Uses Google KMS to encrypt values in YAML/JSON/text files so that they can be safely stored in Git.
- docker

You can use the plain Ruby version, but the recommended way is to run it via Docker.
Make sure you have enough permissions within your Google project to work with KMS. Acquire new user credentials to use as Application Default Credentials:

```
gcloud auth application-default login
```
Make sure that you have `~/bin` in your `PATH`.

Download the shortcut that runs the Docker container:

```
curl -L https://raw.githubusercontent.com/Bidmath/kms-secrets/v0.1.0/bin/kms-secrets \
  -o ~/bin/kms-secrets
chmod +x ~/bin/kms-secrets
```

Make sure that you understand the content of `~/bin/kms-secrets` before running it.
To encrypt for the first time (the source and destination paths are both arguments of the same command):

```
kms-secrets encrypt \
  --project=my-project \
  --key_ring=my-keyring \
  --key_name=my-key \
  path/to/src/config-unencrypted.yaml \
  path/to/dest/config-encrypted.yaml
```

To edit an encrypted file (in Vim):

```
kms-secrets edit path/to/config-encrypted.yaml
```

To view an encrypted file (in less):

```
kms-secrets view path/to/config-encrypted.yaml
```

To decrypt:

```
kms-secrets decrypt \
  path/to/src/config-encrypted.yaml \
  path/to/dest/config-unencrypted.yaml
```

Decrypting is skipped if the checksum of the target (unencrypted) file matches the one stored in the metadata of the encrypted file. Checksums are also validated after decrypting (if decryption took place).
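The checksum bookkeeping described above, as an added example in Ruby that is not the kms-secrets project's own code: the plaintext checksum is stored as metadata next to the ciphertext, decryption is skipped when the existing target already matches it, and the result is verified after a real decrypt. The KMS call is replaced by a hypothetical stand-in (plain base64, not encryption) so the flow runs offline; the document layout and function names are assumptions, not the tool's real format.

```ruby
require 'digest'
require 'base64'

# Hypothetical stand-in for the Google KMS encrypt/decrypt call.
# Base64 is NOT encryption; it only lets the checksum flow run offline.
def kms_encrypt_stub(plaintext)
  Base64.strict_encode64(plaintext)
end

def kms_decrypt_stub(ciphertext)
  Base64.strict_decode64(ciphertext)
end

def sha256(data)
  Digest::SHA256.hexdigest(data)
end

# Build the encrypted document: ciphertext plus the plaintext checksum
# stored as metadata (assumed layout, constructed for this example).
def encrypt_document(plaintext)
  { 'metadata' => { 'checksum' => sha256(plaintext) },
    'ciphertext' => kms_encrypt_stub(plaintext) }
end

# Decrypt only when needed. Returns [status, plaintext]:
#   :skipped   - the existing target already matches the stored checksum
#   :decrypted - decryption took place and the result was verified
# Raises if the decrypted bytes do not match the recorded checksum.
def decrypt_document(encrypted, existing_target = nil)
  expected = encrypted.fetch('metadata').fetch('checksum')
  if existing_target && sha256(existing_target) == expected
    return [:skipped, existing_target]
  end

  plaintext = kms_decrypt_stub(encrypted.fetch('ciphertext'))
  actual = sha256(plaintext)
  unless actual == expected
    raise "checksum mismatch after decrypt: expected #{expected}, got #{actual}"
  end

  [:decrypted, plaintext]
end

if $PROGRAM_NAME == __FILE__
  secret = "db_password: hunter2\n"   # constructed sample config
  enc = encrypt_document(secret)
  p decrypt_document(enc)             # first run: decrypts and verifies
  p decrypt_document(enc, secret)     # unchanged target: skipped
end
```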