• Stars
    star
    162
  • Rank 232,284 (Top 5 %)
  • Language
    Ruby
  • Created almost 11 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A secure and easy-to-use store for your production secrets

dotgpg is a tool for backing up and versioning your production secrets or shared passwords securely and easily. (Why?)

Getting started

If you're a ruby developer, you know the drill. Either gem install dotgpg or add gem "dotgpg" to your Gemfile.

There are also instructions for use without ruby.

Mac OS X

  1. brew install gpg
  2. sudo gem install dotgpg

Ubuntu

  1. sudo apt-get install ruby1.9
  2. sudo gem install dotgpg

RedHat/CentOS

  1. sudo yum install ruby ruby-devel
  2. sudo gem install dotgpg

Usage

dotgpg init

To get started run dotgpg init. Unless you've used GPG before, it will prompt you for a new passphrase. You should make this passphrase as secure as your SSH passphrase, i.e. 12-20 characters and not just letters.

$ dotgpg init
Creating a new GPG key: Conrad Irwin <[email protected]>
Passphrase:
Passphrase confirmation:

dotgpg edit

To create or edit files, just use dotgpg edit. I recommend you use the .gpg suffix so that other tools know what these files contain.

$ dotgpg edit production.gpg
[ opens your $EDITOR ]

dotgpg create

To create an encrypted file from piped input, use dotgpg create. I recommend you use the .gpg suffix so that other tools know what these files contain.

$ echo foo | dotgpg create bar.gpg

dotgpg cat

To read encrypted files, dotgpg cat them.

$ dotgpg cat production.gpg
GPG passphrase for [email protected]:

dotgpg add

To add other people to your team, you need to dotgpg add them. To run this command you need their public key (see dotgpg key).

$ dotgpg add
Paste a public key, then hit <ctrl-d> twice.
<paste>
<ctrl-d><ctrl-d>

Once you've added them run git commit or let Dropbox work its syncing magic and they'll be able to access the files just like you.

dotgpg key

To be added to a dotgpg directory, you just need to send your GPG public key to someone who already has access. Getting the key is as easy as running dotgpg key. Then email/IM someone who already has access (you can see the list with ls .gpg).

$ dotgpg key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.15 (Darwin)

mQENBFK2JfMBCAC8wX7dsWiNX2Ov9akPlz+54Y7n8a3gtdP63CiabW9Ao4614ZDu
vZWI8GIr1QaqMQOcUnhVe9BU3u3y4TX5ei1rHp4ykKoum606R7oFKS5Q4viob/6W
rfVND/o/Sh8twY9ZIpOxRq1zqfGmJk/wSTMuM047hhPUDZVf1BNU+lkURTh2qqnL
...snip...
ZQPcmlBEEI4zq+4GzLTTHHM3/rcHHZmi5p9JAK8OxM/Xyc2otF+N/+iGtIIHjD4a
0FJjy4jQzl7FsvLbDf0VDbcw6RZkJ5dGXIyaEcNiOkF3UGwDcfg6oLsA7d5lo+3a
leJCaaNJQBbIOj4QOjFWiZ8ATqLH9nkgawSwOV3xp0MWayCJ3MVnibt4CaI=
=Vzb6
-----END PGP PUBLIC KEY BLOCK-----

dotgpg merge

See the 'Integration With Git' section below.

Why

Production secrets are the keys that your app needs to run. For example the session cookie encryption key, or the database password. These are critical to the running of your app, so it's essential to have a backup that is version controlled. Then if anything goes wrong, you can find the previous values and go back to running happily.

Unfortunately it's also essential that your production secrets are kept secret. This means that traditional solutions to storing them, like putting them unenecrypted in git or in a shared google doc or in Dropbox are not sufficiently secure. Anyone who gets access to your source code, or to someone's Dropbox password, gets the keys to the kingdom for free.

Dotgpg aims to be as easy to use as "just store them in git/Dropbox", but because it uses gpg encryption is less vulnerable. If someone gets access to your source code, or someone's Google Apps account, they won't be able to get to your production database.

Deploying

dotenv

I recommend using dotenv for production secrets, then storing your production .env file as config/dotgpg/production.gpg in your web repository (after doing dotgpg init config/dotgpg).

You can do this manually with ssh:

dotgpg cat config/dotgpg/production.gpg |\
    ssh host1.example.com 'cat > /apps/website/shared/.env'

Or use Capistrano's put helper:

file = `dotgpg cat config/dotgpg/production.gpg`
put file, "/apps/website/shared/.env"

Heroku

We store a dump of heroku config -s in dotgpg with added comments. The dotgpg version is considered the master version, so if we make a mistake configuring Heroku (I've done that before...) we can restore easily.

Other

You're kind of on your own for now :). Just store secrets in dotgpg and nowhere else, and you'll be fine!

If you've got a setup that you think is common enough, please send a pull request to add docs.

