coder wearing a hood and watching data on a monitor

Better secrets for Node.js apps? Meet Schluessel

TLDR

Secrets. Encrypted. Easy to Use. Much fork. Much secret wow.

https://github.com/Pik-9/schluessel

About Secrets

You know, the naughty bits in your code like API keys & passwords. Pretty much everyone knows, especially if you are using source control (please tell me you use source control. Lie to me, if need be). As people on a mission to make cool things happen, dealing with secrets just becomes just another one of those pesky topics that delay the FUN. If you are working in Node.js, there’s no shortage of options for managing secrets, but I had three criteria…

Dear Secret Santa

Can you store my secrets with you in the north pole? How do I get them back when I need them? Can I have a pony? OK, here were my three criteria:

  • Easy to set-up and use
  • Didn’t rely on .gitignore (or similar) to keep secrets away from mainstream eyeballs
  • Encrypted

Schluessel (which apparently is German for “keys.” I thought it was pastry) hits all three of these marks because in one command you can setup the encryption key, the secrets file to store your secrets and it will also handle .gitignore for you!

Even better, when you go to edit your secrets, you issue another command and it will decrypt the file into a temp file, open the editor, wait for you to save and close the file, encrypt the temp file and store it back to your secrets file. How much better can it get?

Other Options

I did consider other options, and thought maybe I should share why I did not select those.

HashiCorp Vault: Great product, but overkill for my rig. Certainly, though, if you want a more enterprise solution, this one will do the trick!

dotenv: This is a gadget that let’s you store secrets as name-value pairs in a “.env” file and map to that at runtime. It’s easy to setup, but not encrypted, and if you forget or accidentally change your .gitignore, those .env files can show up in your source code rep-oh-nooooooo!!.

config.js: This is more just a practice – no packages to setup, but it’s even more dangerous than dotenv, because not only is it not encrypted, you have to specifically block the config.js file in .gitignore. Unless people know this .js file is super secret, the extension makes it look like just another javascript file.

Much Fork

I did fork Schluessel, because I wanted to do a couple other things with it in my version:

  • I wanted the option to store the key it generated in a completely different path from the project
  • I wanted the option to specify my editor instead of use my system’s default assigned one
  • And, since I wanted to use vscode, I noticed that I needed to add the “–wait” parameter for it function properly.

My fork adds these options. They are not as elegant as the rest of the project so….I don’t expect my pull request to be accepted, but it could happen!

Happy coding!

Photo by Anete Lusina from Pexels

Leave a Reply

Your email address will not be published.