This is Cloak Swift - a CLI tool to encrypt secrets and then pass them in an obfuscated form into Swift applications.
Features • Install • Usage • Contributing
Set up secrets locally outside of the Git repository to avoid them being embedded into the code.
Create encryption key and encrypt secrets ready for use.
Generate a Swift file to access the secrets from your app's code.
The generated Swift uses obfuscation of the values rather than as raw strings.
Cloak Swift can be installed using Mise or ASDF either globally or with a project-specific version.
Note: Currently, the plugin URL needs to be specified. The plugin will be added to the registry soon so that this is no longer required.
Mise .mise.toml
[tools]
cloak-swift = "0.4.0"
[plugins]
cloak-swift = "https://github.com/lordcodes/asdf-cloak-swift"
Cloak Swift can be easily installed globally using Swift Package Manager.
git clone https://github.com/lordcodes/cloak-swift
cd cloak-swift
make install
This will install cloakswift into /usr/local/bin
. If you get a permission error it may be that you don't have permission to write there in which case you just need to adjust permissions using sudo chown -R $(whoami) /usr/local/bin
.
You can uninstall it again using make uninstall
which simply deletes it from /usr/local/bin
.
You can install Cloak Swift on MacOS using Mint as follows:
mint install lordcodes/cloak-swift
To install Cloak Swift for use in your own Swift code, add it is a Swift Package Manager dependency within your Package.swift
file. For help in doing this, please check out the Swift Package Manager documentation.
.package(url: "https://github.com/lordcodes/cloak-swift", exact: "0.4.0")
Create a configuration file within your project: .cloak/config
, this file should be kept in Git and shared between contributors. Enter key-value pairs into the file EnvironmentKey.
- CLOAK_SECRETS_CLASS_NAME -> Name to give the generated Swift enum that contains the secrets in-app.
- CLOAK_SECRETS_OUTPUT_FILEPATH -> File path to put the generated Swift file.
- CLOAK_SECRETS_ACCESS_LEVEL -> Swift access level to give to the enum and each secret static property. E.g. public.
Each of these settings can be provided as an environment variable instead of listed in the configuration file. The config file will take precedance.
For example:
CLOAK_SECRETS_CLASS_NAME=AppSecrets
CLOAK_SECRETS_OUTPUT_FILEPATH=Sources/Generated/AppSecrets.swift
CLOAK_SECRETS_ACCESS_LEVEL=public
You can list the required secret keys for your project in a .cloak/secret-keys
file, which can be kept in Git. This ensures each contributor has provided all required secrets locally. Secret keys should be listed one on each line.
For example:
ANALYTICS_WRITE_KEY
API_CLIENT_ID
API_CLIENT_SECRET
Each contributor on a project will need to create a file at .cloak/secrets
that uses the same format as the config
file but that lists secret key names and values. This file should be added to your project's .gitignore
to keep them out of Git.
You should also add your encryption key to this file using the key name CLOAK_ENCRYPTION_KEY
. This will allow the encrypt/decrypt commands to function and will also allow it to be included into the generated Swift file so that your app can decrypt the secrets at runtime in order to use them.
If the secret keys are specified in the required keys file secret-keys
, then they will be read as environment variables as well, where the environment variables take precendence. This is useful in a CI environment where you can specify them as environment variables and avoid having to write them to a file as you would locally.
The best practice is that the values should be encrypted first.
Run Cloak's tasks via a CLI. The tool will check paths relative to the working directory for the .cloak
directory configured above.
USAGE: cloakswift <subcommand> [-q|--quiet]
SUBCOMMANDS:
createkey Create encryption key.
decrypt Decrypt a value encrypted using cloak.
encrypt Encrypt a value.
generate Read in secrets, obfuscate them and then generate a Swift file to access them within an app.
version Print version.
OPTIONS:
-q, --quiet Silence any output except errors
You can obtain help using cloakswift --help
and also obtain help for each subcommand using cloakswift <subcommand> --help
.
Generates an encryption key, that can then be used within your project to encrypt secrets. This key is then passed into your app so that you can decrypt them at runtime.
cloakswift createkey
Provide a value and the encrypted version will be returned. Your encryption key should be provided as described above.
cloakswift encrypt <value>
Provide an encrypted value and the decrypted version will be returned. Your encryption key should be provided as described above.
cloakswift decrypt <encrypted>
Generate a Swift file that can be used to access your secrets within your app at runtime. Certain aspects of the generated file can be customised using the config
file as described above. The secrets will be obfuscated and included as [UInt8]
, but with Swift properties to return them as String
in their usable form.
cloakswift generate
To use Cloak Swift within your own Swift code, import and use the public API of CloakKit
.
import CloakKit
// Configure printing
Cloak.shared.printer = ConsolePrinter(quiet: false)
EncryptionService().createKey()
If you notice any bugs or have a new feature to suggest, please check out the contributing guide. If you want to make changes, please make sure to discuss anything big before putting in the effort of creating the PR.
To reach out, please contact @lordcodes on Twitter.