WORK IN PROGRESS: use at your own risk
The goal of encryptedCredentials
is to provide a simple, secure way to
store credentials (e.g. API keys) and other sensitive data in your R
project, in particular shiny applications or analyses.
It follows the approach of Rails by creating a single, encrypted yml file that contains all your credentials. The file is secured by a master key, which is either saved (but not checked in) to disk or is available using environment variables.
You can install the released version of encryptedCredentials from CRAN with:
install.packages("encryptedCredentials")
remotes::install_github("dirkschumacher/encryptedCredentials")
The following code generates a new, random master key and stores it in
master.key
. It also uses the usethis
package to git-ignore the
master.key
file (in case you use git).
You run this function when setting up your project.
NEVER share this file with anyone.
library(encryptedCredentials)
use_encrypted_credentials()
#> Created the master.key file. Never share this file or commit it to git.
#> Created the credentials.yml.enc file. This is where your secrets are stored encryptedly.
The command above creates a key stored in master.key
.
There are generally two options to supply a master key:
- Having a
master.key
file in your working directory - Having an environment variable
R_ENCRYPTED_CRED_MASTER_KEY
with your key
You can use write_encrypted_credentials
to replace/update the content
in your encrypted yml file.
write_encrypted_credentials(
list(
databases = list(
postgres_url = "postgres://...",
redis_url = "..."
),
aws = list(
access_key_id = "abcded",
secret_access_key = "abcded"
)
)
)
#> It is recommended to restart your R session to remove any traces of data you just wrote to disk.
Everytime you call it, the key is read from the master.key
file or
from the environment. Then the data is converted to yml, encrypted and
saved to disk in the root directory of your project.
Its content looks like this:
readLines("credentials.yml.enc")
#> [1] "77bd5f22f807c99e26b340450f80ab1ba00332372580e0ffb769eb68b0ccfe1baa5b5b6c62a443060276d313bef06c3377c971f67a765ed614f1565b4fdd22d867ac49b408361c04003970c0c1e1ec36a8f5aada50c6c96c6858eb513622ff704212c4789c50ee33e1282eb872bea6ed61c1a3f333fec8a8b035656e100aa6ad5d54c90bdbae"
#> [2] "1e9c32a43f6eca0ed5014bd05be615f76bd263b0141367b1"
To access the information simply run the following command:
credentials <- read_encrypted_credentials()
credentials
#> $databases
#> $databases$postgres_url
#> [1] "postgres://..."
#>
#> $databases$redis_url
#> [1] "..."
#>
#>
#> $aws
#> $aws$access_key_id
#> [1] "abcded"
#>
#> $aws$secret_access_key
#> [1] "abcded"
This function looks for a valid key either in master.key
or in the
environment variable, decrypts the file in memory, converts the yml file
to an R object and returns it.
The key is either stored in master.key
or you can pass it using the
R_ENCRYPTED_CRED_MASTER_KEY
environment variable.
For shiny apps, the best way is probably using the environment variable,
while on personal projects (like a local R project that is checked into
git) the master.key
approach is probably best suited.
Only the credentials.yml.enc
is intented to be commited together with
you source code. Never share master.key
.
Currently the package uses a 32 bytes long random key, generated by
sodium::random
. It then uses sodium::data_encrypt|decrypt
(with a
new, random nonce) to secure the credentials file. All logic is stored
in crypt.R
and I am happy to hear any comments, suggestions or
security concerns.