Secrets

Store and retrieve secrets with full encryption at rest and complete version history.

Storing Secrets

# Simple secret
BrainzLab::Vault.set("stripe/api_key", "sk_live_xxx")

# With description
BrainzLab::Vault.set("stripe/api_key", "sk_live_xxx",
  description: "Stripe production API key"
)

# For specific environment
BrainzLab::Vault.set("database/password", "secret123",
  environment: :production
)

# With metadata
BrainzLab::Vault.set("aws/access_key", "AKIA...",
  metadata: {
    service: "s3",
    region: "us-east-1"
  }
)

Retrieving Secrets

# Get current value
api_key = BrainzLab::Vault.get("stripe/api_key")

# Get for specific environment
password = BrainzLab::Vault.get("database/password", environment: :production)

# Get with metadata
secret = BrainzLab::Vault.get_secret("aws/access_key")
puts secret.value
puts secret.metadata[:region]
puts secret.version

Secret Organization

Organize secrets with path-like names:

# By service
BrainzLab::Vault.set("stripe/api_key", "...")
BrainzLab::Vault.set("stripe/webhook_secret", "...")

# By component
BrainzLab::Vault.set("database/primary/password", "...")
BrainzLab::Vault.set("database/replica/password", "...")

# List by prefix
stripe_secrets = BrainzLab::Vault.list("stripe/")

Version History

Every update creates a new version:

# Get version history
versions = BrainzLab::Vault.versions("stripe/api_key")

versions.each do |v|
  puts "Version #{v.number}: created #{v.created_at} by #{v.created_by}"
end

# Get specific version
old_key = BrainzLab::Vault.get("stripe/api_key", version: 2)

# Rollback to previous version
BrainzLab::Vault.rollback("stripe/api_key", version: 2)

Secret Rotation

Rotate secrets automatically or manually:

# Manual rotation
BrainzLab::Vault.rotate("stripe/api_key", "sk_live_new_xxx")

# Schedule rotation reminder
BrainzLab::Vault.set_rotation_reminder("aws/access_key",
  interval: 90.days,
  notify: [:slack, :email]
)
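The Secret Organization, Version History and Secret Rotation sections above describe the behaviour of the API without showing how an append-only, encrypted, versioned store behaves end to end. The following is an added example written for this page, not BrainzLab::Vault's own code: an in-memory stand-in (`ToyVault`) whose method names mirror the calls above. It encrypts every value at rest with AES-256-GCM under a per-instance master key, binds each ciphertext to its path via the GCM associated data, appends a new version on every `set`, records a `rollback` as a fresh version (an assumption; the page does not say how the real rollback is represented), lists by prefix, and adds an `overdue_for_rotation` check that stands in for the rotation reminder using plain seconds instead of `90.days`. The `clock` argument and the path validation rules are also assumptions of this example.

```ruby
require "openssl"
require "securerandom"

# Added example: in-memory, versioned secret store with AES-256-GCM at rest.
# Not BrainzLab::Vault's implementation; internals are assumptions.
class ToyVault
  Version = Struct.new(:number, :ciphertext, :iv, :tag, :created_at, :created_by, :description,
                       keyword_init: true)

  # clock is injectable so callers (and tests) can control created_at.
  def initialize(master_key: SecureRandom.random_bytes(32), clock: -> { Time.now.utc })
    raise ArgumentError, "master key must be 32 bytes" unless master_key.bytesize == 32
    @master_key = master_key
    @clock = clock
    @store = Hash.new { |h, k| h[k] = [] } # path => [Version, ...], append-only
  end

  # Every set appends a new version; earlier versions are never overwritten.
  def set(path, value, created_by: "system", description: nil)
    path = normalize(path)
    raise ArgumentError, "value must be a non-empty String" unless value.is_a?(String) && !value.empty?
    iv = SecureRandom.random_bytes(12)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @master_key
    cipher.iv = iv
    cipher.auth_data = path # a ciphertext copied to another path will fail to decrypt
    ciphertext = cipher.update(value) + cipher.final
    versions = @store[path]
    versions << Version.new(number: versions.size + 1, ciphertext: ciphertext, iv: iv,
                            tag: cipher.auth_tag, created_at: @clock.call,
                            created_by: created_by, description: description)
    versions.last.number
  end

  # Current value, or the value of a specific version number.
  def get(path, version: nil)
    path = normalize(path)
    versions = @store.fetch(path) { raise KeyError, "no secret at #{path}" }
    v = version ? versions.find { |x| x.number == version } : versions.last
    raise KeyError, "no version #{version} for #{path}" unless v
    decrypt(path, v)
  end

  # History without exposing values: number, timestamp, author.
  def versions(path)
    @store.fetch(normalize(path), []).map do |v|
      { number: v.number, created_at: v.created_at, created_by: v.created_by }
    end
  end

  # Rollback is recorded as a new version so the audit trail stays append-only.
  def rollback(path, version:, created_by: "system")
    set(path, get(path, version: version), created_by: created_by, description: "rollback to v#{version}")
  end

  def list(prefix)
    prefix = normalize(prefix, allow_trailing_slash: true)
    @store.keys.select { |k| k.start_with?(prefix) }.sort
  end

  # Rotation hygiene: paths whose newest version is older than max_age seconds.
  def overdue_for_rotation(max_age:)
    now = @clock.call
    @store.select { |_, vs| now - vs.last.created_at > max_age }.keys.sort
  end

  private

  # Reject paths that could escape or alias a namespace ("..", "//", leading "/").
  def normalize(path, allow_trailing_slash: false)
    raise ArgumentError, "path must be a String" unless path.is_a?(String)
    bad = path.empty? || path.start_with?("/") || path.include?("..") || path.include?("//")
    raise ArgumentError, "invalid path #{path.inspect}" if bad
    raise ArgumentError, "path must not end with '/'" if !allow_trailing_slash && path.end_with?("/")
    path
  end

  def decrypt(path, v)
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = @master_key
    d.iv = v.iv
    d.auth_tag = v.tag
    d.auth_data = path
    d.update(v.ciphertext) + d.final # raises CipherError if tag or path mismatch
  end
end

if __FILE__ == $PROGRAM_NAME
  vault = ToyVault.new
  vault.set("stripe/api_key", "sk_live_constructed_1", created_by: "alice")
  vault.set("stripe/api_key", "sk_live_constructed_2", created_by: "bob")
  vault.versions("stripe/api_key").each do |v|
    puts "Version #{v[:number]}: created #{v[:created_at]} by #{v[:created_by]}"
  end
  vault.rollback("stripe/api_key", version: 1)
  puts vault.list("stripe/").inspect
end
```

Because the associated data is the path, a ciphertext blob lifted from one key and written under another fails authentication instead of silently decrypting, and because `rollback` appends rather than rewrites, the history answers "who restored what, when" as well as "what was the value".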

Bulk Operations

# Import multiple secrets
BrainzLab::Vault.import({
  "stripe/api_key" => "sk_live_xxx",
  "stripe/webhook_secret" => "whsec_xxx",
  "aws/access_key" => "AKIA..."
})

# Export (for backup/migration)
secrets = BrainzLab::Vault.export(prefix: "stripe/")

Delete Secrets

# Soft delete (recoverable)
BrainzLab::Vault.delete("old/secret")

# Recover deleted secret
BrainzLab::Vault.recover("old/secret")

# Permanent delete (after soft delete)
BrainzLab::Vault.destroy("old/secret")

Environment Variables

Inject secrets as environment variables:

# In your app configuration
BrainzLab::Vault.inject_env([
  { secret: "database/password", env: "DATABASE_PASSWORD" },
  { secret: "stripe/api_key", env: "STRIPE_API_KEY" }
])

# Now accessible as ENV vars
puts ENV["DATABASE_PASSWORD"]
puts ENV["STRIPE_API_KEY"]
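`inject_env` above sets process-wide environment variables, which every child process the app later spawns will inherit. The following is an added example, not BrainzLab's code: a helper that injects secrets only for the duration of a block, validates the variable names, refuses to overwrite a variable that is already set unless told to, and restores the previous environment afterwards. It reads values from a constructed hash (`CONSTRUCTED_SECRETS`) standing in for `BrainzLab::Vault.get`; that hash, the `fetch` lambda and the `overwrite:` option are assumptions of this example.

```ruby
# Added example: scoped injection of secrets into ENV, with restore-on-exit.
# Not BrainzLab's code. CONSTRUCTED_SECRETS stands in for a vault lookup.
CONSTRUCTED_SECRETS = {
  "database/password" => "constructed-db-pass",
  "stripe/api_key"    => "sk_test_constructed"
}.freeze

# POSIX-portable variable names only; anything else could be misread by shells or tools.
ENV_NAME = /\A[A-Z_][A-Z0-9_]*\z/.freeze

# mappings: [{ secret: "vault/path", env: "VAR_NAME" }, ...] as in the docs.
# Yields with the variables set, then restores their prior state, even on error.
def with_secrets_in_env(mappings, overwrite: false,
                        fetch: ->(path) { CONSTRUCTED_SECRETS.fetch(path) })
  saved = {} # name => previous value (nil when the variable was unset)
  begin
    mappings.each do |m|
      name = m.fetch(:env)
      raise ArgumentError, "bad env var name #{name.inspect}" unless name.match?(ENV_NAME)
      if ENV.key?(name) && !overwrite
        raise ArgumentError, "#{name} already set; pass overwrite: true to replace it"
      end
      saved[name] = ENV[name]
      ENV[name] = fetch.call(m.fetch(:secret))
    end
    yield
  ensure
    # Undo in reverse so a partially applied mapping is also cleaned up.
    saved.to_a.reverse_each do |name, old|
      if old.nil?
        ENV.delete(name)
      else
        ENV[name] = old
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  with_secrets_in_env([{ secret: "database/password", env: "DATABASE_PASSWORD" }]) do
    puts "inside block: #{ENV['DATABASE_PASSWORD']}"
  end
  puts "after block: #{ENV['DATABASE_PASSWORD'].inspect}"
end
```

Use the block form around the code path that actually needs the variable (a migration, a one-off CLI call), so the secret is not present in the environment of unrelated subprocesses started later in the process lifetime.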

Rails Credentials Alternative

Use Vault instead of Rails credentials:

# config/initializers/vault.rb
Rails.application.configure do
  config.stripe_api_key = BrainzLab::Vault.get("stripe/api_key")
  config.database_password = BrainzLab::Vault.get("database/password")
end