README
¶
ejson
ejson is a utility for managing a collection of secrets in source control. The
secrets are encrypted using public
key, elliptic
curve cryptography
(NaCl Box:
Curve25519 +
Salsa20 +
Poly1305-AES). Secrets are
collected in a JSON file, in which all the string values are encrypted. Public
keys are embedded in the file, and the decrypter looks up the corresponding
private key from its local filesystem.
The main benefits provided by ejson are:
- Secrets can be safely stored in a git repo.
- Changes to secrets are auditable on a line-by-line basis with
git blame. - Anyone with git commit access has access to write new secrets.
- Decryption access can easily be locked down to production servers only.
- Secrets change synchronously with application source (as opposed to secrets provisioned by Configuration Management).
- Simple, well-tested, easily-auditable source.
See the manpages for more technical documentation.
Installation
You can download the .deb package from Github Releases.
On development machines (64-bit linux or OS X), the recommended installation method is via rubygems:
gem install ejson
Workflow
1: Create the Keydir
By default, EJSON looks for keys in /opt/ejson/keys. You can change this by
setting EJSON_KEYDIR or passing the -keydir option.
$ mkdir -p /opt/ejson/keys
2: Generate a keypair
When called with -w, ejson keygen will write the keypair into the keydir
and print the public key. Without -w, it will print both keys to stdout. This
is useful if you have to distribute the key to multiple servers via
configuration management, etc.
$ ejson keygen
Public Key:
63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f
Private Key:
75b80b4a693156eb435f4ed2fe397e583f461f09fd99ec2bd1bdef0a56cf6e64
$ ./ejson keygen -w
53393332c6c7c474af603c078f5696c8fe16677a09a711bba299a6c1c1676a59
$ cat /opt/ejson/keys/5339*
888a4291bef9135729357b8c70e5a62b0bbe104a679d829cdbe56d46a4481aaf
3: Create an ejson file
The format is described in more detail later on. For now, create a
file that looks something like this. Fill in the <key> with whatever you got
back in step 2.
Create this file as test.ejson:
{
"_public_key": "<key>",
"database_password": "1234password"
}
4: Encrypt the file
Running ejson encrypt test.ejson will encrypt any new plaintext keys in the
file, and leave any existing encrypted keys untouched:
{
"_public_key": "63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f",
"database_password": "EJ[1:WGj2t4znULHT1IRveMEdvvNXqZzNBNMsJ5iZVy6Dvxs=:kA6ekF8ViYR5ZLeSmMXWsdLfWr7wn9qS:fcHQtdt6nqcNOXa97/M278RX6w==]"
}
Try adding another plaintext secret to the file and run ejson encrypt test.ejson again. The database_password field will not be changed, but the
new secret will be encrypted.
5: Decrypt the file
To decrypt the file, you must have a file present in the keydir whose name is
the 64-byte hex-encoded public key exactly as embedded in the ejson document.
The contents of that file must be the similarly-encoded private key. If you used
ejson keygen -w, you've already got this covered.
Unlike ejson encrypt, which overwrites the specified files, ejson decrypt
only takes one file parameter, and prints the output to stdout:
$ ejson decrypt foo.ejson
{
"_public_key": "63ccf05a9492e68e12eeb1c705888aebdcc0080af7e594fc402beb24cce9d14f",
"database_password": "1234password"
}
Format
The ejson document format is simple, but there are a few points to be aware
of:
- It's just JSON.
- There must be a key at the top level named
_public_key, whose value is a 32-byte hex-encoded (i.e. 64 ASCII byte) public key as generated byejson keygen. - Any string literal that isn't an object key will be encrypted by default (ie.
in
{"a": "b"},"b"will be encrypted, but"a"will not. - Numbers, booleans, and nulls aren't encrypted.
- If a key begins with an underscore, its corresponding value will not be
encrypted. This is used to prevent the
_public_keyfield from being encrypted, and is useful for implementing metadata schemes. - Underscores do not propagate downward. For example, in
{"_a": {"b": "c"}},"c"will be encrypted.
See also
- If you use Capistrano for deployment you can use capistrano-ejson to automatically decrypt the secrets on deploy.
