dhall-secret: Encrypt Decrypt Dhall expressions

This is a package candidate release! Here you can preview how this package release will appear once published to the main package index (which can be accomplished via the 'maintain' link below). Please note that once a package has been published to the main package index it cannot be undone! Please consult the package uploading documentation for more information.

[maintain] [Publish]

Please see the README on GitHub at https://github.com/jcouyang/dhall-secret#readme


[Skip to Readme]

Properties

Versions 0.1.9
Change log ChangeLog.md
Dependencies amazonka (>=1.6.1 && <1.7), amazonka-kms (>=1.6.1 && <1.7), base (>=4.7 && <5), bytestring (>=0.10.12.0 && <0.11), cryptonite (>=0.29 && <0.30), dhall (>=1.39.0 && <1.40), dhall-secret, lens (>=4.19.2 && <4.20), memory (>=0.15.0 && <0.16), optparse-applicative (>=0.16.1.0 && <0.17), text (>=1.2.4.1 && <1.3), unordered-containers (>=0.2.16.0 && <0.3) [details]
License BSD-3-Clause
Copyright 2022 Jichao Ouyang
Author Jichao Ouyang
Maintainer oyanglulu@gmail.com
Category Compiler
Home page https://github.com/jcouyang/dhall-secret#readme
Bug tracker https://github.com/jcouyang/dhall-secret/issues
Source repo head: git clone https://github.com/jcouyang/dhall-secret
Uploaded by oyanglulu at 2022-02-26T06:18:37Z

Modules

Downloads

Maintainer's Corner

For package maintainers and hackage trustees


Readme for dhall-secret-0.1.9

[back to package description]

dhall-secret

Build and Test

A simple tool to manage secrets in Dhall configuration, inspired by sops

Install

Download binary according to your OS from releases channel, or if you have nix

nix-env -f https://github.com/jcouyang/dhall-secret/archive/master.tar.gz -iA dhall-secret

Usage

Usage: dhall-secret (encrypt | decrypt | gen-types) [-v|--version]

Available options:
-h,--help                Show this help text
-v,--version             print version

Available commands:
encrypt                  Encrypt a Dhall expression
decrypt                  Decrypt a Dhall expression
gen-types                generate types

Example

create a unencrypted version of Dhall file ./test/example.dhall, put the plain text secret in PlainText

let dhall-secret =
      https://raw.githubusercontent.com/jcouyang/dhall-secret/v0.1.8/Type.dhall

let empty =
      https://raw.githubusercontent.com/dhall-lang/dhall-lang/v22.0.0/Prelude/Map/empty.dhall

in  { kmsExample =
        dhall-secret.AwsKmsDecrypted
          { KeyId = "alias/dhall-secret/test"
          , PlainText = "a secret to be encrypted"
          , EncryptionContext = empty Text Text
          }
    , aesExample =
        dhall-secret.Aes256Decrypted
          { KeyEnvName = "MY_AES_SECRET"
          , PlainText = "another secret to be encrypted"
          }
    , somethingElse = "not secret"
    }

The file contains two secrets to be encrypted

AWS KMS

  1. login to your AWS account, either through ~/.aws/credentials or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment

  2. probably need to also export AWS_REGION=<your-kms-key-region>

AES256

just export the secret string in environment variable that matching the name in KeyEnvName

export MY_AES_SECRET=super-secure-secret

Encrypt

from stdin

> dhall-secret encrypt
let dhall-secret =
      https://raw.githubusercontent.com/jcouyang/dhall-secret/v0.1.0+6/Type.dhall

in  { my-config =
        dhall-secret.Aes256Decrypted
          { KeyEnvName = "MY_AES_SECRET", PlainText = "shhhh" }
    }
[Ctrl-D]
< Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
| Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
| AwsKmsDecrypted :
    { EncryptionContext : List { mapKey : Text, mapValue : Text }
    , KeyId : Text
    , PlainText : Text
    }
| AwsKmsEncrypted :
    { CiphertextBlob : Text
    , EncryptionContext : List { mapKey : Text, mapValue : Text }
    , KeyId : Text
    }
>.Aes256Encrypted
  { KeyEnvName = "MY_AES_SECRET"
  , CiphertextBlob = "Um5EXmk="
  , IV = "CdbCJEEk2B8/e2YWTNvMtg=="
  }

to stdout

> dhall-secret encrypt -f test/example.dhall
{ aesExample =
    < Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
    | Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
    | AwsKmsDecrypted :
        { EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        , PlainText : Text
        }
    | AwsKmsEncrypted :
        { CiphertextBlob : Text
        , EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        }
    >.Aes256Encrypted
      { KeyEnvName = "MY_AES_SECRET"
      , CiphertextBlob = "LxjbrUXYPyUyL3Zs/2e0D+2ERuUl6feqZsAKA8GA"
      , IV = "vMAEGQmmBzw71yTdnIfqDg=="
      }
, kmsExample =
    < Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
    | Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
    | AwsKmsDecrypted :
        { EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        , PlainText : Text
        }
    | AwsKmsEncrypted :
        { CiphertextBlob : Text
        , EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        }
    >.AwsKmsEncrypted
      { KeyId =
          "arn:aws:kms:ap-southeast-2:930712508576:key/5d2e1d54-c2e6-49a8-924d-bed828e792ed"
      , CiphertextBlob =
          "AQICAHi57hQGRM9IFIHoHuk+WakSY0atAV9FXc+z5HouBxa8MAHG1oF/3MNJF3tNIaYnKiFrAAAAdjB0BgkqhkiG9w0BBwagZzBlAgEAMGAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMI0avfHdpPID2SGr8AgEQgDPAVWUzh7vyhloh3ij/BOS4/jIr/4mvyyJ7Nx0XmM1BlE0NQReINgv+Gpu47U15qq6hHS0="
      , EncryptionContext = [] : List { mapKey : Text, mapValue : Text }
      }
, somethingElse = "not secret"
}

in place

dhall-secret encrypt -f test/example.dhall --inplace

to a new file

dhall-secret encrypt -f test/example.dhall -o test/example.encrypted.dhall

Decrypt

to stdout

> dhall-secret decrypt -f test/example.encrypted.dhall
{ aesExample =
    < Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
    | Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
    | AwsKmsDecrypted :
        { EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        , PlainText : Text
        }
    | AwsKmsEncrypted :
        { CiphertextBlob : Text
        , EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        }
    >.Aes256Decrypted
      { KeyEnvName = "MY_AES_SECRET"
      , PlainText = "another secret to be encrypted"
      }
, kmsExample =
    < Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
    | Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
    | AwsKmsDecrypted :
        { EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        , PlainText : Text
        }
    | AwsKmsEncrypted :
        { CiphertextBlob : Text
        , EncryptionContext : List { mapKey : Text, mapValue : Text }
        , KeyId : Text
        }
    >.AwsKmsDecrypted
      { KeyId =
          "arn:aws:kms:ap-southeast-2:930712508576:key/5d2e1d54-c2e6-49a8-924d-bed828e792ed"
      , PlainText = "a secret to be encrypted"
      , EncryptionContext = [] : List { mapKey : Text, mapValue : Text }
      }
, somethingElse = "not secret"
}

in place

dhall-secret decrypt -f test/example.encrypted.dhall --inplace

to a new file

dhall-secret decrypt -f test/example.encrypted.dhall -o test/example.dhall

Re-encrypt

dhall-secret decrypt -f test/example.encrypted.dhall | dhall-secret encrypt --in-place