yaml-crypt v0.7.8

yaml-crypt

Command line utility to encrypt and decrypt YAML documents.

Installation

The package is available on the npm registry, so just run

$ yarn global add yaml-crypt
$ yaml-crypt -h

You can also install the package locally:

$ mkdir yaml-crypt && cd yaml-crypt
$ yarn init --yes
$ yarn add yaml-crypt
$ ./node_modules/.bin/yaml-crypt -h

You can also use the Docker image:

$ docker run --rm autoapply/yaml-crypt -h

Usage

First you will need to generate a key file. Currently, both Fernet and Branca encryption schemes are supported.

To generate a new random key, run

$ yaml-crypt --generate-key > my-key-file

To encrypt all values in a YAML file, run

$ yaml-crypt -k my-key-file my-file.yaml

This will encrypt the file contents and rename the file to my-file.yaml-crypt.

The operation will be performed based on the file extension, so to decrypt a file, just use

$ yaml-crypt -k my-key-file my-file.yaml-crypt

To specify an explicit operation, use -e or -d for encryption or decryption.

You can also encrypt only certain parts of a file. Given the following YAML file

apiVersion: v1
kind: Secret
data:
  username: user1
  password: secret123

you can use --path data to only encrypt the values user1 and secret123.

Kubernetes secrets are Base64 encoded, so you should also use the --base64 (or -B) option.

It is also possible to directly open encrypted files in an editor, decrypting them before opening and encrypting again when saving:

$ yaml-crypt -E my-file.yaml-crypt

When editing, you can add new encrypted data by specifying the yaml tag <!yaml-crypt>:

unencrypted:
  hello: world
encrypted:
  key1: !<!yaml-crypt/:0> secret-key-1
  # add the following line to add a new encrypted entry "key2" to the file,
  # which will be encrypted in the yaml-crypt file:
  key2: !<!yaml-crypt> secret123

Configuration

The yaml-crypt command looks in ~/.yaml-crypt for a file config.yaml or config.yml. Currently, only the keys property is supported. These keys will be used when no keys are given on the command line:

$ cat ~/.yaml-crypt/config.yaml
keys:
- key: my-raw-key-data
- key: !!binary my-base64-key-data
$ yaml-crypt my-file.yaml

All whitespaces at the beginning and end of keys will be removed when reading keys.

Related projects

• https://github.com/mozilla/sops
• https://github.com/huwtl/secure_yaml
• https://github.com/StackExchange/blackbox
• https://github.com/bitnami-labs/sealed-secrets

License

The yaml-crypt tool is licensed under the MIT License