module Vault

Defined in:

vault/vault.cr

Constant Summary

CIPHER_KEY_SIZE = 32
ENCRYPTED_PREFIX = "encrypted:"
HMAC_KEY_SIZE = 32
IV_SIZE = 16
Log = ::Log.for(self)
PBKDF2_ITERATIONS = 600000
SALT_SIZE = 16

Class Method Summary

Class Method Detail

def self.decrypt_file(content : String, password : String) : String #

Decrypt all encrypted values in a dotenv file content string.


def self.decrypt_hash(vars : Hash(String, String), password : String) : Hash(String, String) #

Decrypt encrypted values in a loaded hash (from Dotenv.load).


def self.decrypt_value(value : String, password : String) : String #

Decrypt an "encrypted:..." value with a password. Raises Vault::Error if the password is wrong or the data has been tampered with.


def self.encrypt_file(content : String, password : String) : Tuple(String, Array(String)) #

Encrypt all plaintext values in a dotenv file content string. Returns {encrypted_content, skipped_keys}.


def self.encrypt_value(plaintext : String, password : String) : String #

Encrypt a plaintext value with a password. Uses AES-256-CBC with HMAC-SHA256 in Encrypt-then-MAC order. Returns "encrypted:" followed by Base64(salt[16] + iv[16] + hmac[32] + ciphertext[N]).


def self.encrypted?(value : String) : Bool #

Check whether a value is encrypted.


def self.has_encrypted?(vars : Hash(String, String)) : Bool #

Check whether any value in a hash is encrypted.


def self.load_dotenv_files(files : Enumerable(String), passwords : Array(ObfuscatedPassword) = [] of ObfuscatedPassword) : Tuple(Hash(String, String), Array(ObfuscatedPassword)) #

Load dotenv files, decrypting each file with its own password. Previously entered passwords are tried first, and the user is prompted only if none of them works. Passwords are kept in memory in obfuscated form (XOR'd with a random pad). Returns the merged vars and the updated password cache.


def self.prompt_password(confirm : Bool = false, prompt : String = "Password: ") : String #

Prompt for a password on STDERR with input echo disabled.


def self.wipe(bytes : Bytes) : Nil #

Zero out a Bytes buffer to remove sensitive data from memory.


def self.wipe(str : String) : Nil #

Zero out a String's backing memory to remove sensitive data. This is safe under the Boehm GC because it is a non-moving collector, so the buffer being zeroed is the one the String actually occupies.


def self.wipe_passwords(passwords : Array(ObfuscatedPassword)) : Nil #

Wipe all cached obfuscated passwords.

