EJSON
EJSON is a small library to manage encrypted secrets using PKCS7 (asymmetric) encryption. It provides a simple command interface to manage and update secrets in a JSON file where keys are cleartext and values are encrypted.
Installation
It's on rubygems. Just gem install ejson or add it to your Gemfile.
Usage
1) Create a secrets.ejson:
echo '{"a": "b"}' > config/secrets.production.ejson
Keys in this file will remain in cleartext, while values will all be encrypted. It can be arbitrarily nested.
2) Encrypt the file:
ejson
This updates config/secrets.ejson in place, encrypting any newly-added or modified values that are not yet encrypted. ejson is short-hand for ejson encrypt.
3) Decrypt the file:
ejson decrypt -k ~/.keys/ejson.priv.pem -p config/ejson.pub.pem secrets.production.ejson > secrets.production.json
Unlike encrypt, decrypt doesn't update the file in place; it prints the decrypted contents to stdout. It also requires access to the private key created in step 1.
See ejson help for more information.
Custom keypair:
We use a single keypair internally; the default public key is fetched from S3 on each run. However, you can generate your own keypair like so:
mkdir config && cd config
openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
publickey.pem and privatekey.pem are created. Move privatekey.pem somewhere more secure.
mkdir -p ~/.keys
mv config/privatekey.pem ~/.keys/ejson.pem
Then you can encrypt like:
ejson encrypt -p config/publickey.pem secrets.ejson
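The following Ruby script is an added illustration of the model the usage steps and the custom-keypair section describe: keys stay in cleartext, leaf string values are encrypted with PKCS7 to the holder of a certificate, re-running encryption leaves already-encrypted values untouched, and decryption needs the private key. It is not the ejson gem's own code and does not reproduce the gem's on-disk value encoding; the marker it uses to recognise an already-encrypted value (the PEM PKCS7 header) and the treatment of non-string leaves (passed through unchanged) are choices made for this example. The self-signed certificate is generated in-process as a stand-in for the openssl req command above.

```ruby
require "openssl"
require "json"

# Marker this illustration uses to detect a value that is already encrypted.
# OpenSSL::PKCS7#to_pem emits exactly this header line. (Illustrative choice,
# not the gem's own encoding.)
ENCRYPTED_PREFIX = "-----BEGIN PKCS7-----".freeze

# Throwaway RSA key plus self-signed certificate, standing in for the
# `openssl req -x509 ...` step. A real deployment keeps the private key
# off the machines that only need to encrypt.
def generate_keypair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=ejson-demo")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

def encrypted?(value)
  value.is_a?(String) && value.start_with?(ENCRYPTED_PREFIX)
end

# Encrypt one plaintext value to the certificate (PKCS7 enveloped data).
def encrypt_value(cert, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_pem
end

# Decrypt one PEM-encoded PKCS7 value; raises OpenSSL::PKCS7::PKCS7Error on
# a malformed blob or a key that does not match the recipient certificate.
def decrypt_value(key, cert, pem)
  OpenSSL::PKCS7.new(pem).decrypt(key, cert).force_encoding("UTF-8")
end

# Walk nested hashes/arrays, encrypting leaf strings that are not yet
# encrypted. Hash keys are never touched, so the structure stays readable
# and diffs only show which values changed.
def encrypt_tree(cert, node)
  case node
  when Hash then node.each_with_object({}) { |(k, v), h| h[k] = encrypt_tree(cert, v) }
  when Array then node.map { |v| encrypt_tree(cert, v) }
  when String then encrypted?(node) ? node : encrypt_value(cert, node)
  else node # numbers, booleans, nil pass through in this illustration
  end
end

def decrypt_tree(key, cert, node)
  case node
  when Hash then node.each_with_object({}) { |(k, v), h| h[k] = decrypt_tree(key, cert, v) }
  when Array then node.map { |v| decrypt_tree(key, cert, v) }
  when String then encrypted?(node) ? decrypt_value(key, cert, node) : node
  else node
  end
end

# File-level round trip: JSON text in, encrypted JSON text out (what the
# in-place encrypt step writes), then decrypted JSON text (what decrypt
# prints to stdout).
def encrypt_json(cert, json_text)
  JSON.pretty_generate(encrypt_tree(cert, JSON.parse(json_text)))
end

def decrypt_json(key, cert, json_text)
  JSON.pretty_generate(decrypt_tree(key, cert, JSON.parse(json_text)))
end

if $PROGRAM_NAME == __FILE__
  key, cert = generate_keypair
  # Constructed sample secrets file, nested like a real config.
  secrets = '{"a": "b", "db": {"password": "hunter2", "hosts": ["x", "y"]}, "port": 5432}'
  encrypted = encrypt_json(cert, secrets)
  puts encrypted
  puts decrypt_json(key, cert, encrypted)
end
```

Two points the walk makes concrete: the idempotence check is what lets the encrypt step be re-run after editing a single value without re-encrypting (and thus re-randomising) every other ciphertext, which keeps version-control diffs meaningful; and because the check is a prefix test, a plaintext that legitimately begins with the marker would be skipped, so a real implementation wants an unambiguous encoding for ciphertexts rather than a bare PEM header.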