This is a collection of encryption libraries intended to encrypt and store passwords outside of source code.
Some advantages of keeping credentials out of source code are:
- Credentials are not passed around when source code is shared.
- Unintentional exposure of source code does not reveal credentials.
- Read-access to source code can be much more permissive.
- Source code can be checked into version control systems without concern for exposure of credentials.
- It is easier to change credentials without having to worry about changing all instances.
- Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.
This project is IN PROGRESS. File bugs and feature requests.
Command line use
Generate key/iv in current directory by default
$ passw3rd -g
generated keys in /Users/user
$ passw3rd -g ~/Desktop/
generated keys in /Users/user/Desktop/
Create a password file
$ passw3rd -e foobar_app
Enter the password:
Wrote password to /Users/neilmatatall/foobar_app
$ passw3rd -e foobar_app -p ~/Desktop/
Enter the password:
Wrote password to /Users/neilmatatall/Desktop/foobar_app
Read a password file
$ passw3rd -d foobar_app
The password is: asdf
$ passw3rd -d foobar_app -p ~/Desktop/
The password is: asdf
Common options per read/write operation
-d, --decrypt PATH_TO_PASSWORD Path to password file
-e, --encrypt PASSWORD_FILE Write the password to this location
-k, --key-dir KEY_PATH Use the keys specified in this directory for encryption or decryption (default is current directory)
-p, --password-dir PATH Read and write password files to this directory (default is current directory)
Only used when generating keys
-g, --generate-key [PATH] generate key/iv and store in PATH, defaults to the current directory
$ rake rotate_keys[~/passwords,~/passwords,aes-256-cbc]
Ruby on Rails config/database.yml
Example configuration in boot.rb:
ENV['passw3rd-cipher_name'] = 'aes-256-cbc'
if %w{production staging}.include? ENV['RAILS_ENV']
  ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
  ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords/production', __FILE__)
else
  ENV['passw3rd-password_file_dir'] = File.expand_path('../../passwords', __FILE__)
  ENV['passw3rd-key_file_dir'] = File.expand_path('../../passwords', __FILE__)
end
Then remove passwords from config files and source code
Before:
development:
  adapter: mysql
  database: rails_development
  username: root
  password: my super secret password
After:
development:
  adapter: mysql
  database: rails_development
  username: root
  password: <%= PasswordService.get_password('foobar_app') -%>
OpenSSL command line
$ openssl enc -e -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey` -iv `cat ~/.passw3rd-encryptionIV` -in README.md -out test.out
$ openssl enc -d -aes-256-cbc -K `cat ~/.passw3rd-encryptionKey` -iv `cat ~/.passw3rd-encryptionIV` -out README.md -in test.out
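A Ruby equivalent of the two openssl commands above, added here as an example and not taken from passw3rd's own code. It assumes the key and IV files hold hex strings (as -K and -iv require) and that the one generated key/IV pair is reused for every password file; generate_keys, load_cipher, crypt and demo are hypothetical names.

```ruby
require 'openssl'
require 'tmpdir'
CIPHER_NAME = 'aes-256-cbc' # cipher named on this page
# File names come from the openssl commands above; hex contents are an
# assumption implied by passing them to -K and -iv.
KEY_FILE = '.passw3rd-encryptionKey'
IV_FILE  = '.passw3rd-encryptionIV'

# Hypothetical helper: write a fresh hex key/IV pair readable by the owner only.
def generate_keys(dir)
  cipher = OpenSSL::Cipher.new(CIPHER_NAME).encrypt
  { KEY_FILE => cipher.random_key, IV_FILE => cipher.random_iv }.each do |name, bytes|
    File.write(File.join(dir, name), bytes.unpack1('H*'), perm: 0o600)
  end
end

# Build a cipher from the key directory, refusing group/world-accessible key files.
def load_cipher(dir, mode)
  key_hex, iv_hex = [KEY_FILE, IV_FILE].map do |name|
    path = File.join(dir, name)
    raise "#{name} is accessible to group or other" unless (File.stat(path).mode & 0o077).zero?
    File.read(path).strip
  end
  cipher = OpenSSL::Cipher.new(CIPHER_NAME)
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = [key_hex].pack('H*')
  cipher.iv  = [iv_hex].pack('H*')
  cipher
end

def crypt(dir, mode, data)
  cipher = load_cipher(dir, mode)
  cipher.update(data) + cipher.final
end

# Runs the whole flow in a temp directory with a constructed sample password.
def demo
  Dir.mktmpdir do |dir|
    generate_keys(dir)
    first  = crypt(dir, :encrypt, 'asdf')
    second = crypt(dir, :encrypt, 'asdf')
    File.chmod(0o644, File.join(dir, KEY_FILE)) # simulate a loosened key file
    refused = (crypt(dir, :decrypt, first); false) rescue true
    File.chmod(0o600, File.join(dir, KEY_FILE))
    { plaintext: crypt(dir, :decrypt, first), identical: first == second, refused: refused }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

With a reused key and IV, identical passwords produce identical ciphertext, and anyone who can read the key directory can decrypt every password file. Keep the key directory's permissions tighter than the source tree's.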
License: MIT (see LICENSE file)
Copyright 2010, YELLOWPAGES.COM LLC. Development by Neil Matatall.