dcr v0.3.0

dcr

Decrypt sensitive parts of log stream on the fly

Build status for master

Decrypts a log stream with some encrypted details

2017-03-25T22:40:38.590Z - warn: [error-logger.js] Request body: ENCRYPTED(09fdb69ec06f0357e97225178e7403041b32da1520ce5b3eea1188f2a92c5947a29f5206)

to readable on the fly:

2017-03-25T22:40:38.590Z - warn: [error-logger.js] Request body: {"name": "John Doe"}

Why

This tool makes life easier when handling logs which have encrypted parts.

I use this in my node backend projects. My main use case is to log body objects of failed requests, which may contain user email, addresses and other personal data. Sensitive data needs to be encrypted and logging them as plain text is not a good practice. However I want to keep other parts of the logs as plain text so they are searchable in e.g. Papertrail.

This prevents accidentally leaking user data via log dumps.

Usage

In server code, encrypt certain parts of logs with simple-encryptor. Make sure you print in ENCRYPTED(gibberish) format.

const simpleEncryptor = require('simple-encryptor');

const encryptor = simpleEncryptor(process.env.LOG_ENCRYPT_KEY);
const userData = { name: 'John Doe', securityNumber: '1234' };
console.log('User data', `ENCRYPTED(${encryptor.encrypt(secretObj)})`);

To print logs as plain text

npm start | dcr

Print Heroku logs as plain text

heroku logs --force-colors -a my-app -t | dcr --key=$(heroku config:get LOG_ENCRYPT_KEY -a my-app)

Decrypt also stderr

npm start 2>&1 | dcr

Decryption key is read from process.env.LOG_ENCRYPT_KEY by default.

Unfortunately the only way to use dcr currently is via piping. Open an issue if you have other use cases.

Install

npm install -g dcr

Only Node 6 is "officially" supported at the moment.

License

MIT