rejson 0.6.1

A command line utility for managing secrets
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

# (r)EJSON

[![CI](https://github.com/pseudomuto/rejson/actions/workflows/ci.yaml/badge.svg)](https://github.com/pseudomuto/rejson/actions/workflows/ci.yaml)
[![Latest version](https://img.shields.io/crates/v/rejson.svg)](https://crates.io/crates/rejson)
[![Docs](https://img.shields.io/badge/docs-rs-blue)](https://docs.rs/rejson/latest)
[![codecov](https://codecov.io/gh/pseudomuto/rejson/graph/badge.svg?token=pEmI3xM9Ae)](https://codecov.io/gh/pseudomuto/rejson)

`rejson` is a utility for managing a collection of secrets in source control. The secrets are encrypted using
[public key], [elliptic curve] cryptography ([NaCl] [Box]: [Curve25519] + [Salsa20] + [Poly1305-AES]). Secrets are
collected in a JSON file, in which all the string values are encrypted. Public keys are embedded in the file, and
the decrypter looks up the corresponding private key from its local filesystem.

> This is a rust port of [EJSON] with a few extra bells and whistles. Full credit should go to the team that made
> EJSON. No innovation here other than needing Rust bindings and wanting a few extra features I'm not sure belonged
> upstream.

[public key]: http://en.wikipedia.org/wiki/Public-key_cryptography
[elliptic curve]: http://en.wikipedia.org/wiki/Elliptic_curve_cryptography
[NaCl]: http://nacl.cr.yp.to/
[Box]: http://nacl.cr.yp.to/box.html
[Curve25519]: http://en.wikipedia.org/wiki/Curve25519
[Poly1305-AES]: http://en.wikipedia.org/wiki/Poly1305-AES
[Salsa20]: http://en.wikipedia.org/wiki/Salsa20
[EJSON]: https://github.com/Shopify/ejson

## Install

**From Releases**

```ignore
curl -fsSL https://github.com/pseudomuto/rejson/releases/download/v0.2.0/rejson_0.2.0_$(uname -s)_$(uname -m).tar.gz | tar xzf -
```

**With Cargo**

`cargo install rejson`

Since this is a drop-in replacement for `ejson` you can add `alias ejson="rejson"` if you like. The expectation is that
this is 100% compatible with `ejson` and it only additive. If that's not the case, it's a bug, and I'd appreciate you
filing an issue.

### Additions to EJSON

- A `--strip-key` flag on `decrypt` which will remove `_public_key` from the result.
- `env` command which will export all keys under the top-level `environment` key.
- `kube-secrets` command which will output K8s secret manifests for values under the `kubernetes` key.

## Usage

### CLI

See `rejson -h` or (`cargo run -- -h`) for usage details.

```ignore
A command line utility for managing secrets

Usage: rejson <COMMAND>

Commands:
  encrypt  Encrypt one or more EJSON files
  decrypt  Decrypt an EJSON file
  keygen   Generate a new EJSON key pair
  env      Export the all scalar values under the "environment" key
  help     Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help
  -V, --version  Print version
```

To export all environment values in the environment key, run `eval $(rejson env secrets.ejson)`.

```ignore
{
  "_public_key": "...",
  "environment": {
    "SOME_KEY": "SOME_VALUE"
  }
}
```

### Docker

A docker image is published for each release of rEJSON. Usage is similar to using the binary, only the `/keys` and
`/files` volumes are required for encrypt/decrypt functionality.

```ignore
# generate a new key pair
docker run --rm -it rejson keygen

# encrypt a file to disk
docker run --rm -it \
  -v $(pwd)/keys:/keys \
  -v $(pwd)/secrets:/files \
  rejson encrypt /files/secrets.ejson

# decrypt a file to stdout
docker run --rm -it \
  -v $(pwd)/keys:/keys \
  -v $(pwd)/secrets:/files \
  rejson decrypt /files/secrets.ejson
```

### Code

```rust
use std::fs;

use rejson::{KeyPair, SecretsFile};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let file = "examples/data/secrets.ejson";
    let mut secrets_file = SecretsFile::load(file).expect("failed to load file");
    secrets_file.transform(rejson::compact()?)?;
    secrets_file.transform(rejson::encrypt(&secrets_file)?)?;

    let json = secrets_file.to_string();
    let data = json.as_bytes();
    fs::write(file, data)?;

    println!("Wrote {} bytes to {}", data.len(), file);
    Ok(())
}
```

See the [_examples_](examples/) directory for more.

## Development

### Local Setup

- Make sure you have the nightly toolchain (used for rustfmt only)
- Add pre-commit to avoid committing malformatted code

```ignore
ln -sf ../../build/pre-commit .git/hooks/pre-commit
```

### Cutting a New release

Run `build/release <new_version>`. This will:

- Update version in Cargo.toml
- Create a new commit with the message "Release v<version>"
- `git tag -sm "Release v<version" v<version>`
- `git push --tags`

Once the release pipeline has finished and published the crate, run the following to create the GitHub release with
attached binaries, etc.

```ignore
task release
```

Add archives to the GitHub release and publish it.