If you're storing your application keys, passwords and other secrets apart from your main git repository and you are working in a team, you probably know that managing those secrets across the team is a pain in the ass.
OneSecret aims to remedy that by encrypting all your secrets inside Rails' config/secrets.yml and decrypting them on the fly so that they are freely available in your application.
OneSecret uses Rails' secret_key_base as the key for encrypting your secrets, so the only thing you need to set on your Production servers is the secret_key_base (you should be doing this even if you don't use OneSecret).
Add this line to your application's Gemfile:
gem 'one_secret'
And then execute:
$ bundle
This gem only works with Rails >= 4.1, since it tightly integrates with secrets.yml, which was added in Rails 4.1.
To set a new secret, simply call the one_secret:set task with a key and value to encrypt:
rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
That's it! This will encrypt the value and keep it inside config/secrets.yml. Feel free to commit this file to your git repository.
There are 3 ways to access your secrets:
- Inside your app, secrets are decrypted automatically, so you can use them freely:
  Rails.application.secrets.aws_secret_key # => aba41f7bea276da49ef50aa33474fee4
- If you wish to, you can access all secrets through ENV:
  ENV['aws_secret_key'] # => aba41f7bea276da49ef50aa33474fee4
  To enable access through ENV, add this configuration block to application.rb:
  # application.rb
  OneSecret.configure do
    decrypt_into_env!
  end
- If you want to access secrets outside Rails, use the one_secret:get task:
  rake one_secret:get aws_secret_key
  > aba41f7bea276da49ef50aa33474fee4
  or you could use the one_secret:get_all task to get a hash of all decrypted values.
The above commands work in development since you have the secret_key_base set in config/secrets.yml. OneSecret will use the following strategy to determine what the value of secret_key_base should be:
- ENV['SECRET_KEY_BASE']
- Rails.application.secrets.secret_key_base
- STDIN prompt
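To make the scheme concrete, here is an added, self-contained illustration of the flow the README describes: resolve secret_key_base in the order above, derive a symmetric key from it, and encrypt a value into a secrets.yml-shaped hash that decrypts back on the fly. This is not one_secret's own code (the gem's actual cipher and key derivation are not shown on this page); the module name, the PBKDF2 salt and the AES-256-GCM choice are assumptions made for the demo.

```ruby
require 'openssl'
# Hypothetical stand-in for what the README describes; NOT one_secret's own code.
module OneSecretDemo
  # Constructed salt for the demo; the real gem's derivation is not shown on this page.
  KDF_SALT = 'one_secret demo salt'.freeze

  # Key resolution order from the README: ENV, then secrets.yml, then a prompt.
  # `prompt` is a callable so the STDIN step can be simulated offline.
  def self.resolve_key_base(env:, secrets:, prompt:)
    env['SECRET_KEY_BASE'] || secrets['secret_key_base'] || prompt.call
  end

  # Stretch secret_key_base into a 32-byte AES-256 key (PBKDF2-HMAC-SHA256).
  def self.derive_key(secret_key_base)
    OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, KDF_SALT, 10_000, 32, 'sha256')
  end

  # Encrypt one value with AES-256-GCM; output is base64 "iv--tag--ciphertext".
  def self.encrypt(plaintext, secret_key_base)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = derive_key(secret_key_base)
    iv = cipher.random_iv                  # fresh 12-byte nonce per value
    ct = cipher.update(plaintext) + cipher.final
    [iv, cipher.auth_tag, ct].map { |b| [b].pack('m0') }.join('--')
  end

  # Decrypt; a wrong secret_key_base or a tampered blob raises
  # OpenSSL::Cipher::CipherError because the GCM tag will not verify.
  def self.decrypt(blob, secret_key_base)
    iv, tag, ct = blob.split('--').map { |b| b.unpack1('m0') }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = derive_key(secret_key_base)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.update(ct) + cipher.final
  end

  # Round trip through a secrets.yml-shaped hash, as `rake one_secret:set` and then
  # `Rails.application.secrets.<name>` would. Returns the decrypted value.
  def self.round_trip(name, value, secret_key_base)
    secrets = { 'production' => { name => encrypt(value, secret_key_base) } }
    decrypt(secrets['production'][name], secret_key_base)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Real ENV first, then a constructed secrets.yml value, then a stand-in prompt.
  key = OneSecretDemo.resolve_key_base(env: ENV, secrets: { 'secret_key_base' => 'dev-key' }, prompt: -> { 'prompted' })
  puts OneSecretDemo.round_trip('aws_secret_key', 'aba41f7bea276da49ef50aa33474fee4', key)
end
```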
Since the Production secret_key_base is only available on your Production servers, you should provide the secret_key_base to the one_secret:set Rake task when setting Production secrets. This could be done in one of the following ways:
If your app is hosted on Heroku, you can wire in heroku config:get:
$ RAILS_ENV=production SECRET_KEY_BASE=`heroku config:get SECRET_KEY_BASE` rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
If you're not hosted on Heroku, you can pass your Production secret_key_base to Rake:
 RAILS_ENV=production SECRET_KEY_BASE=<your production secret> rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
Important - note that there is an extra space at the beginning of this command. Make sure you prefix your command with that extra space so it doesn't get saved in your shell history.
If your running environment doesn't have a secret_key_base, OneSecret will simply prompt for it:
$ RAILS_ENV=production rake one_secret:set aws_secret_key aba41f7bea276da49ef50aa33474fee4
> <OneSecret> Please enter your secret key: <paste your production secret here>
Accessing secrets is the same for Production, as your Production machines would typically have ENV['secret_key_base'] present.
- Fork it ( https://github.com/rauchy/one_secret/fork )
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create a new Pull Request