Secrypt is a tiny tool for keeping repository secrets encrypted. It is designed to be fast, easy to use and highly secure.
Key features:
- Encrypted data is saved close to the original file with
.encextension. - AES-256-CBC is used for encryption and PBKDF2 SHA-512 to derive the encryption key
- Pretty small, a bit less than 400 lines of code. So it can be analyzed easily.
- It can be used as a standalone script . It's helpful when you don't trust a third-party package to manage your secrets.
- No dependencies
- Supports multiple environments with different secret keys.
Is it safe to keep encrypted credentials in the git repository? Well, this is a widely used approach at least in Ruby on Rails and in Fastlane.
npm install secrypt
"files": { "dev": ["secrets.json"] } }
secrypt init
echo '{ "files": { "dev": ["secrets.json"] } }' > secrypt.config.json
secrypt encrypt
echo secrypt.keys >> .gitignore
echo .env.dev >> .gitignore
git add .gitignore secrypt.config.json .env.dev.enc
git commit -m 'chore: Add encrypted secrets'
- Run
secrypt initcommand that creates two files:
- default
secrypt.config.jsonconfig - a random key for the dev (default) environment in the
secrypt.keysfile.
- Add your secret file list to the
secrypt.config.json:
{
"files": {
"dev": ["secrets.json"]
}
}- Run
secrypt encryptto encrypt all files from the list.
Remember to add secrypt.keys and secrets.json to .gitignore.
To decrypt secrets, just run secrypt decrypt.
By default, a secret key is stored in the secrypt.keys file, but it can also
be passed using SECRYPT_KEY environment variable.
Usage: secrypt COMMAND [options]
Commands:
encrypt [...ONLY_THIS_FILES]
decrypt [...ONLY_THIS_FILES]
init
Options:
-c, --config PATH Config file path (default: secrypt.config.json)
-e, --environment ENV Environment name (default: dev)
-p, --prefix PATH Change current working directory
Environment variables:
SECRYPT_KEY Key for encryption/decryption for the current environment
SECRYPT_PREFIX Change current working directory
NODE_ENV Environment nameA config can be stored in secrypt.config.json, secrypt.config.js or in the
secrypt section of package.json. Also, you can specify a path to the config
using --config command line option.
{
"files": {
"dev": [".env.dev"],
"prod": [".env.prod"]
}
}files: Record<string, string[]>- a list of files to encrypt/decryptkeys: Record<string, string>- a secret keys to use for encryption/decryption. Not recommended to use in the config file. UseSECRYPT_KEYenvironment variable instead.keyFile: string- a path to a file with secret keys. By default, it issecrypt.keys.
-
decryptFn: (file: SecryptFile) => Promise<void>- it could be used to decrypt a file in a custom way.Example:
async function decryptFn({ decrypted, encryped, key }) { await mycryptlib.decrypt(encryped.full, decrypted.full, key); }
-
encryptFn: (file: SecryptFile) => Promise<void>- it could be used to encrypt a file in a custom way.Example:
async function encryptFn({ decrypted, encryped, key }) { await mycryptlib.encrypt(decrypted.full, encryped.full, key); }
-
getFileListFn: (config: SecryptConfig) => Promise<SecryptFile[]>- return a list of files which should be encrypted.Example:
async function getFileListFn(config) { const env = config.environment === 'all' ? 'dev' : config.environment; const files = await glob('secrets/*.yml'); return files.map((rel) => ({ decryped: { full: path.resolve(file), rel }, encrypted: { full: path.resolve(`${file}.enc`), rel: `${file}.enc` }, key: config.keys[env], })); }
-
resolveEncryptedPathFn: (filePath: string) => string- it could be used to resolve a path to an encrypted file. By default, it adds.encextension.Example:
function resolveEncryptedPathFn(filePath) { return filePath + '.enc'; }
Licensed under MIT.