config-shield
v0.2.3
Published
Store and retrieve data sensative in nature
Downloads
39
Readme
Config Shield
About
The mission behind this project is to provide a "safe" process from which to store properties sensitive in nature, in a manner that is both developer friendly as well as optimized for production use.
Making configuration changes
Install config-shield
in your project:
npm install config-shield --save
Startup the command-line interface from root of application:
npm run config-shield
: enter path of config (enter to use secure-config.json)>
: enter path of private key> my.app.key
set simple_property true
set my-json-prop { "nested": { "values": [ 1, 2, 3 ] } }
set null-prop null
set evaluable-prop-as-string "null"
set string-prop this will be stored as string if type cannot be determined
set array-pop [ 1, 2, 3 ]
set boolean-prop true
set number-prop 5
remove number-prop
get my-json-prop
: { "nested": { "values": [ 1, 2, 3 ] } }
save
: changes saved
exit
Optionally you may also install config-shield
globally:
npm install config-shield -g
config-shield
Deploy your config
This step should be built into your CICD process, to clone the applicable
environment config and copy secure-config.json
over. Ideally these
assets will be in a limited-access store to avoid unnecessary risk.
Do not under any circumstance store your production private keys within your project.
Loading config from your App
var secureConfig = require('config-shield');
// one-time load
secureConfig.load({
configPath: './secure-config.json', // not required if default
privateKeyPath: '/etc/pki/tls/certs/my.app.key'
});
var myObj = secureConfig.getProp('my-json-prop');
Access your secure config from anywhere in your app:
var secureConfig = require('config-shield');
var myObj = secureConfig.getProp('my-json-prop');
Multiple configs? No problem:
var secureConfig = require('config-shield');
secureConfig.load({
instance: 'my-other-config',
configPath: './my-other-secure-config.json',
privateKeyPath: '/etc/pki/tls/certs/my.app.key'
});
var myOtherSecureConfig = secureConfig.instance('my-other-config');
var myObj = myOtherSecureConfig.getProp('my-prop');
Developer Environment
Optionally you may include your development private key within your project to keep things simple, but please do not do this for production environments as you'll be negating the value of this module. Only a limited few should have access to production private keys.
API
var secureConfig = require('config-shield');
- load (options[, cb]) - Load config.
- options.instance (default: 'default') - Name of the config instance.
- options.configPath (required) - Config to load, relative to the current working directory.
- options.privateKeyPath (required) - Private key to load. Or could be any secret.
- options.noCache (default: false) - Will disable caching of decrypted values if true.
- options.alg (default: 'aes-256-ctr') - Algorithm to use for encryption.
- cb (function(err, secureConfig)) - If callback is provided, will load asynchronously, otherwise will return synchronously.
- save ([configPath][, cb]) - Save config.
- configPath (required) - Config to save, relative to the current working directory.
- cb (function(err)) - If callback is provided, will save asynchronously, otherwise will return synchronously.
- convert ([options][, cb]) - Convert existing config to new private key.
- options.privateKeyPath (required) - Private key file to load. Or could be any secret file.
- options.backup (default:
false
) - Write old config values asbackup
to allow for a rotationary period where old key will continue to work. - options.alg (default: 'aes-256-ctr') - Algorithm to use for encryption.
- cb (function(err)) - If callback is provided, will save asynchronously, otherwise will return synchronously.
- dropBackup () - Removes all backup keys.
- getProp (propName) - Return decrypted config value.
- setProp (propName, propValue) - Store config value.
- removeProp (propName) - Remove config value.
- removeAll () - Remove all config values.
- getKeys () - Return an array of available property keys.
- getInstance (instanceName) - Return a config instance.
- setInstance (instance) - Set a config instance.
Rotating keys
In the case you have keys that must be rotated, you can use the convert with backup
option. The process would
require you to:
- Load config with old private key.
- Convert with new private key, setting
backup
totrue
. - Deploy your config change.
- Rotate your private keys.
- Load config with new private key.
- Run
dropBackup
. - Deploy your final config change.
In CLI, would look something like:
config-shield
enter path of config> secure-config.json
enter path of private key> old.key
> convert
enter path of private key> new.key
backup old values to enable key rotations? (enter to disable, or `true`)> true
> save
> exit
Deploy your change, then update your config one last time:
config-shield
enter path of config> secure-config.json
enter path of private key> new.key
> dropBackup
> save
> exit
Deploy the final config. If you skip the step of dropping the backup, your config will become vulnerable to attacks using the old private key, negating most of the value of rotating keys.
Future
Possible future enhancements:
- tts - Time to stale before auto-reloading config.