rust-config-secrets 0.1.0

A library for encrypting and decrypting secrets within configuration files.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114

# rust-config-secrets

A lightweight Rust library for safely managing secrets within configuration files using AES-256-GCM.

[![Crates.io](https://img.shields.io/crates/v/rust-config-secrets.svg)](https://crates.io/crates/rust-config-secrets)
[![Documentation](https://docs.rs/rust-config-secrets/badge.svg)](https://docs.rs/rust-config-secrets)

## Overview

`rust-config-secrets` allows you to embed encrypted secrets directly into your configuration files (JSON, YAML, TOML, etc.). You can commit your configuration files to version control safely by replacing sensitive plaintext with `SECRET(...)` blocks.

## Features

- **Format Agnostic**: Works with any text-based configuration format.
- **Secure**: Uses AES-256-GCM with unique nonces for every secret.
- **Simple API**: Easy functions for encrypting, decrypting, and generating keys.
- **In-place Editing**: Encrypt your configuration files directly on disk.
- **Safe**: Robust error handling without panics.

## Installation

### As a Library
Add this to your `Cargo.toml`:

```toml
[dependencies]
rust-config-secrets = "0.1.0"
```

### As a CLI Tool
Install the `config-secrets` utility using cargo:

```bash
cargo install rust-config-secrets --features cli
```

## CLI Usage

The CLI tool allows you to manage secrets without writing any code.

```bash
# 1. Generate a key
KEY=$(config-secrets gen-key)

# 2. Encrypt a value (prints raw alphanumeric string to stdout)
config-secrets encrypt --value "my-password" --key "$KEY"

# 3. Decrypt a value (accepts SECRET(...) or raw alphanumeric string)
config-secrets decrypt --value "alphanumeric-string-or-SECRET(...)" --key "$KEY"

# 4. Encrypt a file (modifies it in-place by default)
# This will find all ENCRYPT(plaintext) and replace them with SECRET(encoded_string)
config-secrets encrypt-file --path config.yaml --key "$KEY"

# 5. Decrypt a file to stdout
config-secrets decrypt-file --path config.yaml --key "$KEY"
```

## Quick Start

### 1. Generate a Key
```rust
use rust_config_secrets::generate_key;

let key = generate_key(); // Save this somewhere safe (e.g., environment variable)
```

### 2. Prepare and Encrypt your Config
Write your config using `ENCRYPT(...)` placeholders:

```yaml
# config.yaml
database:
  url: "postgres://user:password@localhost/db"
  api_token: "ENCRYPT(my-very-secret-token)"
```

Encrypt it:
```rust
use rust_config_secrets::encrypt_file_in_place;

let key = "your-alphanumeric-key";
encrypt_file_in_place("config.yaml", key).unwrap();
```

Your file now looks like this:
```yaml
# config.yaml
database:
  url: "postgres://user:password@localhost/db"
  api_token: "SECRET(Abc123...)"
```

### 3. Load and Decrypt at Runtime
```rust
use rust_config_secrets::decrypt_file;

let key = "your-alphanumeric-key";
let config_str = decrypt_file("config.yaml", key).unwrap();
// Now use your favorite parser (serde_json, serde_yaml, etc.) on config_str
```

## API Functions

- `generate_key()`: Generates a random 32-byte AES key (alphanumeric encoded).
- `encrypt_secrets(config, key)`: Encrypts `ENCRYPT()` blocks in a string.
- `decrypt_secrets(config, key)`: Decrypts `SECRET()` blocks in a string.
- `encrypt_file(input, output, key)`: Reads from input, encrypts, writes to output.
- `encrypt_file_in_place(path, key)`: Encrypts a file on disk.
- `decrypt_file(path, key)`: Reads and decrypts a file into a string.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.