the decryption (and also derive the public key for encryption).
Use-cases
CI/CD
Often, a lot of secrets are required during the phases of CI/CD. Holding the secrets in the unencrypted format as part of the code can be considered as bad practice. However, by encrypting the secrets before pushing them to the repository makes them useless for eavesdropper which do not have the private key required for encryption.
A step of the CI/CD pipeline (e.g. in [GitHub Action]) can inject the public key (e.g. from the GitHub Secrets) and decrypt the required secrets using the Simple Secret Encoder.
GitHub Secrets Management
GitHub Secrets can be managed via the GitHub UI, via the REST API, by using a 3rd party tool like Terraform, etc. For easier secret management it can be considered storing the encrypted secrets in a file (which can be pushed to a repository) and decrypt it before executing Terraform.
How to Build
Go 1.15+ is required to build the project. Checkout the repository and trigger the build on Unix-like systems by executing the following command:
$ go build -o sse
On Windows:
> go build -o sse.exe
Both commands will generate the executable binary named sse.
This executable will be used in the following examples.
However, go run main.go can be used if the binary is missing.
However, a pre-built container can be used. Please consider that the keys and secrets must be attached to it via volumes at run time.
$ docker run -ti --rm \
-v $(pwd)/public.pem:/workspace-keys/public.pem \
-v $(pwd)/test-secrets:/workspace \
dimw/sse encrypt --workdir=/workspace --public-key-file=/workspace-keys/public.pem
Commands
The following command will retrieve the supported commands.
$ sse help
Generation of Keys
The well-known ssh-keygen tool can be used for generation of the RSA key pair.
However, the Simple Secret Encryptor provides a shortcut for generating the private and public keys.
Per default, the output will be stored in the files private.key and public.pem accordingly.
$ sse generate-keys
Encryption
The encrypt can be used to encrypt secrets. The process is structured as following:
- It traverses through the working directory (default:
./), - Visits each dictionary-like file (default:
*.{yml,yaml}), - Detects keys referring to secrets (those containing
secret,password, ortokenkeywords) - Performs encryption of those secrets using the provided public key (default:
public.pem). - The original files are replaces.
Example:
$ mkdir ./secrets
$ echo "foo-token: bar" > ./secrets/secret.yml
$ sse encrypt --workdir=./secrets
$ cat ./secrets/secret.yml
foo-token: ENC[rsa,data:OG4ZLQYbAthyx8...Es4kcZSDXy50iQ==]
The values which are already encrypted (similar to ENC[...]) are omitted.
The command can be considered being idempotent.
Decryption
The decryption can be performed when the private key (default file: private.key) is present.
The process reads all files of the working directory, searches the encrypted keys, and replaces them in-place.
Example:
$ mkdir ./secrets
$ echo "foo-token: ENC[rsa,data:OG4ZLQYbAthyx8...Es4kcZSDXy50iQ==]" > ./secrets/secret.yml
$ sse encrypt --workdir=./secrets
$ cat ./secrets/secret.yml
foo-token: bar
Supported Secret File Formats
Single-level key-value pairs can be encrypted and decrypted only. The secret files can be in the following formats:
- YAML
- JSON
Known Limitations
- Only key-value maps without nesting are currently supported for encoding.
- Use private key protected by a passphrase.
Documentation
¶
There is no documentation for this package.
Source Files
Directories