Skip to content

What Keys Can Do

Jump to bottom
Jeff Felchner edited this page Dec 30, 2020 · 3 revisions

Now that you know a bit about the types of keys that Chamber provides to you, let's take a look at what they can do.

Encrypting Information

When you think about it, there's no downside to being able to allow someone to encrypt information if they own the plain text of that same information.

For this reason, the public key can output an encrypted string that no one (except the person with the private key) can turn back into the original text.

WARNING: The public key can never undo its encryption. If you encrypt something you own with the public key, you cannot use the public key to reverse what you did.

On the other hand, the private key is able to turn encrypted information back into the original raw data.

Chamber Encryption Example

Let's say you have a settings.yml with the following information:

smtp:
  username:         'hello@example.com'
  _secure_password: 's3cr3t'

When you execute chamber secure, Chamber will use your public key (chamber.pub.pem) to turn s3cr3t into something like:

smtp:
  username:         'hello@example.com'
  _secure_password: 'JL5hAVux4tERpv49QPWxy9H0VC2Rnk7V8/e8+1XOwPcXcoH/a7Lh253UY/v9m8nI/Onb+ZG9nZ082J4M/BmLa+f7jwMEwufIqbUhUah9eKIW8xcxlppBYpl7JVGf2HJF5TfCN44gMQNgGNzboCQXKqRyeGFm4u772Sg9V2gEx/q7qJ6F4jg7v/cltCFLmJfXA2SHA5Dai4p9L4IvMVVJGm34k5j7KOegNqpVWs2RY99cagjPuzc9VM2XSUsXgqcUJdmH8YtPW8Kqkyg0oYlRh6VQWABlWXwTZz74QjTTjqtqfoELIoFTMBDh+cCvuUTAE5m06LhlqauVrB4UnBsd5g=='

This value is now safe to check into your version control. Why? Because no one (except your select few) have access to the private key.

If Chamber has access to your private key when it's running, calling Chamber.dig!('smtp', 'password') (in this example), will transparently decrypt the encrypted value into s3cr3t.

Verifying Ownership

Let's say that you have a message:

My name is Jeff and I wrote Chamber. It's an amazing way to keep your settings secure!

Now, I clearly don't care who sees that message! But how does someone who receives that message, know it was actually I who wrote it?

Well, my private key can look at some data and spit out a string of characters. This string, is a "signature". The signature is intended to be public (for reasons we'll see in a moment).

For our original message, the signature might look something like this:

FlPpqkwkmbgv/dY/+EIqnA3X4z9SyMWOl+wU3uH+skd/XW4E64t00DVJyyDhlR39
lWXPDf2zPr7GteI8cGzdqLTH8rcxbaI9RwwA4SXUnkQd9EA78eTcODUy5HYvOIVE
CEyhtieVyMd66XGy6r5dvNXn1wk3u0flCcyP0cVh+og2+IfbtMqvTUH3HvCKU9ko
ocwVS7OGff6LpknX9j8E5MDv9Lrx6EWhbfrZ8I3NZxJkzNfuNex/qn1kTJr6xVH5
k4lZW/WFRUKdv72oL6d3xO1H/OSc2Otfmp6HMLFzrarq77Z1D1wWL+zySmdCHq5r
dGB9Pg/fv5BOsy0Qf5Oe9Q==

Now, what happens to the signature if I change "wrote" in the original message to "write"? It's a single character change, however:

wDnK13YWhMOnD0NjNesyYp9at9kX1rRB3nlJMkU0KpJ+IbxR3jKx+xqWMPil/uaM
Q9qmq9Lr6L093lIWhGLhkY7wBtFv4EI2WszW2jYHSy6T7i4gMud5We8NPVCJd2js
tCGWQ2bPdfX1b6Xktdr3vJO2wzdKj3JwCCUTO5nyaNo0bwyDWKCV5d2HPS3BzDaB
Y6mZqKstfhHQamZQF8yHNT/rVgEChYS783L6bOocUrZFXc9zI6Ffwt2eQge39Y1t
+orrj1/bVo+cOx2c9cB8sdUoAbyKNRgtEDqCAJcLRXjteVvcxjfFwuLpMvGbQeoE
TdHLp4FFaGu5Bc8Avkxm5Q==

the signature is completely different!

How Can We Use The Signature?

Well, now that we have a signature, what is it useful for? The author of the message, who has previously given their public key to someone, can send both the message and the signature to that person like this:

My name is Jeff and I wrote Chamber.  It's an amazing way to keep your
settings secure!

