dhall-secret: Encrypt Decrypt Dhall expressions
This is a package candidate release! Here you can preview how this package release will appear once published to the main package index (which can be accomplished via the 'maintain' link below). Please note that once a package has been published to the main package index it cannot be undone! Please consult the package uploading documentation for more information.
Properties
| Versions | 0.1.0.0, 0.5.50, 0.5.52, 0.5.53 |
|---|---|
| Change log | ChangeLog.md |
| Dependencies | amazonka (>=1.6.1 && <1.7), amazonka-kms (>=1.6.1 && <1.7), base (>=4.7 && <5), bytestring (>=0.10.12.0 && <0.11), cryptonite (>=0.29 && <0.30), dhall (>=1.39.0 && <1.40), dhall-secret, lens (>=4.19.2 && <4.20), memory (>=0.15.0 && <0.16), optparse-applicative (>=0.16.1.0 && <0.17), text (>=1.2.4.1 && <1.3), unordered-containers (>=0.2.16.0 && <0.3) [details] |
| License | BSD-3-Clause |
| Copyright | 2022 Jichao Ouyang |
| Author | Jichao Ouyang |
| Maintainer | oyanglulu@gmail.com |
| Category | Compiler |
| Home page | https://github.com/jcouyang/dhall-secret#readme |
| Bug tracker | https://github.com/jcouyang/dhall-secret/issues |
| Source repo | head: git clone https://github.com/jcouyang/dhall-secret |
| Uploaded | by oyanglulu at 2022-05-29T02:59:48Z |
Modules
[Index] [Quick Jump]
- Dhall
- Dhall.Secret
- Dhall.Secret.Aes
- Dhall.Secret.Aws
- Dhall.Secret.Chacha
- Dhall.Secret
Downloads
- dhall-secret-0.1.0.0.tar.gz [browse] (Cabal source package)
- Package description (as included in the package)
Maintainer's Corner
Package maintainers
For package maintainers and hackage trustees
Readme for dhall-secret-0.1.0.0
[back to package description]dhall-secret
A simple tool to manage secrets in Dhall configuration, inspired by sops
Install
Download binary according to your OS from releases channel, or if you have nix
nix-env -f https://github.com/jcouyang/dhall-secret/archive/master.tar.gz -iA dhall-secret
Usage
Usage: dhall-secret (encrypt | decrypt | gen-types) [-v|--version]
Available options:
-h,--help Show this help text
-v,--version print version
Available commands:
encrypt Encrypt a Dhall expression
decrypt Decrypt a Dhall expression
gen-types generate types
Example
create a unencrypted version of Dhall file ./test/example.dhall, put the plain text secret in PlainText
let dhall-secret =
https://raw.githubusercontent.com/jcouyang/dhall-secret/v0.1.8/Type.dhall
let empty =
https://raw.githubusercontent.com/dhall-lang/dhall-lang/v22.0.0/Prelude/Map/empty.dhall
in { kmsExample =
dhall-secret.AwsKmsDecrypted
{ KeyId = "alias/dhall-secret/test"
, PlainText = "a secret to be encrypted"
, EncryptionContext = empty Text Text
}
, aesExample =
dhall-secret.Aes256Decrypted
{ KeyEnvName = "MY_AES_SECRET"
, PlainText = "another secret to be encrypted"
}
, somethingElse = "not secret"
}
The file contains two secrets to be encrypted
a secret to be encryptedis a secret needs to be encrypted via KMS with key idalias/dhall-secret/testanother secret to be encryptedis a secret needs to be encrypted via AES256, the secret string of AES encryption need to be provide in environment vairableMY_AES_SECRET
AWS KMS
-
login to your AWS account, either through
~/.aws/credentialsorAWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEYenvironment -
probably need to also
export AWS_REGION=<your-kms-key-region>
AES256
just export the secret string in environment variable that matching the name in KeyEnvName
export MY_AES_SECRET=super-secure-secret
Encrypt
from stdin
> dhall-secret encrypt
let dhall-secret =
https://raw.githubusercontent.com/jcouyang/dhall-secret/v0.1.0+6/Type.dhall
in { my-config =
dhall-secret.Aes256Decrypted
{ KeyEnvName = "MY_AES_SECRET", PlainText = "shhhh" }
}
[Ctrl-D]
let dhall-secret = ...
in dhall-secret.Aes256Encrypted
{ KeyEnvName = "MY_AES_SECRET"
, CiphertextBlob = "Um5EXmk="
, IV = "CdbCJEEk2B8/e2YWTNvMtg=="
}
to stdout
> dhall-secret encrypt -f test/example.dhall
let dhall-secret = ...
in { aesExample =
dhall-secret.Aes256Encrypted
{ KeyEnvName = "MY_AES_SECRET"
, CiphertextBlob = "LxjbrUXYPyUyL3Zs/2e0D+2ERuUl6feqZsAKA8GA"
, IV = "vMAEGQmmBzw71yTdnIfqDg=="
}
, kmsExample =
dhall-secret.AwsKmsEncrypted
{ KeyId =
"arn:aws:kms:ap-southeast-2:930712508576:key/5d2e1d54-c2e6-49a8-924d-bed828e792ed"
, CiphertextBlob =
"AQICAHi57hQGRM9IFIHoHuk+WakSY0atAV9FXc+z5HouBxa8MAHG1oF/3MNJF3tNIaYnKiFrAAAAdjB0BgkqhkiG9w0BBwagZzBlAgEAMGAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMI0avfHdpPID2SGr8AgEQgDPAVWUzh7vyhloh3ij/BOS4/jIr/4mvyyJ7Nx0XmM1BlE0NQReINgv+Gpu47U15qq6hHS0="
, EncryptionContext = [] : List { mapKey : Text, mapValue : Text }
}
, somethingElse = "not secret"
}
in place
dhall-secret encrypt -f test/example.dhall --inplace
to a new file
dhall-secret encrypt -f test/example.dhall -o test/example.encrypted.dhall
update a encrypted file
let dhall-secret = ...
in { foo =
{ aes256 =
dhall-secret.Aes256Encrypted
{ KeyEnvName = "MY_AES_SECRET"
, CiphertextBlob = "QBwc5A=="
, IV = "6HNitzH9f3xf27t99XZa9g=="
}
, plain = "hello world"
}
}
+ with foo.aes256
+ =
+ dhall-secret.Aes256Decrypted
+ { KeyEnvName = "MY_AES_SECRET", PlainText = "hello AES" }
then
dhall-secret encrypt -f test/example.dhall -i
Decrypt
to stdout
> dhall-secret decrypt -f test/example.encrypted.dhall
let dhall-secret = ...
in { aesExample =
dhall-secret.Aes256Decrypted
{ KeyEnvName = "MY_AES_SECRET"
, PlainText = "another secret to be encrypted"
}
, kmsExample =
dhall-secret.AwsKmsDecrypted
{ KeyId =
"arn:aws:kms:ap-southeast-2:930712508576:key/5d2e1d54-c2e6-49a8-924d-bed828e792ed"
, PlainText = "a secret to be encrypted"
, EncryptionContext = [] : List { mapKey : Text, mapValue : Text }
}
, somethingElse = "not secret"
}
in place
dhall-secret decrypt -f test/example.encrypted.dhall --inplace
to a new file
dhall-secret decrypt -f test/example.encrypted.dhall -o test/example.dhall
Re-encrypt
dhall-secret decrypt -f test/example.encrypted.dhall | dhall-secret encrypt --in-place