Nimbus Secure Store Client
This gem provides the functionality required to talk to the Nimbus Secure service.
Nimbus Secure is a service that provides your web application with just-in-time access to the credentials and other sensitive data your application needs to operate, without exposing those credentials to inappropriate outside access.
Examples of sensitive data you can store include database credentials, service credentials, session cookie encryption keys, AWS keys, and other sensitive information, without fear of it being stolen or read by an unauthorized individual.
Nimbus Secure stores your sensitive data encrypted under an encryption key that you control, and provides an API through which your application retrieves the credentials in a safe and secure manner. No one who has access to your application, or even to its source code, needs access to your production secrets. Nimbus Secure ensures that only your application, and those you specifically authorize, can read them.
Security is essential to us, so you never have to send your unencrypted sensitive data, or your encryption key, to Nimbus Secure for any reason. All encryption and decryption happens in your own web browser when you access your data via our web site, and inside your application when you access it via this gem.
The Service
To use this Gem, you must sign up for the service by visiting www.nimbussecure.com and signing up for an account. Both paid and free accounts are available.
Once you sign up for the service, you create encryption keys: secret values used to encrypt and decrypt the data you store within the service. Although you set up the encryption keys from the service website, the keys themselves are never sent to our servers; only you, and any person or system you authorize by giving them your encryption key, will have access to the stored data. Within the service, each encryption key is referred to by a unique, human-readable identifier you assign to it.
You may create as many encryption keys as you like; one per service or system is a typical choice. You can also add a new encryption key and roll your data over to it easily (key rotation) in order to limit the exposure of any one key. Each encryption key has a name for easy identification, and we store a salted digest of the key itself to verify correctness when it is used. Because that digest can be tested against guesses offline, an encryption key should be a long random value, never a password or phrase.
Once your encryption keys are set up, you enter your sensitive data as "stored data". Stored data is encrypted under the encryption key you specify before it is uploaded to our servers.
For security purposes, whenever the website or this gem requires an encryption key (in order to encrypt or decrypt your sensitive data), it must be provided by you: by the user of the website, or by your application's configuration when using the gem. The value provided is checked against the stored salted digest for validity before it is used for the requested encryption or decryption. That encryption or decryption occurs entirely on the client (the user's browser for the website, the application server for users of the gem); neither the key nor the plaintext is ever sent to Nimbus Secure.
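The split described above, as an added illustrative example in Ruby (this is not the gem's or the service's own code, and the real wire format, digest construction and cipher choice are not documented on this page): the server holds only ciphertext and a salted digest of the key, so it can reject a wrong key without being able to recover the right one, while encryption and decryption happen entirely on the client. FakeServer, ClientCrypto, store_secret and lookup_secret are names invented for this example; the key is AES-256-GCM so a tampered blob is detected at decryption time.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Added example, not the gem's code. Toy model of the client/server split:
# the client alone holds the encryption key; the server stores only the
# ciphertext and a salted SHA-256 digest of the key.

KEY_BYTES  = 32  # AES-256 key; must be random, since a digest of a guessable key is brute-forceable
SALT_BYTES = 16

# Compare byte strings without leaking where they first differ.
def fixed_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: key names, salted key digests and encrypted blobs only.
class FakeServer
  def initialize
    @keys  = {}   # key name => { salt:, digest: }
    @items = {}   # stored data name => { key_name:, blob: }
  end

  # Registering a key persists only a salted digest of it, never the key.
  def register_key(name, key)
    raise ArgumentError, "key must be #{KEY_BYTES} random bytes" unless key.bytesize == KEY_BYTES
    salt = SecureRandom.random_bytes(SALT_BYTES)
    @keys[name] = { salt: salt, digest: digest(salt, key) }
  end

  # True only if the presented key matches the registered digest.
  def key_valid?(name, key)
    rec = @keys[name]
    return false if rec.nil?
    fixed_time_equal?(rec[:digest], digest(rec[:salt], key))
  end

  def store(item, key_name, blob)
    @items[item] = { key_name: key_name, blob: blob }
  end

  def fetch(item)
    @items.fetch(item)
  end

  private

  def digest(salt, key)
    OpenSSL::Digest::SHA256.digest(salt + key)
  end
end

# Client side: AES-256-GCM with a fresh random nonce per encryption; the
# authentication tag makes any modification of the stored blob detectable.
module ClientCrypto
  module_function

  def encrypt(key, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    { 'iv' => b64(iv), 'ct' => b64(ct), 'tag' => b64(cipher.auth_tag) }.to_json
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or a modified blob.
  def decrypt(key, blob)
    h = JSON.parse(blob)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = unb64(h['iv'])
    cipher.auth_tag = unb64(h['tag'])
    cipher.update(unb64(h['ct'])) + cipher.final
  end

  def b64(s)
    Base64.strict_encode64(s)
  end

  def unb64(s)
    Base64.strict_decode64(s)
  end
end

# What the website or gem does when you add stored data: encrypt locally,
# upload only the ciphertext.
def store_secret(server, key_name, key, item, value)
  raise 'encryption key rejected by service' unless server.key_valid?(key_name, key)
  server.store(item, key_name, ClientCrypto.encrypt(key, value))
end

# What a lookup does: fetch the ciphertext, decrypt locally with the configured key.
def lookup_secret(server, key_name, key, item)
  rec = server.fetch(item)
  raise "#{item} is encrypted under #{rec[:key_name]}, not #{key_name}" unless rec[:key_name] == key_name
  raise 'encryption key rejected by service' unless server.key_valid?(key_name, key)
  ClientCrypto.decrypt(key, rec[:blob])
end

if $PROGRAM_NAME == __FILE__
  server = FakeServer.new
  key = SecureRandom.random_bytes(KEY_BYTES)
  server.register_key('prod-db', key)
  store_secret(server, 'prod-db', key, 'testmessage', 'postgres://app:s3cret@db/prod') # constructed sample secret
  puts lookup_secret(server, 'prod-db', key, 'testmessage')
end
```

The digest check exists only to catch a mistyped or stale key early; it is not what protects the data. What protects the data is that the key never leaves the client, which is why the key must be random: a salted digest of "hunter2" is trivially guessable.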
Using the Secured Data
Once your data is uploaded to the service, install this gem into your application and use its programmatic interface (or the command line) to download and decrypt the stored credentials so you can use them within your application.
Needed Credentials
In order to use this gem, you need two pieces of secret information besides the name of your account. The first is an API key that grants access to the API and to your online account. You can create an API key by logging in to the service.
The second is the encryption key you created above, which is used to encrypt and decrypt your stored data. If you used more than one key, you will need all of those encryption keys.
This information is stored in a configuration file on the computer that will be using the gem. Typically, the configuration file lives outside your application source repository and is readable only by users with trusted access to the application server (owner-only file permissions). You do not normally need access to this file in order to deploy or update your application, for example with tools such as Capistrano, so you never have to share the credentials or persist them in the source repository.
Given this configuration file, this gem, and a properly set up service, you can dynamically fetch all the sensitive credentials and data needed to run your application. This typically happens during your application's boot process.
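The boot-time loading described above, as an added example of the checks worth running on that configuration file (this is not the gem's own loader, and the gem's real file format is described in the service's instructions, not on this page; the YAML layout, the load_nimbus_config name and the NimbusConfigError class are assumptions made for the example). It refuses a file that other users on the host could read, a file not owned by the running user, and a file missing a required field, so a misprovisioned server fails at boot rather than at first use.

```ruby
require 'yaml'
require 'tmpdir'

# Added example, not the gem's code. Assumes a hypothetical YAML layout:
#
#   account: acme
#   api_key: "..."
#   encryption_keys:
#     prod-db: "..."

class NimbusConfigError < StandardError; end

REQUIRED_KEYS = %w[account api_key encryption_keys].freeze

# Load the secrets file, refusing anything another user on the host could
# read or that lacks a required field.
def load_nimbus_config(path)
  st = File.stat(path)
  raise NimbusConfigError, "#{path}: not a regular file" unless st.file?
  # The process reading secrets should own the file; a file owned by someone
  # else may have been planted or may be shared more widely than intended.
  raise NimbusConfigError, "#{path}: not owned by uid #{Process.euid}" unless st.uid == Process.euid
  perms = st.mode & 0o777
  if (perms & 0o077) != 0
    raise NimbusConfigError, format('%s: mode %04o allows group/other access; use 0600', path, perms)
  end

  cfg = YAML.safe_load(File.read(path)) || {}
  raise NimbusConfigError, "#{path}: top level must be a mapping" unless cfg.is_a?(Hash)
  missing = REQUIRED_KEYS - cfg.keys
  raise NimbusConfigError, "#{path}: missing #{missing.join(', ')}" unless missing.empty?
  keys = cfg['encryption_keys']
  unless keys.is_a?(Hash) && !keys.empty?
    raise NimbusConfigError, "#{path}: encryption_keys must name at least one key"
  end
  cfg
rescue Errno::ENOENT
  raise NimbusConfigError, "#{path}: not found; the file is kept out of the repository and must be provisioned on the server"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample file so the example runs stand-alone.
  dir = Dir.mktmpdir
  path = File.join(dir, 'nimbussecure.yml')
  File.write(path, "account: acme\napi_key: k123\nencryption_keys:\n  prod-db: abc\n")
  File.chmod(0o600, path)
  cfg = load_nimbus_config(path)
  puts "loaded account #{cfg['account']} with keys: #{cfg['encryption_keys'].keys.join(', ')}"
end
```

Run this once at boot, before the gem is asked to look anything up, and let the exception stop the process: a server that starts without its secrets will fail in less obvious ways later.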
Quick Setup
For a complete set of instructions on how to setup and use Nimbus Secure, please go to https://www.nimbussecure.com, login, and click on "Instructions" in the top menu bar.
Command Line
You must complete the set of instructions under 'Quick Setup' above for this to work properly.
Once ready, you can do things like this:
nimbussecure account
prints information about your account.
Assuming you have set up stored data named "testmessage" and an appropriate encryption key, the following retrieves and decrypts it:
nimbussecure lookup testmessage
The decrypted value of the stored data is written to stdout, so take care that it does not end up in shell history, CI logs or a process listing when you pipe it onward.
Using in Ruby
You must complete the set of instructions under 'Quick Setup' above for this to work properly.
Assuming you have set up stored data named "testmessage" and an appropriate encryption key, the following retrieves and decrypts it:
require 'nimbussecure'

# Downloads the encrypted value for "testmessage" and decrypts it locally
# with the encryption key from your configuration file.
stored_value = nimbussecure.lookup_value "testmessage"
puts "The decrypted stored value is: #{stored_value}"