A thought experiment on storing credential configuration files in a safe way.
Store credential files in a secure blobs that require at least three known pieces of information in order to get the decrypted files out of the repo.
The three pieces of required information:
- environment : (eg: prod)
- filename : (eg: database.yml)
- secret key
Each file that needs to be stored in this secure repository should be run
through pi-encrypt.rb
. This script will encrypt the file and place the
resultant output into a secure file in the blobs
directory. The blob
filenames are obfuscated to hide the environment and use of the contained
data. Filenames are calculated using HMAC-SHA1
by concatenating the
environment name (padded) and key, then digesting the filename. The files'
contents are encrypted with AES128
by using the secret key as key and
concatenating the environment and filename as the IV.
At run time or build time, steps should be taken to gather the necessary
files by calling pi-decrypt.rb
for each file in the environment and
providing the proper secret key.
Keys for each environment are NOT contained in this repository.