Shared passwords

You can also use dotgpg to share passwords for things that you log into manually with the rest of your team. This works particularly well if you put the dotgpg directory into Dropbox so that it syncs magically.

Use without ruby

The only person who really needs to use the dotgpg executable is the one responsible for adding and removing users from the directory. If you want to use dotgpg without requiring everyone to install ruby you can give them these instructions:

To export your GPG key, use: gpg --armor --export EMAIL_ADDRESS. (If you get an error 'nothing exported', you can generate a new key using the default settings of gpg --gen-key.)

To read the encrypted files use gpg --decrypt FILE.

To edit the encrypted files, you'll want to use vim-gnupg and add autocmd User GnuPG let b:GPGOptions += ["sign"] to your ~/.vimrc. Every time a new user is added to the directory, you'll need to sync GPG's public key store with gpg --import .gpg/* or you won't be able to save changes.

Security

I'm not a security professional, so please email me if you have feedback on anything in this section.

The files stored in dotgpg are unreadable to an attacker provided:

  1. A file encrypted by GnuPG cannot be decrypted except by someone with access to a recipient's private key.
  2. No-one has access to your GPG private key.

The former assumption is reasonably strong. I'm willing to accept the tiny risk that there's a bug in GnuPG because it'll make headline news.

The latter assumption is reasonably weak. GPG private keys are stored encrypted on your laptop, and the encryption key is based on a passphrase.

This means that if someone gets access to your laptop (or a backup) they can easily get your GPG key unless you've chosen a secure passphrase. I consider this acceptable risk because, by default, SSH passwords are easier to crack than GPG passphrases (GPG uses 65536 rounds of SHA-1 while SSH uses a single round of MD5) and if they can decrypt your SSH key they can read the secrets directly off your production servers.

Change passphrase

If you didn't choose a secure passphrase, you can change it with:

gpg --edit-keys [email protected] passwd

If you can't remember your passphrase then you generate a new key with dotgpg key -n and ask someone on your team to overwrite your existing key with dotgpg add -f.

Revoking access

Occasionally people leave, or stop needing access to dotgpg. To remove them use dotgpg rm.

Integration with git

Encrypted files don't work well with many git workflows because they are (basically) binary files that appear to be text files. Because of this diff and merge may appear to work from git's point of view but will actually generate garbage according to GPG. It's possible to work around this:

Add the following lines to your git config:

[diff "gpg"]
  textconv = dotgpg unsafe_cat
[merge "gpg"]
  name = dotgpg merge driver
  driver = "dotgpg merge %O %A %B"

(you may need to use bundle exec dotgpg ... depending on how you've installed dotgpg and ruby)

Add the following lines to your git attributes

*.gpg diff=gpg merge=gpg

Now git diff will show you the diff of the decrypted content. git merge will decrypted your files, try to merge the decrypted text, and then encrypt the subsequent output. If there's a conflict the file will be marked as such but will still be a valid GPG file - the decrypted file will contain the text with the merge conflict markers in it.

It's probably possible to adapt this to other VCS's.

More Repositories

1

pry-rescue

Start a pry session whenever something goes wrong.
Ruby
850
star
2

showterm

The rubygem to upload to http://showterm.io
Ruby
600
star
3

aws-name-server

DNS server that lets you look up ec2 instances by instance name
Go
560
star
4

vim-bracketed-paste

Handles bracketed-paste-mode in vim (aka. automatic `:set paste`)
Vim Script
481
star
5

showterm.io

The website for showterm!
JavaScript
354
star
6

async-profile

Asynchronous CPU profiling for node
CoffeeScript
264
star
7

jist

Jist just gists
Ruby
160
star
8

git-aliae

Random git stuff....
Shell
81
star
9

console.log

Log to the Javascript console from ruby.
Ruby
79
star
10

font

golang parser for OpenType files.
Go
70
star
11

em-imap

An event machine based IMAP client
Ruby
69
star
12

lspace

Safe operation-local global variables!
Ruby
62
star
13

pry-debundle

Allows you to use gems not in your Gemfile from Pry.
Ruby
50
star
14

gpg-decoder

A port of the awesome ASN.1 Javascript Decoder for GPG messages
JavaScript
44
star
15

ruby-source_map

A Ruby library for interacting with the awesome javascript SourceMaps.
Ruby
40
star
16