Signature:

FlPpqkwkmbgv/dY/+EIqnA3X4z9SyMWOl+wU3uH+skd/XW4E64t00DVJyyDhlR39
lWXPDf2zPr7GteI8cGzdqLTH8rcxbaI9RwwA4SXUnkQd9EA78eTcODUy5HYvOIVE
CEyhtieVyMd66XGy6r5dvNXn1wk3u0flCcyP0cVh+og2+IfbtMqvTUH3HvCKU9ko
ocwVS7OGff6LpknX9j8E5MDv9Lrx6EWhbfrZ8I3NZxJkzNfuNex/qn1kTJr6xVH5
k4lZW/WFRUKdv72oL6d3xO1H/OSc2Otfmp6HMLFzrarq77Z1D1wWL+zySmdCHq5r
dGB9Pg/fv5BOsy0Qf5Oe9Q==

And the person who receives it can use the public key, the message, and the signature to be certain that the person who wrote the message has possession of the private key. And because we don't give our private keys to anyone, they can infer with decent certainty that the person who wrote the message is the person they think it is.

Chamber Verification Example

Chamber allows its users to (optionally) sign their settings files with a private key. If you want full information on this, see Verifying Settings.

For example, if you have a settings.yml file which looks like this:

smtp:
  username:         'hello@example.com'
  _secure_password: 'JL5hAVux4tERpv49QPWxy9H0VC2Rnk7V8/e8+1XOwPcXcoH/a7Lh253UY/v9m8nI/Onb+ZG9nZ082J4M/BmLa+f7jwMEwufIqbUhUah9eKIW8xcxlppBYpl7JVGf2HJF5TfCN44gMQNgGNzboCQXKqRyeGFm4u772Sg9V2gEx/q7qJ6F4jg7v/cltCFLmJfXA2SHA5Dai4p9L4IvMVVJGm34k5j7KOegNqpVWs2RY99cagjPuzc9VM2XSUsXgqcUJdmH8YtPW8Kqkyg0oYlRh6VQWABlWXwTZz74QjTTjqtqfoELIoFTMBDh+cCvuUTAE5m06LhlqauVrB4UnBsd5g=='

Running chamber sign will create a signature file (in this case settings.sig) which will contain something like the following:

Signed By:  Jeff Felchner
Signed Via: .chamber.signature.pem
Signed At:  2017-01-01 00:00:00 UTC

-----BEGIN CHAMBER SIGNATURE-----
H8MxaNAhRfbmvmkmANwDG3rHyrbvS1trIhCxFRNmCjMnf6VA35aFNuxdsCgEukTr
WPILQPJlRG0JKUKZ2Bq8DULNV5dmfHKy55D0PL24Tg/NTg9Y0KFtT1zhwrSlSOjV
zlObDrDC+NU22+8z+V2vhEcCZOn55QdUlM1q8UCpIkO/qBU1Gk2IW+PTc+aXfbTO
k52n/MN51uzb3e3tQFFfFLXXqlCJ+sFlQfs9lH2Ft7TH69FpyamXJX8R7O5eI/Sw
MfEjQxqV5IJ/jda45L+fWuqugJyQmkqjiUSF6iQkmtHb01cYAqWn3hf97u1EmR0H
eiBVlcCUVybI335KVAx50A==
-----END CHAMBER SIGNATURE-----

settings.sig will be checked into version control. Once it is, anyone who pulls down the repository can run chamber sign --verify and make sure that the settings files were all approved by one of the people who have the private key.

Kompanee Logo Copyright ©2023

  1. Release News
  2. Gem Comparison
  3. 12-Factor App Rebuttal
  4. Environment Variable Problems
    1. Lack of Complex Values
    2. Organization
    3. Environment Sharing
    4. Team Member Syncing
    5. Environment Syncing
    6. Local Settings
    7. Tracking Changes
  5. Installation
    1. Initialization
    2. In a Ruby Project
    3. In a Rails Project
    4. In a Rails Engine
    5. In a Sinatra Project
    6. In a Padrino Project
    7. In a Hanami Project
  6. Basics
    1. File Layout
    2. Defining Settings
    3. Accessing Settings
    4. Namespace Basics
      1. Inline Namespaces
      2. Host-Based Settings
    5. Encryption Basics
      1. Encrypting Your Settings
      2. Accessing Encrypted Settings
    6. Environment Variables
  7. Defining Settings
    1. ERB Preprocessing
    2. Runtime Values
    3. Dynamic Templating
  8. Accessing Settings
    1. Dig
  9. Verifying Settings
  10. Namespaces
    1. File-Based Namespaces
    2. Mix and Match
    3. Custom Namespaces
  11. Environment Variables
    1. Coercions
  12. Integrations
    1. Git Commit Hooks
    2. Cloud Services
  13. Encryption
    1. Keypair Encryption
    2. What Keys Can Do
    3. Encrypting Nested Structures
    4. Namespaced Key Pairs
    5. Re-Securing
    6. Loading Keys from ENV
  14. Advanced Usage
    1. Manually Specifying Settings Files
    2. Outputting Your Settings
    3. Specifying Multiple Namespaces
    4. Handling Duplicates/Collisions
    5. Extending Chamber
  15. Command Line Reference
    1. init
    2. show
    3. files
    4. sign
    5. secure
    6. unsecure
    7. compare
Clone this wiki locally