Keep configuration data encrypted in production. Pause server initialisation until the decryption key is received.

Secure Setup


Keep your server configuration data encrypted in production.

Security bugs are everywhere. Hence we must build software that stops any individual failure from spreading to entire systems. Should anyone gain access to your production Node server, you wouldn't want them to also get your DB credentials, AWS secrets, Twilio password, etc. Maybe you think you can safely keep data in environment variables or hidden files, but these are trivial to find for someone who has access to your source code.

In production, Secure Setup provides a simple interface for developers to decrypt and use configuration data stored on the server as ciphertext. This is achieved by launching a server that waits until it receives the developer's key. On receipt, the configuration data is decrypted and passed as an object to a setup function. The setup function initialises connections to databases and services, after which the plaintext configuration data is removed from memory.
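The flow described above, sketched as an added example; this is not Secure Setup's own code. The cipher (AES-256-GCM), the scrypt key derivation, the blob layout and the names `encryptConfig`, `decryptConfig` and `boot` are all assumptions made for illustration.

```javascript
// Added illustration, not secure-setup's source.
// Assumed: AES-256-GCM, scrypt, and a blob laid out as salt | iv | tag | ciphertext.
const crypto = require('crypto');

// Derive a 256-bit key from the developer's passphrase and a per-blob salt.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt a config object into one base64 blob that can sit on the server.
function encryptConfig(config, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(passphrase, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(config), 'utf8'), cipher.final()]);
  key.fill(0);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt the blob. A wrong key or a modified blob fails the GCM tag check and throws.
function decryptConfig(blob, passphrase) {
  const raw = Buffer.from(blob, 'base64');
  const salt = raw.subarray(0, 16), iv = raw.subarray(16, 28), tag = raw.subarray(28, 44);
  const key = deriveKey(passphrase, salt);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]);
    const config = JSON.parse(plain.toString('utf8'));
    plain.fill(0); // Buffers can be zeroed in place
    return config;
  } finally {
    key.fill(0);
  }
}

// Production flow: key arrives, config is decrypted, setup(err, config) runs, references are dropped.
// JS strings cannot be zeroed, so deleting keys only stops the plaintext being reachable from here.
function boot(blob, passphrase, setup) {
  let config;
  try { config = decryptConfig(blob, passphrase); }
  catch (err) { return setup(new Error('config decryption failed')); }
  const result = setup(null, config);
  for (const k of Object.keys(config)) delete config[k];
  return result;
}
```

Because GCM is authenticated, a wrong key produces an error rather than garbage config, so the setup callback never runs against half-decrypted data.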

In 'development' mode, Secure Setup will create both plaintext and ciphertext config files (assuming they don't already exist). The setup function is then invoked with the config data as an argument, without the need to manually enter a decryption key.


npm install secure-setup


setup = require 'secure-setup'
setup (err, config) ->
  return console.error err if err
  # Connect to DBs
  # Connect to AWS
  # Connect to Twilio

, options