Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Libraries for encrypting and storing credentials outside of source code

branch: master
README.md

Build Status

Danger

Just an FYI, this library promotes "bad crypto". I'm not a cryptographer so you'll see a lot of "maybes" and "probably"s. The potential problem lies in the fact that the IV is reused for all values. I'm under the impression that IV reuse can lead to the key being revealed. The possibility of this attack rises with each encrypted value encountered. ActiveSupport's encryptor supports per-value IVs, but that's probably still not enough as the values aren't authenticated in any way.

There is an issue open to fix this (#32), but I just haven't had the time. Even worse, there will need to be a migration path from the old to the new.

If you are using this to store 5-20 passwords, you're probably OK. It's better than nothing in this case.

If you are using this to store a ton of records, you probably should use another encryption method.

Introduction

This is a collection of encryption libraries intended to encrypt and store passwords outside of source code.

Some advantages of keeping credentials out of source code are:

  1. Credentials are not passed around when source code is shared.
  2. Unintentional exposure of source code does not reveal credentials.
  3. Read-access to source code can be much more permissive.
  4. Source code can be checked into version control systems without concern for exposure of credentials.
  5. It is easier to change credentials without having to worry about changing all instances.
  6. Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.

Status

This project is IN PROGRESS. File bugs and feature requests.

Examples

Command line use Generate key/iv in current directory by default

    $ passw3rd -g
    generated keys in /Users/user

    $ passw3rd -g ~/Desktop/
    generated keys in /Users/user/Desktop/

Create a password file

    $ passw3rd -e foobar_app
    Enter the password:
    Wrote password to /Users/neilmatatall/foobar_app
    $ passw3rd -e foobar_app -p ~/Desktop/
    Enter the password:
    Wrote password to /Users/neilmatatall/Desktop/foobar_app

Read a password file

    $ passw3rd -d foobar_app
    The password is: asdf
    $ passw3rd -d foobar_app -p ~/Desktop/
    The password is: asdf

Options

Common options per read/write operation

    -d, --decrypt PATH_TO_PASSWORD   Path to password file
    -e, --encrypt PASSWORD_FILE      Write the password to this location
    -k, --key-dir KEY_PATH           Use the keys specificed in this directory for encryption or decryption (default is current directory)
    -p, --password-dir PATH          Read and write password files to this directory (default is current directory)

Only used when generating keys

    -g, --generate-key [PATH]        generate key/iv and store in PATH, defaults to the current directory

Key rotation: simple

$ rake rotate_keys[~/passwords,~/passwords,aes-256-cbc]

Ruby on Rails config/database.yml

Example configuration in boot.rb:

ENV['passw3rd-cipher_name'] = 'aes-256-cbc'
if %w{production staging}.include? ENV['RAILS_ENV']
  ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
  ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
else
  ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords', __FILE__)
  ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords', __FILE__)
end

Then remove passwords from config files and source code

Before:

development:
  adapter: mysql
  database: rails_development
  username: root
  password: my super secret password


After:

development:
  adapter: mysql
  database: rails_development
  username: root
  password: <%= Passw3rd::PasswordService.get_password('foobar_app') %>

OpenSSL command line

$ openssl enc -e -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey`  -iv `cat ~/.passw3rd-encryptionIV` -in README.md -out test.out
$ openssl enc -d -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey`  -iv `cat ~/.passw3rd-encryptionIV` -out README.md -in test.out

License

License: MIT (see LICENSE file)

Credits

Copyright 2010, YELLOWPAGES.COM LLC Development by Neil Matatall neil.matatall@gmail.com

Something went wrong with that request. Please try again.