Shopify / ejson

EJSON is a small library to manage encrypted secrets using asymmetric encryption.
MIT License

Allow reading private key from environment variable #23

Closed meunierd closed 3 months ago

meunierd commented 8 years ago

The Social Channels team would like to start taking advantage of ejson for our heroku applications, and reading the private keys from a file outside the repository is hacky at best under heroku.

burke commented 8 years ago

I'd kind of prefer not to -- in general, storing secrets in the environment is bad practice. I wouldn't be opposed to adding a --keydir flag though if that made things easier -- is the problem just because heroku's FS isn't writable outside of your application? I haven't used heroku myself in ages.

scalp42 commented 8 years ago

@burke could let the user decide regarding environment variables? Keep sane defaults but allow the user to use environment variables if he wants/needs to.

burke commented 8 years ago

It's more a question of not wanting to add features to ejson that allow people to make bad choices. I'd rather a bit of hackiness to make things work on heroku than convey to people that it's even-maybe-sensible to store decryption keys in environment variables.

meunierd commented 8 years ago

Heroku's entire workflow is centred around storing secrets in their environment variables already. This is more about a desire to consolidate since we have secrets in ejson (deployment related) and env vars (application related).

burke commented 8 years ago

Yep -- so I'm saying we should do the minimum possible in the ejson codebase to accommodate that without implicitly encouraging it in other workflows. To me that sounds like adding a --keydir option and doing something like the following in heroku apps:

require 'tmpdir'   # Dir.mktmpdir lives here

Dir.mktmpdir do |dir|
  # ejson looks in the keydir for a file named after the public key,
  # whose contents are the matching private key
  File.open(File.join(dir, ENV['EJSON_PUBLIC_KEY']), 'w', 0600) do |f|
    f.write(ENV['EJSON_PRIVATE_KEY'])
  end
  system(File.join(Bundler.bin_path, "ejson"),
    "--keydir", dir,
    "decrypt",
    "--out", "config/secrets.json",
    "config/secrets.production.ejson")
end
# the temp dir and the key file are removed when the block exits

burke commented 8 years ago

Is that realistic? Let me know if I've missed something and that won't actually work as well as I've imagined.

burke commented 8 years ago

Oh hey, there's already a --keydir option that I forgot about, according to https://shopify.github.io/ejson/
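The workaround sketched in the thread, carried a bit further as an added example (this is editor-written code, not part of the ejson project or of any comment above). It takes the private key from an environment variable, derives the keydir filename from the `_public_key` field of the ejson file instead of a second EJSON_PUBLIC_KEY variable, writes the key into a 0600 file inside a throwaway `--keydir`, runs `ejson` with the variable unset in the child environment, and lets `Dir.mktmpdir` remove the directory afterwards. The keydir layout (a file named after the hex public key, containing the hex private key) is the one described in the ejson docs linked above; the `ejson` binary being on PATH is an assumption, and the function and variable names are this example's own.

```ruby
# Added example: stage an env-var private key into a temporary --keydir for
# one `ejson decrypt` call. Assumes `ejson` is on PATH; keydir layout follows
# https://shopify.github.io/ejson/ (file <public key hex> holds private key hex).
require 'json'
require 'tmpdir'

HEX_KEY = /\A[0-9a-f]{64}\z/.freeze  # 32-byte NaCl keys, hex-encoded

# Read the public key the file was encrypted to, so the keydir filename
# cannot drift from the file it is meant to decrypt.
def ejson_public_key(ejson_path)
  key = JSON.parse(File.read(ejson_path)).fetch('_public_key')
  raise ArgumentError, "malformed _public_key in #{ejson_path}" unless key.match?(HEX_KEY)
  key
end

# Materialise the keydir only for the duration of the block, with the key
# file created exclusively and readable by this user alone.
def with_temp_keydir(public_key, private_key)
  raise ArgumentError, 'malformed private key' unless private_key.to_s.match?(HEX_KEY)
  Dir.mktmpdir('ejson-keys') do |dir|
    path = File.join(dir, public_key)
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(private_key)
    end
    yield dir
  end
  # Dir.mktmpdir removes the directory, and with it the key file, on exit
end

# Build the argv so it can be inspected without running ejson. --keydir is a
# global ejson flag, so it precedes the subcommand, as in the thread.
def decrypt_command(keydir, ejson_path, out_path)
  ['ejson', '--keydir', keydir, 'decrypt', '--out', out_path, ejson_path]
end

# Entry point for a Heroku release step (hypothetical wrapper name). The key
# comes from ENV; the child process gets it unset so the plaintext key is not
# inherited by ejson or anything it might spawn.
def decrypt_with_env_key(ejson_path, out_path, env_var: 'EJSON_PRIVATE_KEY')
  private_key = ENV.fetch(env_var) { raise KeyError, "#{env_var} is not set" }
  public_key = ejson_public_key(ejson_path)
  with_temp_keydir(public_key, private_key) do |dir|
    cmd = decrypt_command(dir, ejson_path, out_path)
    # A nil value in the env hash unsets that variable for the child only.
    system({ env_var => nil }, *cmd) or raise "ejson decrypt failed: #{$?.inspect}"
  end
end

# Usage from a release task (assumed paths):
#   decrypt_with_env_key('config/secrets.production.ejson', 'config/secrets.json')
```

The only copy of the private key that outlives the block is the one in this process's own environment; on Heroku that is unavoidable, which is the trade-off the thread is about, but at least the key never reaches a child's environment or a world-readable file.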