CLI tool and Node.js API to encrypt/decrypt secret files
- Simple to install via npm (npm i -g @naturalcycles/secret-lib or yarn global add @naturalcycles/secret-lib)
- Scripts immediately available in global $PATH (if installed globally)
- Opinionated, based on directory structure conventions
- Light (few dependencies)
- Exposes a Node.js API (with types), so you can programmatically use the same functions that the CLI provides (only if you want to)
aes-256-cbc algorithm is used by default.
Random initialization vector (IV) is used, prepended to the encrypted file (first 16 bytes).
Encrypted file is stored in binary format (Buffer), containing concatenated (byte range in brackets):
- IV (0, 16)
- Payload (16, ...)
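The file layout described above, as an added Node.js example (not secret-lib's own code): it writes and parses the IV-plus-payload format and rejects buffers that cannot be valid. The function names and the raw 32-byte key are assumptions; the page does not describe how the tool turns SECRET_ENCRYPTION_KEY into an AES key.

```javascript
const crypto = require('crypto')

const ALGORITHM = 'aes-256-cbc' // the default algorithm named above
const IV_LENGTH = 16 // IV occupies bytes [0, 16) of the encrypted file
const BLOCK_SIZE = 16 // AES block size; CBC ciphertext is a multiple of it

// Hypothetical helper. Assumption: `key` is a raw 32-byte Buffer.
function encryptBuffer(plain, key) {
  const iv = crypto.randomBytes(IV_LENGTH) // fresh random IV for every file
  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
  return Buffer.concat([iv, cipher.update(plain), cipher.final()])
}

// Split an encrypted buffer into IV and payload, rejecting impossible sizes.
function parseEncrypted(buf) {
  if (buf.length < IV_LENGTH + BLOCK_SIZE) {
    throw new Error('too short: expected a 16-byte IV plus at least one block')
  }
  if ((buf.length - IV_LENGTH) % BLOCK_SIZE !== 0) {
    throw new Error('payload is not a whole number of AES blocks')
  }
  return { iv: buf.subarray(0, IV_LENGTH), payload: buf.subarray(IV_LENGTH) }
}

// The layout lists only IV and payload (no MAC field), so a wrong key or a
// damaged file shows up as a padding error from final() or as garbled output.
function decryptBuffer(buf, key) {
  const { iv, payload } = parseEncrypted(buf)
  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv)
  return Buffer.concat([decipher.update(payload), decipher.final()])
}

// Constructed sample input, not real secrets.
const sampleKey = crypto.randomBytes(32)
const sampleSecret = Buffer.from('{"apiToken":"constructed-sample"}')
const first = encryptBuffer(sampleSecret, sampleKey)
const second = encryptBuffer(sampleSecret, sampleKey)

console.log('round trip ok:', decryptBuffer(first, sampleKey).equals(sampleSecret))
console.log('IVs differ:', !parseEncrypted(first).iv.equals(parseEncrypted(second).iv))
```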
Globally (e.g. in a CI environment):
yarn global add @naturalcycles/secret-lib
Or locally (if in Node.js project):
yarn add -D @naturalcycles/secret-lib
secrets-gen-key: Generate a SECRET_ENCRYPTION_KEY to be used for encryption/decryption of secret files.
secrets-encrypt: Encrypt all files (except already encrypted
.enc is added to the file.
secrets-decrypt: Decrypt all encrypted files (
.enc extension is removed after encryption, files are overwritten.
secrets-decrypt need a key to perform an operation (generate it
secrets-gen-key first time).
Key can be passed in one of the following ways, in order of preference:
--encKey myKey CLI argument (overrides everything else)
.env file in your project folder (
Also, you can provide e.g. --encKeyVar SECRET_ENCRYPTION_KEY_B - the name of the env variable to read the key from
All examples are for global installation. For local installations prepend the command with
SECRET_ENCRYPTION_KEY to be used for encryption/decryption of secret files.
Keep it secret, provide as env variable SECRET_ENCRYPTION_KEY to the following commands.
Encrypt all files (except already encrypted
./secret folder (and its subfolder).
.enc is added to the file.
secret1.json will become
--pattern - directory (pattern) to encrypt (default to ./secret). Can provide many like --pattern p1 p2 or --pattern p1 --pattern p2. Supports
--encKey - provide encryption key
--encKeyVar - read encryption key from env variable with this name (default
--algorithm - encryption algorithm to use (default
--del - delete source files after successful encryption. Be careful!
help - list possible options
Decrypt all encrypted files (
./secret folder (and its subfolders).
.enc extension is removed after encryption, files are overwritten.
secret1.json.enc will become
Options: same as
--dir is used instead of
--dir ./secret will decrypt all
Use dev-lib and
Otherwise, this is the right config for
# All secrets are ignored, except encrypted
/secret/**/*.*
!/secret/**/*.enc