Project

valvet

0.0
No release in over 3 years
valvetvarvet/valvetHomepageDocumentationSource CodeBug Tracker
Keep secrets in your config files. Valvet encrypts sensitive values while leaving everything else readable, so you can check the whole file into version control. Uses NaCl sealed boxes via RbNaCl.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
136
Stars
0
Forks
0
Watchers
0
 Releases
Current version
0.1.0
Total releases
1
First release
1980-01-02
Latest release
1980-01-02
 Pull Requests
Open Pull Requests
1
Closed Pull Requests
0
Merged Pull Requests
0
Pull Request Acceptance Rate
0%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2026-02-24
Reverse Dependencies
0

 Dependencies

Runtime

base64
>= 0
rbnacl
>= 0
zeitwerk
>= 0
 Project Readme

Valvet

Keep secrets in your config files. Valvet encrypts sensitive values while leaving everything else readable, so you can check the whole file into version control, just like Rails credentials.

It uses asymmetric encryption (NaCl sealed boxes via RbNaCl), which means anyone on the team can add new secrets using the public key — without ever needing the private key.

Give each environment its own keypair and they can all live in one file, each unable to decrypt the other's secrets.

Usage

CLI

Generate a keypair (public key to stdout, private key to stderr):

valvet keypair                            # prints both, labeled
valvet keypair > public.key 2> private.key  # saves each to a file

Encrypt and decrypt individual values:

valvet encrypt "my secret" --key public.key
valvet decrypt "ciphertext..." --key private.key

Config files

Put your config in a YAML file with !public_key and !encrypted tags:

development:
  public_key: !public_key cWgtEYZ3bDXYgiHGbanGr+vl4HQrDgiAmOlBRc+hhgo=
  secret_key_base: !encrypted 7oc+QbPyIa3Oe4ty09tNWRhgkAvlFjyWcggfeRAz8olE5VRF3lNvJEVGs8xgGquoXvItXPWOfus0ntQaUphFEsANyAE=
  database:
    password: !encrypted 3ad2zo3NKQU1EZm7XB2uFiqE6wAWjPPqjvPTD8rUB3m+ya2xrE5YvEuxDYkswgxqMjRfm5V1OHyz4cnez0GLUTif1+0=

production:
  public_key: !public_key R7ljpsyGiOm2Yz3ElbQwCDDapAMEhCHl6WYWS/ep4vM=
  secret_key_base: !encrypted HWZrJnY+AxBW5+W71Ar6DHkW2clqmtccrcCy5iek+9H4BfYTS1VR5/P3p+YhNzIgd7+MTTJxSTXmGeG9k0CQfoUpnn0=
  database:
    password: !encrypted 8Z2QiPc7gKWqTmjs6mlNiKWPJ997ftzgpiMO/NdEEjzAvXAAckYIqeyOxem+OeCsDHsCwM8j2x8XPH/7VM383dmw+jA=

Rails

Place your config in config/valvet.yml and set VALVET_PRIVATE_KEY in your environment. The Railtie is loaded automatically and exposes Rails.configuration.valvet:

Rails.configuration.valvet.secret_key_base
Rails.configuration.valvet.database.password

Installation

bundle add valvet

Development

bin/setup
rake          # runs tests, linting, and RBS validation

License

MIT