YamlVault

Yaml file encryption/decryption helper.

Breaking Changes from 0.x to 1.0

  • The output YAML file keeps alias, anchor and tag syntax (but empty lines are trimmed).
  • The --key format has changed: the path must now start with $, which denotes the root document.
  • --key supports new formats: root document, wildcard, regexp and quoted keys.

Encryption Algorithm

yaml_vault uses ActiveSupport::MessageEncryptor.

The default cipher is aes-256-cbc and the default signing digest is SHA256.
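To make the encrypt-then-MAC layout of the encrypted values concrete, here is an added example that is not yaml_vault's own code (the gem delegates to ActiveSupport::MessageEncryptor). It rebuilds the token shape that is visible in the encrypted output below, `base64(base64(ciphertext)--base64(iv))--hex(HMAC-SHA256)`, using only the Ruby OpenSSL standard library. The PBKDF2 key derivation and the fixed salts are assumptions made for the illustration, not the gem's key handling; the point it shows is that the MAC is checked (in constant time) before any ciphertext is decrypted, so a tampered value or a wrong passphrase is rejected rather than producing garbage.

```ruby
require "openssl"
require "base64"

CIPHER = "aes-256-cbc"
DIGEST = "SHA256"
# Fixed salts are an assumption for this illustration only; they make the
# derived keys reproducible so the round trip can be checked.
ENC_SALT  = "example-encrypt-salt"
SIGN_SALT = "example-sign-salt"

# Derive a 32-byte key from a passphrase (PBKDF2-HMAC-SHA256; an assumption,
# not the gem's own derivation).
def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 100_000, length: 32, hash: "sha256")
end

# Produce a token in the layout seen in the encrypted output:
#   base64( base64(ciphertext) + "--" + base64(iv) ) + "--" + hex(HMAC-SHA256 over the base64 part)
def encrypt_value(plain, enc_key, sign_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = enc_key
  iv = cipher.random_iv                      # fresh random IV per value
  ciphertext = cipher.update(plain) + cipher.final
  inner = "#{Base64.strict_encode64(ciphertext)}--#{Base64.strict_encode64(iv)}"
  data  = Base64.strict_encode64(inner)
  "#{data}--#{OpenSSL::HMAC.hexdigest(DIGEST, sign_key, data)}"
end

# Constant-time comparison so MAC checking does not leak where the mismatch is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the MAC first; only then touch the ciphertext (encrypt-then-MAC).
def decrypt_value(token, enc_key, sign_key)
  data, mac = token.split("--", 2)
  raise "malformed token" if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(DIGEST, sign_key, data)
  raise "signature mismatch" unless secure_equal?(mac, expected)
  ct_b64, iv_b64 = Base64.strict_decode64(data).split("--", 2)
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = enc_key
  cipher.iv  = Base64.strict_decode64(iv_b64)
  cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final
end

# Round trip of one constructed value with separate encryption and signing keys.
def demo(passphrase = "correct horse")
  enc_key  = derive_key(passphrase, ENC_SALT)
  sign_key = derive_key(passphrase, SIGN_SALT)
  token = encrypt_value("hogehoge", enc_key, sign_key)
  decrypt_value(token, enc_key, sign_key)
end
```

Because the HMAC covers the base64 payload (ciphertext and IV together), flipping any character of a stored value makes `decrypt_value` raise "signature mismatch" instead of decrypting to a corrupted plaintext.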

Installation

Add this line to your application's Gemfile:

gem 'yaml_vault'

And then execute:

$ bundle

Or install it yourself as:

$ gem install yaml_vault

Usage

Encrypt

# secrets.yml

default: &default
  hoge: fuga
  aaa: true
  bbb: 2

foo: bar

complicated:
  - 1
  - ["hoge", "fuga"]
  - [{key1: val1, key2: val2}, {key3: val3}]
  - a:
      b:
        c: d
        e: !ruby/range 1..10

test:
  <<: *default
  hoge:
    - 1
    - 2
    - 3

vault:
  secret_data: "hogehoge"
  secrets:
    - 0
    - 1
    - "two"
    - true
    - four: 4
    - :five
    - :a:
        b: !ruby/range 1..10
    - [{key1: val1, key2: val2}, {key3: val3}]

% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml
Enter passphrase: <enter your passphrase>

The output is:

# encrypted_secrets.yml

default: &default
  hoge: cTlEZkloUDlBS0F3VGdzL25PcXZRUT09LS1QdEFSZklJRlpGTWNVLzU5RC9IT2VnPT0=--f68324e76662ee92be4ff11faabf963bcba9b464d2a0af8cb505611755cf698c
  aaa: RUNneXhXYnBVVVRod0o1aTN2ZkRRZz09LS1BYjBYQXp3OGI2dE9TMERKNVZGbzd3PT0=--81ca6f9320426bfb52e4318c209ebe9e1e0f7ff54567aed4dd6a0ae9d7dce22b
  bbb: c2ExRXFpUXZKN1ltanRRUHpxMGduQT09LS1jWjVpbG9tTk9BRFdRc0QvbTBSVFBBPT0=--c63c47a104032b6aa4169ec58df5d2c4e0c5f38febbfb8f2167ae034fb93f488
foo: cWs4SmFVN3NXMGNra2tMUS9Ucmx5Zz09LS1meElVMXp0MSs0UGtrbW1tcnFKTnBnPT0=--ce755376767167c71a389637080465884295be1094e203a5c5ef396c2f13b7a8
complicated:
- ejBlc09wejFITmRpOUVBWVduQmZiQT09LS12YzdZN1hselkzQWNIOWpYd3QrR0dRPT0=--1fa11f7719fb0ffc7ce50eda52b8813d8ca547c341e710c044f8282767a22cfb
- ["ZHFlWjN3cUdMdFdFTDQwM2w0WW8xUT09LS1aOTNwU2NtQ0IvWHNYU1dJZGFCMUl3PT0=--b1ac20a6388d46e2e36bb50553cf89af673fbb4ff7ab83e96f0a315e806f5cd0",
  "L0pBVHVMSXdlMEVQbTRKTGJKb2pOZz09LS1xTjRRbEs3SFpDK2szRlpDYTFuYlV3PT0=--d65702ec4880c52dfe074a12af02498e16b84452231ca2390205a752b19b4986"]
- [{key1: dmNxVjI3c242YngwcHY4cGhJTmRZUT09LS1jYXh1LzdyTy9FK1VwVjVidkU1aUNBPT0=--b04624c5b3a7c5dfbdc5a69811cb5a194fbbd6da0d2266231d25d0bee9da3bf6,
    key2: eHBOM0xlRmczRFl1UERRdCtzbGF3dz09LS1TTjdWdHlqVlIreUhtekE0VGpsVEt3PT0=--ccd53fcfc3d3f51f5b4a97f5b1508e77e9149b0100995e0588b289fde920aba7},
  {key3: VHg2V2VHWjZCcHhHRWJZTHFXZGhUZz09LS1kTisvY3FZaDlaTEFjODNXeFQwTjFBPT0=--e6f809a272f4a7b347f4fcf28241cd51b1293310a1e7d372f19488c2c7a726e2}]
- a:
    b:
      c: d254QmFnRFprMUJldDBkRjlVWUpMQT09LS1CTFhQUUQzWUw3K3FUQnJVWkFLRzdnPT0=--85522ae049be7808ae77b586c9e9e1af225b08c44becbe60ec1995f2f4b31668
      e: enBYUkYrMkt1ZkdHd2JHbzAyNFo3czBpVmZRU0psaDNMalcyU2lKbEQvUT0tLVF5QSt6RXd2L0ptbHp0UVZCcm9LdXc9PQ==--06e9fa609a5a8f9f81997b314e54a91959088819b8a0f05fede68769d841ee3b
test:
  <<: *default
  hoge:
  - eERDbWVSeFhZNkJzNVFvSkRVMWFaZz09LS02WVFSamRDbmxEbXF4WExkSTFvUzl3PT0=--05bf3dcd005b32455409c70212d64452b0af3ec78471fa69760ad85dcd6147d4
  - Y1BPRGZIQys0bTBJdFJuV21WSWJBUT09LS1xZFdQcmVpd3ltWnVSWEttcVZ1Z3VRPT0=--6c57387b420bc569494a0308e896d8426ec7b6a649a6a1f890e779bc792fc9a0
  - anVLa2dXTWo1ckVVTlhQZG0vdVRHZz09LS04K3FIV2lsSUI5V01pR1ljS3lCWDVnPT0=--545a128c08152415ff27c35c89cb0ab1b5625530716ac8f8daf5f2e61fbe450c
vault:
  secret_data: "NUR1aFdaMjMrSkI2MyswRC84UXJzWUprVXgvZnBmRXhBM0dqUWdpOTBMaz0tLUJ4NmtpeUQ3dG0rN080cDZMWmlwc1E9PQ==--7e812eabdc22af8e46db8a7b8f361deb6484d3aa8568d4bc95d6e73c00149c28"
  secrets:
  - emExNlNIQ2tiNTliU1ZhU1FzUXBtQT09LS1pajcyYUU0bnlYSlorTEtFOEZyZVRRPT0=--c8483428c33401e99e55e7634ba468bcba219ab02034bb4ad80c89d639f52323
  - NXJ4c2JId0xLWUk0dHY2NHJyVzNIdz09LS0vUnlpWGptaitmYUZ0bk4zY1I0YWVnPT0=--18f9764a068ba555c5261be70de469e0460ef14b8a1636f418bddcb0b7b4ffcf
  - "WUFwWTEzK1lpOHJseGEwbGFmTEs4dz09LS1EK2xwNUFsSExQT2Zwa0p5QjFGbWJnPT0=--3f66ca21b4f1bae17d03233afc0ee80a1a42371244ac38ce71f284266bec3a95"
  - dGd2d1k4MTFSMHp3cy9xZE9NaGpIUT09LS1GcWNKdisxMlRGTzBLV2Zjam9PRmZ3PT0=--1f19086e9908d4c5313c3abfab8f6c8697785273c14ab0a2f39634a57ac57e72
  - four: QXlGUGsyYnB6dEtNWk9ia3MvR2duZz09LS1DWGprWVVIS2VkbjJrYnl0MkVmcUlBPT0=--0e426924db2fa7e577e4e4d7d62ce8f7e9390f14e72f90aca59be88df252b110
  - dDAvZzdNampwUmsrY1Q3ME5VaWNkQT09LS13YUJQVm9kZXpFMlpxVTVPRDJ3RG1RPT0=--c53ab9535f06eef08e41dbf9fd1641421760309f381c37016ce27d17d6910f11
  - :a:
      b: NHgycERIaXlQaTR2V09weWFUbG9DZE1aQ3pTZ1h0OWo0VzJ4NkRMaDk5WT0tLWhMc21MUHJOQnowTHlnSnhxUkluNVE9PQ==--081f7b5f9bc982f7270454a8453b5fcf860bea9ed6f8454a0f8509b0cc2a8638
  - [{key1: WHkwOEc5NVcvNm5IMTVNc24xWUtYdz09LS1GZGc0K2J2V3F5bW5iS29Vb1grcFNRPT0=--c453f9e814e4d62294d1d5d20b71db8825e8f94933ad8af157ca7860407e39c5,
      key2: eUZlQlgzVTFFRjVKUjF3dTZ6RlRidz09LS1rUzRtN2VlS2ZmRDFuR3JCMkRMRTNRPT0=--d30ebbf61e5393d3502e71486379215c4ea95d3f4697faa209214dd23d64e1fd},
    {key3: YStlVTBFZjZQQlVDWHhjMS85L052Zz09LS0rL2JtbUI2eFY2QVZsbG92OGM4Z2lnPT0=--ffc85954e68fdde7e03fdbaa715c43d624c2825e28439de3ce2d2fa0e9debe0b}]

If you use the --key option:

% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml -k $.vault.secret_data
Enter passphrase: <enter your passphrase>

The output is:

# encrypted_secrets.yml

default: &default
  hoge: fuga
  aaa: true
  bbb: 2
foo: bar
complicated:
  - 1
  - ["hoge", "fuga"]
  - [{key1: val1, key2: val2}, {key3: val3}]
  - a:
      b:
        c: d
        e: !ruby/range 1..10
test:
  <<: *default
  hoge:
    - 1
    - 2
    - 3
vault:
  secret_data: SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1
  secrets:
  - 1
  - 2
  - "three"
  - true
  - four: 4

The --key option supports the following segment formats:

  • $ denotes the root document
  • * is a wildcard matching any array index or map key
  • /str/ is a regexp matched against map keys
  • :<key_name> is a Symbol key
  • [0] is an array index
  • 'str' is a map key (single-quoted string)
  • "str" is a map key (double-quoted string)
  • other_string is a plain map key

--key must start with $.

e.g. $.production.:slaves.[0].*.:password

You can also use the --prefix and --suffix options to format the encrypted value, e.g. by providing --prefix "ENC(" --suffix ")" you get the following output from the above example:

# encrypted_secrets.yml

default: &default
...
vault:
  secret_data: ENC(SzZoOGlpcSs4UlBaQnhTYWx0YlN3NHk2QXhiZGYvVmpsc0c3ckllSlh1TT0tLU13ZERzRWsxaGc0Y090blNIdXVVMmc9PQ==--24b2af56d2563776ca316dbfa243333dd053fea1)
...
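The --key selection rules above, with the --prefix/--suffix wrapping, as an added example. This is a small re-implementation written for this page, not yaml_vault's own parser, so the matching semantics are assumptions: segments are separated by ".", a regexp segment is matched against the key converted to a string, quoted segments may contain ".", and selecting a subtree replaces every scalar leaf under it. The sample document is constructed for the example.

```ruby
# Sentinel for the "*" segment so it cannot collide with a real key.
WILDCARD = Object.new.freeze

# Turn a bare (unquoted, non-regexp) segment into its matcher value.
def bare_segment(text)
  case text
  when "*" then WILDCARD
  when /\A\[(\d+)\]\z/ then Regexp.last_match(1).to_i   # [0] -> array index
  when /\A:(.+)\z/ then Regexp.last_match(1).to_sym      # :name -> Symbol key
  else text                                              # plain String key
  end
end

# Split "$.a.:b.[0].*./re/.'q.q'" into matcher segments, dropping the leading "$".
def parse_key_spec(spec)
  raise ArgumentError, "--key must start with $" unless spec == "$" || spec.start_with?("$.")
  segments = []
  i = 0
  while i < spec.length
    c = spec[i]
    if c == "/"                                   # /str/ regexp
      j = spec.index("/", i + 1) or raise ArgumentError, "unterminated regexp in #{spec}"
      segments << Regexp.new(spec[(i + 1)...j])
      i = j + 1
    elsif c == "'" || c == '"'                    # quoted map key, may contain "."
      j = spec.index(c, i + 1) or raise ArgumentError, "unterminated quote in #{spec}"
      segments << spec[(i + 1)...j]
      i = j + 1
    else
      j = spec.index(".", i) || spec.length
      segments << bare_segment(spec[i...j])
      i = j
    end
    raise ArgumentError, "expected '.' at offset #{i} in #{spec}" unless i >= spec.length || spec[i] == "."
    i += 1
  end
  segments.shift  # the "$" root segment
  segments
end

def key_matches?(seg, key)
  return true if seg.equal?(WILDCARD)
  return seg.match?(key.to_s) if seg.is_a?(Regexp)
  seg == key
end

def index_matches?(seg, index)
  seg.equal?(WILDCARD) || seg == index
end

# All paths (arrays of keys/indices) that a parsed key spec selects in node.
def matched_paths(node, segments, path = [], acc = [])
  return acc << path if segments.empty?
  seg, rest = segments[0], segments[1..]
  case node
  when Hash
    node.each { |k, v| matched_paths(v, rest, path + [k], acc) if key_matches?(seg, k) }
  when Array
    node.each_with_index { |v, i| matched_paths(v, rest, path + [i], acc) if index_matches?(seg, i) }
  end
  acc
end

# Apply blk to every scalar leaf under node, keeping the structure.
def map_leaves(node, &blk)
  case node
  when Hash  then node.transform_values { |v| map_leaves(v, &blk) }
  when Array then node.map { |v| map_leaves(v, &blk) }
  else blk.call(node)
  end
end

# Copy of node where every leaf selected by the spec is replaced by blk's result.
def transform_selected(node, segments, &blk)
  return map_leaves(node, &blk) if segments.empty?
  seg, rest = segments[0], segments[1..]
  case node
  when Hash
    node.to_h { |k, v| [k, key_matches?(seg, k) ? transform_selected(v, rest, &blk) : v] }
  when Array
    node.each_with_index.map { |v, i| index_matches?(seg, i) ? transform_selected(v, rest, &blk) : v }
  else
    node  # the spec descends further than this branch goes; leave it alone
  end
end

SAMPLE_DOC = {  # constructed sample, not the README's secrets.yml
  "production" => {
    :slaves => [
      { "db1" => { :password => "p1", :port => 5432 }, "db2" => { :password => "p2" } },
      { "db3" => { :password => "p3" } }
    ],
    "api.key" => "k"
  }
}

# Stand-in for encryption: wrap selected leaves as --prefix "ENC(" --suffix ")" would.
def demo
  spec = parse_key_spec("$.production.:slaves.[0].*.:password")
  transform_selected(SAMPLE_DOC, spec) { |v| "ENC(#{v})" }
end
```

`matched_paths` is useful on its own as a dry run: listing which paths a --key selects before encrypting shows whether a wildcard or regexp is wider or narrower than intended, which is the usual way a secret ends up left in plaintext.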

AWS KMS Encryption

The maximum encryptable value size is 4096 bytes (the value size as encoded by Base64).

% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml --cryptor=aws-kms \
  --aws-region=ap-northeast-1 \
  --aws-kms-key-id=<kms-cms-key-id> \
  --aws-access-key-id=<AWS_ACCESS_KEY_ID> \
  --aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>

If region, access key id or secret access key is not given, ENV["AWS_REGION"], ENV["AWS_ACCESS_KEY_ID"] and ENV["AWS_SECRET_ACCESS_KEY"] are used, falling back to the default credentials chain or the Instance Profile.

GCP KMS Encryption

% yaml_vault encrypt secrets.yml -o encrypted_secrets.yml --cryptor=gcp-kms \
  --gcp-kms-resource-id=<kms-resource-id> \
  --gcp-credential-file=<credential-json-file-path>

e.g. --gcp-kms-resource-id=projects/<PROJECT_ID>/locations/global/keyRings/<KEYRING_ID>/cryptoKeys/<KEY_ID>

If --gcp-credential-file is not set, the Google Application Default Credentials flow is used (https://developers.google.com/identity/protocols/application-default-credentials).

Decrypt

% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml
Enter passphrase: <enter your passphrase>

If ENV["YAML_VAULT_PASSPHRASE"] is set, it is used as the passphrase instead of prompting.

Note: pass the same --prefix and --suffix if the YAML was encrypted using these options, otherwise the wrapped values are not recognised.

AWS KMS Decryption

% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml --cryptor=aws-kms \
  --aws-region=ap-northeast-1 \
  --aws-access-key-id=<AWS_ACCESS_KEY_ID> \
  --aws-secret-access-key=<AWS_SECRET_ACCESS_KEY>

GCP KMS Decryption

% yaml_vault decrypt encrypted_secrets.yml -o secrets.yml --cryptor=gcp-kms \
  --gcp-kms-resource-id=<kms-resource-id> \
  --gcp-credential-file=<credential-json-file-path>

Direct Assignment

# decrypt `configs['vault']` and `configs['production']['password']`
# (the second argument lists each target as an array of keys from the root)

# Simple Encryption
configs = YamlVault::Main.from_file(
  File.expand_path("../encrypted_sample.yml", __FILE__),
  [["vault"], ["production", "password"]],
  passphrase: ENV["YAML_VAULT_PASSPHRASE"], sign_passphrase: ENV["YAML_VAULT_SIGN_PASSPHRASE"]
).decrypt

# AWS KMS
configs = YamlVault::Main.from_file(
  File.expand_path("../encrypted_sample.yml", __FILE__),
  [["vault"], ["production", "password"]],
  "kms",
  aws_kms_key_id: ENV["AWS_KMS_KEY_ID"],
  aws_region: ENV["AWS_REGION"],     # optional
  aws_access_key_id: "xxxxxxx",      # optional
  aws_secret_access_key: "xxxxxxx",  # optional
).decrypt

# GCP KMS
configs = YamlVault::Main.from_file(
  File.expand_path("../encrypted_sample.yml", __FILE__),
  [["vault"], ["production", "password"]],
  "gcp-kms",
  gcp_kms_resource_id: "xxxxxxx",
  gcp_credential_file: File.expand_path("../credential.json", __FILE__)
).decrypt

How to use with docker

docker run -it \
  -v `pwd`/:/vol \
  joker1007/yaml_vault \
  encrypt /vol/secrets.yml -o /vol/encrypted_secrets.yml

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment. Run bundle exec yaml_vault to use the gem in this directory, ignoring other installed copies of this gem.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/joker1007/yaml_vault.