Documentation
¶
Overview ¶
Package ejson implements the primary interface to interact with ejson documents and keypairs. The CLI implemented by cmd/ejson is a fairly thin wrapper around this package.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DecryptFile ¶
DecryptFile takes a path to an encrypted EJSON file and returns the data decrypted. The public key used to encrypt the values is embedded in the referenced document, and the matching private key is searched for in keydir. There must exist a file in keydir whose name is the public key from the EJSON document, and whose contents are the corresponding private key. See README.md for more details on this.
func EncryptFileInPlace ¶
EncryptFileInPlace takes a path to a file on disk, which must be a valid EJSON file (see README.md for more on what constitutes a valid EJSON file). Any encryptable-but-unencrypted fields in the file will be encrypted using the public key embdded in the file, and the resulting text will be written over the file present on disk.
func GenerateKeypair ¶
GenerateKeypair is used to create a new ejson keypair. It returns the keys as hex-encoded strings, suitable for printing to the screen. hex.DecodeString can be used to load the true representation if necessary.
Types ¶
This section is empty.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Godeps
|
|
|
_workspace/src/github.com/codegangsta/cli
Package cli provides a minimal framework for creating and organizing command line Go applications.
|
Package cli provides a minimal framework for creating and organizing command line Go applications. |
|
_workspace/src/github.com/dustin/gojson
Package json implements encoding and decoding of JSON objects as defined in RFC 4627.
|
Package json implements encoding and decoding of JSON objects as defined in RFC 4627. |
|
_workspace/src/github.com/smartystreets/goconvey/convey
Oh the stack trace scanning! The density of comments in this file is evidence that the code doesn't exactly explain itself.
|
Oh the stack trace scanning! The density of comments in this file is evidence that the code doesn't exactly explain itself. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/assertions
Package assertions contains the implementations for all assertions which are referenced in the convey package for use with the So(...) method.
|
Package assertions contains the implementations for all assertions which are referenced in the convey package for use with the So(...) method. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/assertions/oglematchers
Package oglematchers provides a set of matchers useful in a testing or mocking framework.
|
Package oglematchers provides a set of matchers useful in a testing or mocking framework. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/assertions/oglemock/createmock
createmock is used to generate source code for mock versions of interfaces from installed packages.
|
createmock is used to generate source code for mock versions of interfaces from installed packages. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/assertions/oglemock/generate
Package generate implements code generation for mock classes.
|
Package generate implements code generation for mock classes. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/assertions/oglemock/generate/test_cases/complicated_pkg
Package complicated_pkg contains an interface with lots of interesting cases, for use in integration testing.
|
Package complicated_pkg contains an interface with lots of interesting cases, for use in integration testing. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/assertions/oglemock/generate/test_cases/renamed_pkg
A package that calls itself something different than its package path would have you believe.
|
A package that calls itself something different than its package path would have you believe. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/assertions/ogletest
Package ogletest provides a framework for writing expressive unit tests.
|
Package ogletest provides a framework for writing expressive unit tests. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/gotest
Package gotest contains internal functionality.
|
Package gotest contains internal functionality. |
|
_workspace/src/github.com/smartystreets/goconvey/convey/reporting
Package reporting contains internal functionality related to console reporting and output.
|
Package reporting contains internal functionality related to console reporting and output. |
|
_workspace/src/golang.org/x/crypto/curve25519
Package curve25519 provides an implementation of scalar multiplication on the elliptic curve known as curve25519.
|
Package curve25519 provides an implementation of scalar multiplication on the elliptic curve known as curve25519. |
|
_workspace/src/golang.org/x/crypto/nacl/box
Package box authenticates and encrypts messages using public-key cryptography.
|
Package box authenticates and encrypts messages using public-key cryptography. |
|
_workspace/src/golang.org/x/crypto/nacl/secretbox
Package secretbox encrypts and authenticates small messages.
|
Package secretbox encrypts and authenticates small messages. |
|
_workspace/src/golang.org/x/crypto/poly1305
Package poly1305 implements Poly1305 one-time message authentication code as specified in http://cr.yp.to/mac/poly1305-20050329.pdf.
|
Package poly1305 implements Poly1305 one-time message authentication code as specified in http://cr.yp.to/mac/poly1305-20050329.pdf. |
|
_workspace/src/golang.org/x/crypto/salsa20/salsa
Package salsa provides low-level access to functions in the Salsa family.
|
Package salsa provides low-level access to functions in the Salsa family. |
|
cmd
|
|
|
Package crypto implements a simple convenience wrapper around golang.org/x/crypto/nacl/box.
|
Package crypto implements a simple convenience wrapper around golang.org/x/crypto/nacl/box. |
|
Package json implements functions to load the Public key data from an EJSON file, and to walk that data file, encrypting or decrypting any keys which, according to the specification, are marked as encryptable (see README.md for details).
|
Package json implements functions to load the Public key data from an EJSON file, and to walk that data file, encrypting or decrypting any keys which, according to the specification, are marked as encryptable (see README.md for details). |