Nimbus Secure Store Client
This gem provides the functionality required to talk to the Nimbus Secure service. Nimbus Secure is a service that provides highly encrypted storage of keys, passwords, tokens, and other private information necessary for running an application. For instance, you may store database credentials, service credentials, session cookie encryption keys, AWS keys, and other sensitive information without fear of them being stolen or accessed by any unauthorized individual. The data is stored encrypted, and the encryption keys are not communicated to Nimbus Secure, meaning no one other than you may have access to this secure information.
The Service
To use this Gem, you must sign up for the service by visiting www.nimbussecure.com and creating an account. Both paid and free accounts are available.
Once you sign up for the service, you create crypt keys, which are secured tokens used to encrypt and decrypt the data you store within the service. While you set up the crypt keys from the service website, the crypt keys themselves are never sent to our servers. Only you, and any person or system you authorize by giving them your crypt key, will have access to the stored data within the service.
You may create as many crypt keys as you desire. Typically, one per service or system is a good choice. Additionally, you can add new crypt keys and roll your data over to use a new crypt key very easily in order to increase your security (key rotation). Each crypt key has a name for easy identification, and we store a salted digest of the key itself to verify correctness when it is provided.
Once your crypt keys are set up, you then enter all your sensitive data as "stored keys". Stored keys are encrypted using your specified crypt keys before they are uploaded to our servers.
For security purposes, anytime the website or this Gem requires a crypt key, it must be provided by you (the user of the website or Gem), and the value provided is checked against a stored signed digest for validity before it is used to perform the requested encryption/decryption. The requested encryption/decryption occurs entirely within the client's computer (the user's browser for the website, the application server for users of the Gem), and is never communicated to Nimbus Secure directly.
Using the Secured Data
Once you have your data uploaded to your service, you can then install this Gem into your application, and use its programmatic interface (or command line) to download and decrypt the stored credential so you may use it within your application.
Needed Credentials
In order to use this Gem, you need two pieces of secure information. The first is an API key that provides access to the API and allows you to access your online account. You can create an API key by logging into the service.
The second is the crypt key that you created above that is used to encrypt/decrypt your stored data. If you used more than one key, then you will need all the encrypted keys.
Typically, you store these two pieces of information outside of your application source repository itself, and only provide them to your application during application startup (typically via environment variables or other boot parameters). That way, you do not have to share the credentials or persist them in the source repository.
Given these two pieces of information, this Gem, and the properly set up service, you can dynamically grab all your sensitive credentials and data needed to run your application. This typically happens during your application boot up process.
Setting up your .nimbussecure.yml file:
The easiest way to set up Nimbus Secure is to create a configuration file in your home directory. This file will contain sensitive information, so it should be marked as readable to you only (permission mode 400). The following is a sample configuration file:
account:
The value "
https://www.nimbussecure.com/myaccount
Then your account id is "myaccount". Your "apikey" can be retrieved from the "Api Keys" tab in Nimbus Secure.
For each encryption key you have in your account and you wish to use, you must have a line in the
"crypt_keys:" section of the config file. In the above example, "key1" is the name assigned to the
first encryption key, and "
Using in Ruby
Assume you have a stored key named "testmessage" set up with an appropriate encryption key, and that your ~/.nimbussecure.yml file is set up with your account identifier, API key, and the encryption key value. Then the following can be used to retrieve and decrypt a stored key:
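    require 'nimbussecure'

    # Download the stored key named "testmessage" and decrypt it locally,
    # using the crypt key configured in ~/.nimbussecure.yml.
    stored_value = nimbussecure.lookup_value "testmessage"
    puts "The decrypted stored value is: #{stored_value}"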
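
Because ~/.nimbussecure.yml holds both the API key and the crypt keys, an application can check the file before trusting it. The following is an added example, not part of the gem: the name `load_checked_config` and the exact YAML layout (a `crypt_keys` mapping of key name to value) are assumptions, and only the field names "account", "apikey" and "crypt_keys" come from this README.

```ruby
require 'yaml'

# Added example, not the gem's own code. Refuses to load the config file
# unless it is a regular file, owned by the current user, with no group or
# other permission bits set (0400 as recommended above; 0600 also passes).
class InsecureConfigError < StandardError; end

def load_checked_config(path = File.expand_path('~/.nimbussecure.yml'))
  stat = File.lstat(path) # lstat: do not follow a symlink placed at the path
  raise InsecureConfigError, "#{path} is not a regular file" unless stat.file?
  unless stat.uid == Process.euid
    raise InsecureConfigError, "#{path} is not owned by the current user"
  end
  # Any bit in mask 0077 lets another account read the API key and crypt keys.
  if (stat.mode & 0o077) != 0
    raise InsecureConfigError,
          format('%s has mode %04o; expected 0400', path, stat.mode & 0o7777)
  end

  # safe_load only builds plain data types, never arbitrary Ruby objects.
  config = YAML.safe_load(File.read(path))
  raise InsecureConfigError, 'config is not a YAML mapping' unless config.is_a?(Hash)

  %w[account apikey].each do |field|
    value = config[field]
    unless value.is_a?(String) && !value.empty?
      raise InsecureConfigError, "missing or empty #{field}"
    end
  end

  # Assumed layout: crypt_keys maps each key name (e.g. "key1") to its value.
  keys = config['crypt_keys']
  valid = keys.is_a?(Hash) && !keys.empty? &&
          keys.values.all? { |v| v.is_a?(String) && !v.empty? }
  raise InsecureConfigError, 'crypt_keys must map names to values' unless valid

  config
end
```

Call it once during application boot, before the first lookup, and treat `InsecureConfigError` as fatal rather than falling back to defaults.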