Encrypt file in Rails 3.2 - ruby-on-rails

I want to encrypt a binary file with an asymmetric key from my filesystem within Rails (and then deliver it via email).
Can you recommend how to do this? Is it possible via bcrypt?
I didn't find much (non-outdated) information about this...

Ok, I found a solution by myself - I did it with gpg...
First you have to generate/install the public key on the server and copy the private key to your local machine. Afterwards you can use the following commands to encrypt and compress the file (if you have gzip installed):
# encrypting (argument-list form of system, so the file names never pass through a shell)
system "gpg", "--armor", "-e", "-r", "receiverid", "-o", MYFILE_ENC, MYFILE
# compressing
system "gzip", MYFILE_ENC

Related

ActiveSupport::EncryptedFile::MissingKeyError: Missing encryption key to decrypt file with. Docker

I'm trying to deploy a rails 7 app to Fly.io, which uses Docker to deploy apps. I keep getting the below error when I try to deploy.
ActiveSupport::EncryptedFile::MissingKeyError: Missing encryption key to decrypt file with. Ask your team for your master key and write it to /app/config/credentials/production.key or put it in the ENV['RAILS_MASTER_KEY'].
I've tried putting the following into my docker file:
RUN --mount=type=secret,id=RAILS_MASTER_KEY \
RAILS_MASTER_KEY="$(cat /run/secrets/RAILS_MASTER_KEY)"
Then running:
fly deploy \
--build-secret RAILS_MASTER_KEY=the_actual_secret_key_here
That doesn't work. I've added the key as an environment variable to fly.io, but my understanding is this is failing because production keys aren't available at build time. Anyway, I'm stumped. Any ideas?
I'm new to docker, so it's likely I'm just missing something simple here.

How to deal with merge conflicts in rails ENCRYPTED credential files

With rails 6 (or 5.2) encrypted credentials, I am running into difficulty managing and resolving merge conflicts in the credentials.yml.enc file. As is outlined in the documentation, the intention is that encrypted credentials can be added to source control (https://guides.rubyonrails.org/security.html#custom-credentials)
E.g.
branch_a adds credentials for service a and gets merged to master
branch_b adds credentials for service b and when rebasing, the conflict in the credentials.yml.enc file looks something like this:
<<<<<<< HEAD
sahdkajshdkajhsdkjahsdkjahsdkajhsdkjahsdkjahdskjahsdjkahsdencryptedstring-a09dpjmcas==
=======
laskdjalksjdlakjsdlaksjdlakjsdlaksjdlakjsdlajsdlkajsdlkjasdljalsdajsdencryptedstringrere=
>>>>>>> branch_b
I can view the unencrypted credentials.yml.enc on each branch and resolve conflicts quite manually, but is there a better way to go about managing credentials generally in order to avoid these credential conflicts?
I don't believe there is a better way, no.
Because of the nature of the encryption, there is no way to resolve it in its encrypted state. If that was possible it would imply that you can somehow know the values and keys of the file in the encrypted state.
When you do your merge, you should resolve any conflicts in the source file, and then rerun the command that generates the encrypted file, then complete your merge.
It is possible. From the rails credentials usage:
=== Set up Git to Diff Credentials
Rails provides `rails credentials:diff --enroll` to instruct Git to call `rails credentials:diff`
when `git diff` is run on a credentials file.
Running the command enrolls the project such that all credentials files use the
"rails_credentials" diff driver in .gitattributes.
Additionally since Git requires the driver itself to be set up in a config file
that isn't tracked Rails automatically ensures it's configured when running
`credentials:edit`.
Otherwise each co-worker would have to run enable manually, including on each new
repo clone.
If you don't have rails credentials:diff...
It is possible to merge them, but you will have to decrypt them.
When dealing with merge conflicts, you can run git mergetool and it should generate 4 files:
config/credentials.yml_BACKUP_84723.enc
config/credentials.yml_LOCAL_84723.enc
config/credentials.yml_BASE_84723.enc
config/credentials.yml_REMOTE_84723.enc
You may need to run git mergetool in one terminal window, and in another, run this script:
Note that this will expose your credentials on the local machine.
# Temporarily move credentials file to another location
mv config/credentials.yml.enc ~/Desktop/credentials_temp.yml.enc
# Copy local file to original location
cp config/credentials.yml_LOCAL_* config/credentials.yml.enc
# Decrypt and send decrypted credentials to desktop
rails credentials:show > ~/Desktop/credentials_local.yaml
# Delete the copied local file
rm config/credentials.yml.enc
# Copy remote file to original location
cp config/credentials.yml_REMOTE_* config/credentials.yml.enc
# Decrypt and send decrypted credentials to desktop
rails credentials:show > ~/Desktop/credentials_remote.yaml
# Delete the copied remote file
rm config/credentials.yml.enc
# Move credentials file back
mv ~/Desktop/credentials_temp.yml.enc config/credentials.yml.enc
# See diffs or open both
diff ~/Desktop/credentials_local.yaml ~/Desktop/credentials_remote.yaml
# Delete the decrypted files
rm ~/Desktop/credentials_local.yaml ~/Desktop/credentials_remote.yaml
Local is on the left. Remote is on the right.
Enjoy.
Generally it is recommended to ignore credentials in version control i.e. .gitignore and configure them via environment variable.
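For the plaintext resolution the answers above describe, a key-level three-way merge shows which conflicts are real; this is an added example, not code from any of the posts. It assumes the three inputs are the decrypted YAML of the BASE, LOCAL and REMOTE files (what `rails credentials:show` prints), that credentials are nested mappings, and that `merge3` and `merge_credentials` are hypothetical names; the sample values are constructed.

```ruby
require "yaml"

ABSENT = Object.new.freeze # marks "key not present on this side"

# Three-way merge of nested hashes against their common ancestor.
# Returns [merged, conflicts]; conflicts lists dotted key paths that both
# sides changed to different values (ours is kept as a placeholder there).
def merge3(base, ours, theirs, path = [], conflicts = [])
  merged = {}
  (base.keys | ours.keys | theirs.keys).each do |key|
    b = base.fetch(key, ABSENT)
    o = ours.fetch(key, ABSENT)
    t = theirs.fetch(key, ABSENT)
    value =
      if o == t then o                      # identical on both sides
      elsif o == b then t                   # only theirs changed it
      elsif t == b then o                   # only ours changed it
      elsif o.is_a?(Hash) && t.is_a?(Hash)  # both touched a section: recurse
        merge3(b.is_a?(Hash) ? b : {}, o, t, path + [key], conflicts).first
      else
        conflicts << (path + [key]).join(".")
        o
      end
    merged[key] = value unless value.equal?(ABSENT)
  end
  [merged, conflicts]
end

# Parses the three decrypted documents in memory; nothing is written to disk.
def merge_credentials(base_yaml, ours_yaml, theirs_yaml)
  base, ours, theirs =
    [base_yaml, ours_yaml, theirs_yaml].map { |y| YAML.safe_load(y) || {} }
  merge3(base, ours, theirs)
end

# Constructed sample: each branch adds a service, and both rotate one password.
BASE   = "secret_key_base: constructed\nsmtp:\n  user: app\n  password: old\n"
OURS   = BASE.sub("old", "new-a") + "service_a:\n  api_key: aaa\n"
THEIRS = BASE.sub("old", "new-b") + "service_b:\n  api_key: bbb\n"

if $PROGRAM_NAME == __FILE__
  merged, conflicts = merge_credentials(BASE, OURS, THEIRS)
  puts YAML.dump(merged)
  puts "needs a human decision: #{conflicts.join(', ')}" unless conflicts.empty?
end
```

The two added services merge without any prompt; only `smtp.password` needs a decision before the result is pasted back through `rails credentials:edit`.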

Can I ssh to Mac using Windows Command line without using other tool like putty?

I have a CI system on my Windows to build my server code.
Nowadays, I also want to autobuild my iOS project daily, but it can only be built on a Mac system.
So I wrote a shell script that can build my iOS project on my Mac, and I want to remotely execute my script from Windows.
How can I write a batch file on Windows to remotely access my Mac and execute my script there?
So I can make my CI system execute that batch file every day automatically.
Or... does anyone have a better way to do this?
Thanks!
Get "plink" from the PuTTY download page. Put the command(s) to kick off your Mac shell script in a file (e.g. "maccommands.txt") on your Windows computer. Then make a batch file that contains:
plink -l macusername -m maccommands.txt your.mac.ip.address
If you don't want to be prompted for a password every time, you could make a public-private keypair with an empty passphrase using PuTTYgen. Save the private key as "pc_rsa.ppk" (or whatever you want to call it). Copy the public key out of the PuTTYgen window to the clipboard, and paste it in a text editor and save it (e.g. as "pc_rsa_pub.txt").
Then transfer the file with public key over to the Mac, and add its contents to the end of ~/.ssh/authorized_keys, e.g. with cat pc_rsa_pub.txt >> ~/.ssh/authorized_keys
Then add -i pc_rsa.ppk to the plink command above to use your private key.
(This obviously has security implications, so protect the private key file. You could also use -pw password but that has even greater security implications as the password would be plainly visible within your batch file.)
Another solution is to use openssh. The benefit is not having to use an alternative format for your keys.
You can install Git for Windows. During the installation choose the third option of being able to use the "unix" tools from the command line.
I have a small wrapper utility that loads the agent to memory in github (#selfplug)

How to connect through SSH in Erlang using a PEM key file

Using the ssh module in erlang, it is possible to establish a connection to a remote server.
There are several options indicated in such API, but it is unclear to me which one would allow me to establish a connection that is enforced only by authenticating using a .pem file.
For example, using the ssh command in an OS shell, I can connect to my host using this:
ssh -c 3des -2 -l root -i MYPERMISSIONFILE.PEM myhost.mydomain.com -p 22
In Erlang, the ssh module has a fd option { fd,
ssh:start().
ssh:connect("myhost.mydomain.com",22, ???????? ).
There are several security options. I believe the content of the .pem file could be used as one of the security options, but that would be 1700 characters! There is an option to use a file descriptor [ {fd, } ], but it is unclear to me if that is the way to achieve this.
I was able to get it working by copying the pem file using the name id_rsa in a folder other than ~/.ssh (so it doesn't overwrite any keys you have set up already), e.g. ~/keys, and then passing into ssh:connect/3 the option {user_dir, "~/keys"}. It picks up the renamed pem as the rsa key.

Bash Command which Rails does Not Find

Passenger says:
Ruby on Rails application could not be started
...
Command 'exiftool' not found (MiniExiftool::Error)
When I log in with ssh and type exiftool in any directory, the command works properly.
I have the following line in both .bash_profile and .bashrc
export PATH=$PATH:$HOME/bin
Is it possible that Rails (MiniExiftool plugin) does not recognize that bash command? How can I fix this behaviour?
The PATH for the user your server runs as does not include the directory that exiftool is in. You can either add it to that user's path, or you can refer to exiftool using its full path. I'd recommend this second approach for reasons of security. There are a number of attacks that involve putting trojan horses in a user's path ahead of the directories where the real binaries live.
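A check for the risk this answer names, as an added example that is not part of the original answer: it audits a PATH string for entries that let another account place a binary ahead of the real one, and shows which file a bare command name resolves to. The function names and the temporary directories in `demo` are constructed for illustration.

```ruby
require "tmpdir"

# List PATH entries that another local account could use to shadow a binary.
# Returns [directory, reason] pairs in PATH order.
def risky_path_entries(path)
  path.split(File::PATH_SEPARATOR, -1).each_with_object([]) do |dir, findings|
    if dir.empty? || !dir.start_with?("/")
      findings << [dir, "relative entry (resolved against the current directory)"]
    elsif !File.directory?(dir)
      findings << [dir, "missing directory"]
    elsif File.stat(dir).mode & 0o022 != 0
      findings << [dir, "writable by group or others"]
    end
  end
end

# First executable file named `name`, searching PATH in order as a shell does.
def resolve_command(name, path)
  path.split(File::PATH_SEPARATOR, -1).each do |dir|
    candidate = File.join(dir.empty? ? "." : dir, name)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Constructed scenario: a world-writable directory listed before the trusted
# one, each holding a file named exiftool.
def demo
  Dir.mktmpdir do |root|
    trusted = File.join(root, "usr_bin")
    shared  = File.join(root, "shared")
    { trusted => 0o755, shared => 0o777 }.each do |dir, mode|
      Dir.mkdir(dir)
      File.chmod(mode, dir)
      tool = File.join(dir, "exiftool")
      File.write(tool, "#!/bin/sh\n")
      File.chmod(0o755, tool)
    end
    path = [shared, trusted].join(File::PATH_SEPARATOR)
    { resolved_in: File.basename(File.dirname(resolve_command("exiftool", path))),
      findings: risky_path_entries(path).map { |dir, why| [File.basename(dir), why] } }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Run `risky_path_entries(ENV["PATH"])` as the account the application server uses; an empty result plus an absolute path in the application's configuration covers both halves of the advice.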
