rskey
is a command-line tool (and bundled Go package) that generates secret
keys interoperable with the format used by RStudio's Workbench, Connect, and
Package Manager products.
It can be used to help manage secrets without the need to install these products first, and is designed for use in Infrastructure-as-Code and containerised deployments of these products.
This tool can also serve as a drop-in replacement for:
-
RStudio Connect's
rscadmin configure --encrypt-config-value
command -
Package Manager's
rspm encrypt
command. -
Workbench's
rstudio-server encrypt-password
command.
No local license keys are required, either.
This is not a general-purpose encryption tool.
Binary releases for Windows, macOS, and Linux are available on GitHub.
If you have a local Go toolchain you can also install via go install
:
$ go install github.com/rstudio/rskey@latest
Binary releases are signed with Sigstore. You can
verify these signatures with their cosign
tool, for example:
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
--signature rskey_0.5.0_linux_amd64.tar.gz.sig \
rskey_0.5.0_linux_amd64.tar.gz
We use Cosign's "keyless"
mode, which uses the OpenID Connect tokens issued by GitHub for this repository
and ephemeral certificates instead of private keys. This feature currently
requires setting COSIGN_EXPERIMENTAL=1
.
You can generate keys with rskey generate
. For example:
$ rskey generate -o /var/lib/rstudio-pm/rstudio-pm.key
# Or, to simply echo the key to standard input:
$ rskey generate
You can then encrypt data (such as database passwords) interactively with rskey encrypt
. For example:
$ rskey encrypt -f /var/lib/rstudio-pm/rstudio-pm.key
Line-separated entries can also be passed on standard input:
$ cat passwords.txt | rskey encrypt -f /var/lib/rstudio-pm/rstudio-pm.key
An rskey decrypt
command is also provided.
Connect version 2022.03.0 and later supports an alternative encryption algorithm, AES-256-GCM. This algorithm is an Approved Security Function under Federal Information Processing Standard 140 (FIPS), unlike the default.
If you prefer to encrypt secrets using this algorithm and are using this version
of Connect or later, pass the --mode=fips
flag to the encrypt
command:
$ rskey encrypt -f connect.key --mode=fips
rskey decrypt
does not require this flag because the algorithm in use can be
determined from the encrypted output.
Secret keys for Workbench are traditionally generated by the uuid
command,
but there is no built-in support for this format in rskey generate
.
To encrypt or decrypt secrets for use with RStudio Workbench, pass the
--mode=workbench
flag to the appropriate command. Both key formats are
acceptable:
$ rskey generate -o /etc/rstudio/secure-cookie-key
$ rskey encrypt --mode=workbench -f /etc/rstudio/secure-cookie-key
$ echo `uuid` > uuid.key
$ rskey encrypt --mode=workbench -f uuid.key
-
Secret key must be kept secret, and anyone in possession of that key can decrypt any data encrypted with it.
-
Encryption for Connect and Package Manager uses the well-known NaCl Secretbox algorithm by default.
-
Connect version 2022.03.0 and later supports an alternative encryption algorithm, AES-256-GCM. This algorithm is an Approved Security Function under Federal Information Processing Standard 140, and can be used by passing
--mode=fips
to therskey encrypt
command. -
Encryption for Workbench uses AES-128-CBC.
-
Key files for Connect and Package Manager are a sequence of 512 hex-encoded, securely-generated random bytes. This means that
rskey generate
is analogous toopenssl rand -hex 512
. -
Key files for Workbench are 32 or more opaque bytes. Most often they are generated by the
uuid
command, but you can use the output ofrskey generate
as well.
rskey
and its packages follow strict semantic versioning.
Licensed under the Apache License, Version 2.0. See LICENSE
for details.