Encryption Basics
There will be certain settings you will want to keep from prying eyes. Unlike other configuration libraries, Chamber doesn't require you to keep those files separate. You can check everything into your repo.
Why is keeping your secure files separate a pain? Because you must keep those files in sync between all of your team members who are deploying the app. Either you have to use a separate private repo, or you have to use something like a Dropbox share. In either case, you'd then symlink the files from their locations into your application. What. A. Pain.
Chamber uses public/private encryption keys to seamlessly store any of your settings values as encrypted text. The only file that needs to be synced once between developers is the private key.
After running `chamber init`, the hard work is done. From here on out, Chamber makes working with secure settings almost an afterthought.

`chamber init` will create four files for you:
Filename | Committable? | Description |
---|---|---|
`.chamber.pem` | No | This is your private key. Only people/services you trust and who need to run the app should have it. But don't send this file; send the encrypted version. |
`.chamber.enc` | No | This is your encrypted private key. This is what you send to people who need the private key. |
`.chamber.enc.pass` | No | This is the passphrase that was generated for you, which will decrypt `.chamber.enc`. This should be read out (either in person or over the phone) to someone who has received the encrypted key. |
`.chamber.pub.pem` | Yes | This is the public key, which can be used for encryption. |
For more in-depth information on Chamber and how it encrypts your settings, check out What Keys Can Do.
When you create your YAML file (or add a new setting to an existing one), you can add a secure key by prefixing the key name with `_secure_`, like so:

```yaml
# settings.yml
_secure_my_secure_key_name: 'my secure value'
```
To encrypt the secret with the key pair that you generated when you ran `chamber init`, use the `chamber secure` command:

```sh
$ chamber secure
```
This will replace the plaintext secret with an encrypted version, looking something like this:
```yaml
# settings.yml
_secure_my_secure_key_name: 8239f293r9283r9823r92hf9823hf9uehfksdhviwuehf923uhrehf9238
```
Now, only users with the private key file can access the secret value.
Pay special attention to the fact that only the value was encrypted. Chamber didn't simply encrypt the entire file. This lets everyone see the structure of the settings while still keeping the sensitive values themselves hidden. However, if you want to encrypt the structure, you can.
Note: Chamber does its best to never reformat your YAML files, so you devs with a bit of OCD can rest a little easier. 😄
As long as the private key is in your application's root directory, you can access your secure settings just as you would any other setting. The only difference is that you omit the `_secure_` part of the name.
So if, in your YAML, you had:
```yaml
# settings.yml
_secure_my_secure_key_name: 8239f293r9283r9823r92hf9823hf9uehfksdhviwuehf923uhrehf9238
```
Then you would access it like so:

```ruby
Chamber.dig!('my_secure_key_name')
# => 'my secure value'
```
This also works for Hash notation:

```ruby
Chamber['my_secure_key_name']
# => 'my secure value'
```
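To make the two halves of this page concrete (value-only encryption with the public key, then prefix-free access with the private key), here is an added, self-contained Ruby illustration. It is not Chamber's own code: it assumes RSA-OAEP via Ruby's OpenSSL bindings and a constructed settings snippet, and it ignores the size and idempotency handling the real gem performs.

```ruby
require 'openssl'
require 'base64'
require 'yaml'

# Example only (not the gem's implementation): each _secure_ value is
# RSA-OAEP encrypted with the public key and base64-encoded in place, so
# key names and nesting stay readable while the secret itself does not.
SECURE_PREFIX = '_secure_'

# Walk a nested settings Hash and encrypt the values of _secure_-prefixed keys.
def secure_settings(settings, public_key)
  settings.each_with_object({}) do |(key, value), out|
    out[key] =
      if value.is_a?(Hash)
        secure_settings(value, public_key)
      elsif key.to_s.start_with?(SECURE_PREFIX)
        Base64.strict_encode64(
          public_key.public_encrypt(value.to_s, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
        )
      else
        value
      end
  end
end

# Decrypt _secure_ values with the private key and expose them under the bare
# key name, so callers never see the prefix (mirroring Chamber.dig!/Chamber[]).
def resolve_settings(settings, private_key)
  settings.each_with_object({}) do |(key, value), out|
    if value.is_a?(Hash)
      out[key] = resolve_settings(value, private_key)
    elsif key.to_s.start_with?(SECURE_PREFIX)
      out[key.to_s.delete_prefix(SECURE_PREFIX)] = private_key.private_decrypt(
        Base64.strict_decode64(value), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
      )
    else
      out[key] = value
    end
  end
end

# Constructed sample settings, extending the page's example with a nested key.
SAMPLE_YAML = <<~YAML
  _secure_my_secure_key_name: 'my secure value'
  database:
    host: db.example.internal
    _secure_password: hunter2
YAML

# Returns [secured_hash, resolved_hash] for a freshly generated key pair.
def demo(private_key = OpenSSL::PKey::RSA.new(2048))
  secured = secure_settings(YAML.safe_load(SAMPLE_YAML), private_key.public_key)
  [secured, resolve_settings(secured, private_key)]
end
```

Running `demo` shows the secured hash keeps `_secure_my_secure_key_name` and `database.host` in the clear while the secret values become opaque base64, and the resolved hash exposes `my_secure_key_name` and `database.password` without the prefix.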
Next Step: Environment Variables