trie-ing

The fastest weighted auto-completion trie known to...
JavaScript
33
star
17

unicode-dragon

Eats invalid unicode for breakfast.
JavaScript
25
star
18

interception

Listen to raise in ruby
Ruby
24
star
19

twitter-followers

A tool to download all a user's twitter followers
Go
22
star
20

http_load

hard-core HTTP load tester from http://acme.com/software/http_load/
C
20
star
21

pry-syntax-hacks

Some syntactic "high fructose corn syrup"s for pry.
Ruby
16
star
22

zepto-ghostclick

A Zepto plugin to help avoid ghost clicks
JavaScript
14
star
23

rfc2047-ruby

An RFC 2047 compliant email header parser
Ruby
11
star
24

motion-rubygems

Very very broken support for rubygems in RubyMotion
Ruby
11
star
25

pry-highlight

Highlights strings in pry output
Ruby
9
star
26

cap-runit

Capistrano 3 runit support
Ruby
9
star
27

gotar

A replacement for `go build` that includes static assets
Go
9
star
28

cause

A backport of Exception#cause from Ruby-2.1.0
Ruby
9
star
29

golo

defer go compile errors to runtime
Go
8
star
30

pry-em

Playing with async stuff is as easy as pry!
Ruby
8
star
31

ruby18_source_location

Giving Ruby 1.8.7 a chance to join in the #source_location fun.
Ruby
8
star
32

conradirwin.github.com

My Blog.
HTML
6
star
33

mongoid-rails

Strong parameters integration with mongoid
Ruby
6
star
34

yada_yada

A reimplementation of perl's Yada Yada operator in ruby!
Ruby
6
star
35

pry-capture

The old version of pry-rescue!
Ruby
5
star
36

encoding-codepage

A rubygem that lets you look up encodings by Microsoft® Code Page Identifier
Ruby
5
star
37

thin-attach_socket

Adds Thin::Backend::AttachSocket for running thin behind einhorn
Ruby
4
star
38

vim-comment-object

Perform actions on an entire comment.
Vim Script
4
star
39

wiktionary

A python library for playing with Wiktionary
Python
4
star
40

go-dwarf

DWARF debugging data parser in go
Go
4
star
41

self

Provides debug-access to private methods and instance variables of ruby Objects
Ruby
4
star
42

optimistic_dev

An optimistic developer twitter persona!
Go
4
star
43

secure_equals

Constant time equality for ruby.
Ruby
4
star
44

canvas-animation-loader

GPU-accelerated canvas animations in webpack
JavaScript
3
star
45

rbenv-all

Provides "rbenv all" for running one command against all your rubies
Shell
3
star
46

p_enwikt

git fork of https://fisheye.toolserver.org/browse/enwikt/
Perl
3
star
47

git-fetch-series

A tool to let you download patches from the git mailing list.
Python
3
star
48

c_location

source_location for methods written in C (Method#c_location)
Ruby
3
star
49

autoconfig.mozillamessaging.com

Mirror of http://svn.mozilla.org/mozillamessaging.com/sites/autoconfig.mozillamessaging.com, Mozilla's ISPDB
DIGITAL Command Language
3
star
50

pry-lexer

A pygments lexer for pry sessions!
Python
3
star
51

proxies

Ruby
2
star
52

jslint-node

Run jslint with node
JavaScript
2
star
53

mruby-example

"Hello world!" executable with mruby
Ruby
2
star
54

bisect

Library for maintaining sorted Arrays borrowed from Python
Ruby
2
star
55

go-for-rubyists

Go for rubyists, a tech talk.
JavaScript
2
star
56

amfs

Go
2
star
57

fireplace

Go
2
star
58

howtobuilda.bike

A writeup of building a bike
CSS
2
star
59

Commune

Ruby
2
star
60

libxml2

My fork of git://git.gnome.org/libxml2
C
2
star
61

motion-rubygems-example

An example project that uses motion-rubygems
Ruby
2
star
62

better-gmail

clean up gmail interface
JavaScript
1
star
63

node-zset

Disk backed semi-sorted sets
CoffeeScript
1
star
64

test

1
star
65

bytes

A small utility for dealing with raw bytes
Go
1
star
66

cap3-elb

Capistrano commands for managing your ELB.
Ruby
1
star
67

qrcode-raplet

A raplet to make it easier to phone people
JavaScript
1
star
68

udt

Ideas for CRDTs
Go
1
star
69

mrsa

Mediated RSA in golang
Go
1
star
70

em-monitor

For monitoring the distribution of CPU-spans in your event machine reactor thread.
Ruby
1
star
71

parallel

Structured concurrency for go
Go
1
star
72

browser-action-open

JavaScript
1
star
73

plotocrat

Automatically plot probability distributions
JavaScript
1
star
74

code-point-mapping

Map between javascript string indices and unicode code point offsets effectively
TypeScript
1
star
75

ggg

An experimental self-hosted debugger for go
Go
1
star
76

music

LilyPond
1
star
77

source_map-jsmin

A Source Map enabled pure-ruby version of Doug Crockford's awesome jsmin
JavaScript
1
star
78

goer

Some people like to browse, other's prefer to go directly.
JavaScript
1
star
79

introducing-teacup

The really simple sample app created in http://cirw.in/blog/introducing-teacup
Ruby
1
star
80

beamer-bootstrap

A bootstrap for beamer presentations that include code and images.
C
1
star
81

airpad

An iPad client for the awesome http://airbrake.io/
Objective-C
1
star
82

tracing-bug

Rust
1
star
83

lxterminal-clicky

A terminal emulator you can click on
C
1
star