Krishna Mannem

December 27, 2021

[wip] A simpler approach to secrets

eYaml

eyaml lets Git be the source of truth for your secrets. Take a look:


📝
I've recently learned of https://github.com/mozilla/sops. It's very similar, and you might question why choose this project. I built this as a way for hobbyists to have a simple way to handle secrets. I can't afford to manage a Vault instance and I deploy apps on a PaaS (like fly.io), so sops is missing integrations for me. If this is you, I'll keep maintaining this tool since I'll continue to depend on it.

Is it Good?

I think so. All credit to ejson for the creativity, but it's the least burdensome way I've found so far. Here are a few things it helps with...

  • Collaborators only need the public key to add or update secrets
  • Check it into Git
    • Deploy changes to secrets along with the app
    • Get a revision history for easy reverts and blames
  • It's a YAML file, so do whatever you would do with any YAML file
  • Keep the private (decryption) key isolated; it is the one thing that must never land in the repo
    • Integrate with iCloud Keychain for personal projects or 1Password for professional ones. An enterprise? There's a Vault extension.

How do I get Secrets to Prod?

  1. Add the eyaml file to your project & git push
  2. Store your private key so that it is accessible in Prod (k8s secrets? Vault?) and nowhere else; the public key alone cannot decrypt anything
  3. eyaml setenv my_config.e.yaml
    • you can do this in a pre-deploy hook, so the secrets are only ever decrypted on the host that runs the app
  4. Your app can now read secrets through the exported environment

Why?

Secrets shouldn't be hard. They're rarely something I want to think about when building something, but the approaches available today often make me think about them; they fall short of solving the problem well.
The workflow I prefer is one within Git. It avoids creating a specialized fork of work just for something as boring as managing secrets. This isn't new: tools like ansible-vault or ejson (which I iterated on) exist, but they are incomplete or don't live up to their full potential.

ansible-vault encrypts an entire YAML file into an opaque blob that you can push to Git. Unfortunately, since it's no longer an editable format, you've lost the ability to git blame, and even seeing which keys are present requires calling out to the CLI.

ejson is a great tool and a step above ansible-vault; I loved using it at Shopify. ejson preserves your config's structure by encrypting only the values of the document, so the file keeps a meaningful revision history and PRs are more reviewable. However, ejson works on a JSON document, and for better or worse the industry has settled on YAML as its default config format.

eyaml, as its name suggests, is mostly what ejson is but for YAML. This matters: YAML is a format that's a bit easier to manage and one that allows comments, which lets me add context for changes that I might otherwise have hidden away in a commit message.
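To make the value-only encryption concrete, here is an added example written for this page; it is not eyaml's or ejson's own code. It serves both the "How do I get Secrets to Prod?" steps above and the ejson comparison: each scalar of a flat key: value document is sealed with a fresh ephemeral X25519 key and AES-256-GCM (a sealed-box construction, assumed here and not necessarily what eyaml uses), keys and comments stay in the clear, values that are already sealed are skipped so re-saving does not churn ciphertext, and DecryptToEnv plays the part of the setenv step. The EY[...] marker, the sampleDoc input and the function names are all assumptions of this example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// EY[...] is an assumed marker for a sealed value; eyaml's real encoding is not shown on this page.
const prefix = "EY["

// Constructed sample input for the demo, not taken from the project.
const sampleDoc = "# database credentials, rotated 2021-12\ndb_password: hunter2\napi_url: https://api.example.test/v1\n"

func GenerateKeypair() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// sealedBoxKeys derives a per-value AES-256-GCM key and nonce from the X25519 shared secret and
// both public keys; because the ephemeral key is fresh for every value, the (key, nonce) pair is too.
func sealedBoxKeys(shared []byte, eph, recipient *ecdh.PublicKey) (cipher.AEAD, []byte) {
	h := sha512.Sum512(bytes.Join([][]byte{shared, eph.Bytes(), recipient.Bytes()}, nil))
	block, _ := aes.NewCipher(h[:32]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)    // nor can GCM over an AES block
	return gcm, h[32:44]
}

// EncryptValue needs only the recipient's public key, so collaborators never touch the private key.
func EncryptValue(recipient *ecdh.PublicKey, plaintext string) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return "", err }
	shared, err := eph.ECDH(recipient)
	if err != nil { return "", err }
	gcm, nonce := sealedBoxKeys(shared, eph.PublicKey(), recipient)
	// Wire layout: ephemeral public key (32 bytes) || ciphertext+tag; the nonce is re-derived on open.
	blob := gcm.Seal(eph.PublicKey().Bytes(), nonce, []byte(plaintext), nil)
	return prefix + base64.StdEncoding.EncodeToString(blob) + "]", nil
}

// DecryptValue is the half that needs the private key, so it runs only where that key lives (Prod).
func DecryptValue(priv *ecdh.PrivateKey, token string) (string, error) {
	if !strings.HasPrefix(token, prefix) || !strings.HasSuffix(token, "]") { return "", errors.New("not a sealed value") }
	blob, err := base64.StdEncoding.DecodeString(token[len(prefix) : len(token)-1])
	if err != nil || len(blob) < 32 { return "", errors.New("malformed sealed value") }
	eph, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil { return "", err }
	shared, err := priv.ECDH(eph)
	if err != nil { return "", err }
	gcm, nonce := sealedBoxKeys(shared, eph, priv.PublicKey())
	pt, err := gcm.Open(nil, nonce, blob[32:], nil)
	if err != nil { return "", errors.New("wrong key or tampered value") }
	return string(pt), nil
}

// entry splits a flat "key: value" line; ok is false for blank lines, comments and lines without a colon.
func entry(line string) (key, value string, ok bool) {
	key, value, ok = strings.Cut(strings.TrimSpace(line), ":")
	return strings.TrimSpace(key), strings.TrimSpace(value), ok && key != "" && !strings.HasPrefix(key, "#")
}

// EncryptDocument rewrites only the values: keys, comments and blank lines pass through, and values
// that are already sealed are left alone so an unrelated edit does not churn ciphertext and confuse git blame.
func EncryptDocument(recipient *ecdh.PublicKey, doc string) (string, error) {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		line := sc.Text()
		key, value, ok := entry(line)
		if !ok || value == "" || strings.HasPrefix(value, prefix) { out = append(out, line); continue }
		sealed, err := EncryptValue(recipient, value)
		if err != nil { return "", err }
		out = append(out, key+": "+sealed)
	}
	return strings.Join(out, "\n") + "\n", nil
}

// DecryptToEnv is the "setenv" step: sealed values opened into the map a pre-deploy hook would export.
func DecryptToEnv(priv *ecdh.PrivateKey, doc string) (map[string]string, error) {
	env := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		key, value, ok := entry(sc.Text())
		if !ok { continue }
		if strings.HasPrefix(value, prefix) {
			pt, err := DecryptValue(priv, value)
			if err != nil { return nil, fmt.Errorf("%s: %w", key, err) }
			value = pt
		}
		env[key] = value // plaintext entries are exported unchanged
	}
	return env, nil
}
```

Run EncryptDocument with the public key wherever edits happen and DecryptToEnv with the private key only in the deploy hook. The skip-already-sealed rule in EncryptDocument is what keeps git blame meaningful: because every seal uses a fresh ephemeral key, re-encrypting untouched values would rewrite every line on every save, and the wrong-key path in DecryptValue fails closed with an error rather than exporting garbage into the environment.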