(r)EJSON

rejson is a utility for managing a collection of secrets in source control. The secrets are encrypted using collected in a JSON file, in which all the string values are encrypted. Public keys are embedded in the file, and the decrypter looks up the corresponding private key from its local filesystem.

This is a rust port of [EJSON] with a few extra bells and whistles. Full credit should go to the team that made EJSON. No innovation here other than needing Rust bindings and wanting a few extra features I'm not sure belonged upstream.

Install

cargo install rejson

Since this is a drop-in replacement for ejson you can add alias ejson="rejson" if you like. The expectation is that this is 100% compatible with ejson and it only additive. If that's not the case, it's a bug, and I'd appreciate you filing an issue.

Additions to EJSON

• A --strip-key flag on decrypt which will remove _public_key from the result.
• env command which will export all keys under the top-level environment key.

Usage

CLI

See rejson -h or (cargo run -- -h) for usage details.

```ignore A command line utility for managing secrets

Usage: rejson

Commands: encrypt Encrypt one or more EJSON files decrypt Decrypt an EJSON file keygen Generate a new EJSON key pair env Export the all scalar values under the "environment" key help Print this message or the help of the given subcommand(s)

Options: -h, --help Print help -V, --version Print version ```

To export all environment values in the environment key, run eval $(rejson env secrets.ejson).

ignore { "_public_key": "...", "environment": { "SOME_KEY": "SOME_VALUE" } }

Docker

A docker image is published for each release of rEJSON. Usage is similar to using the binary, only the /keys and /files volumes are required for encrypt/decrypt functionality.

```ignore

generate a new key pair

docker run --rm -it rejson keygen

encrypt a file to disk

docker run --rm -it \ -v $(pwd)/keys:/keys \ -v $(pwd)/secrets:/files \ rejson encrypt /files/secrets.ejson

decrypt a file to stdout

docker run --rm -it \ -v $(pwd)/keys:/keys \ -v $(pwd)/secrets:/files \ rejson decrypt /files/secrets.ejson ```

Code

```rust use std::fs;

use rejson::{KeyPair, SecretsFile};

fn main() -> Result<(), Box> { let file = "build/secrets.ejson"; let mut secretsfile = SecretsFile::load(file).expect("failed to load file"); secretsfile.transform(rejson::compact()?)?; secretsfile.transform(rejson::encrypt(&secretsfile)?)?;

let json = secrets_file.to_string();
let data = json.as_bytes();
fs::write(file, data)?;

println!("Wrote {} bytes to {}", data.len(), file);
Ok(())

} ```

Development

Local Setup

• Ensure you're using nightly (currently required only for Rustfmt and the trait_alias feature).
• Add pre-commit to avoid committing malformatted code

ignore ln -s -f ../../build/pre-commit .git/hooks/pre-commit

Cutting a New release

Run build/release. This will:

• Update version in Cargo.toml
• Create a new commit with the message "Release v"
• git tag -sm "Release v<version" v<version>
• git push --tags

From there, the release pipeline will publish the crate and the corresponding docker image.