Use pemcrypt to automatically encrypt and decrypt JSON configuration files
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Use pemcrypt to automatically encrypt and decrypt any file

Getting Started

This plugin requires Grunt ~0.4.1

If you haven't used Grunt before, be sure to check out the Getting Started guide, as it explains how to create a Gruntfile as well as install and use Grunt plugins. Once you're familiar with that process, you may install this plugin with this command:

npm install grunt-pemcrypt --save-dev

Once the plugin has been installed, it may be enabled inside your Gruntfile with this line of JavaScript:


The "pemcrypt" task


In your project's Gruntfile, add the task you want to automate to the data object passed into grunt.initConfig().

var path = require('path');
var cwd = process.cwd();
var pemkey = path.join(cwd, '.private.pem');

  pem_gen: {
    key: { pem: pemkey }
  pem_encrypt: {
    foo: { pem: pemkey, store: 'foo' }
  pem_decrypt: {
    foo: { pem: pemkey, store: 'foo' }

Task pem_gen

Generates a private .pem key at the provided absolute file path. In the example I picked a file path in the project root, but you might want to keep your .pems outside the working directory for your repository altogether. You can optionally pass in a size value to determine the strength of the private key generated.

grunt pem_gen:key

Task pem_encrypt

Encrypts the store file sitting on our cwd, we can override cwd by passing it as an option. For example:

  "pem_encrypt": {
    "foo": {
      "pem": pemkey,
      "store": "foo",
      "cwd": __dirname + '/bar'

Alternatively to providing a store, you can provide different locations for each of your versions, for example:

  "pem_encrypt": {
    "foo": {
      "pem": pemkey,
      "pemstore": "secure/foo",
      "rawstore": "private/foo"

Task pem_decrypt

Decrypts the store file, using the same pem that encrypted it. This task carries the same configuration options found in the pem_encrypt task.


Generate the private key only once, then encrypt and decrypt all you like using that one key.