Skip to content

teyckmans/gradle-tink

BranchesTags

Repository files navigation

Gradle-Tink

GitHub tag (latest SemVer) teyckmans

What

Gradle plugin with tasks to perform encrypt/decrypt operations using the Google Tink library.

The Gradle-Tink project has two modules:

  • Gradle plugin providing basic tasks that can be used as is.
  • Core module for embedding in other plugins.

Why

Make it easy to securely work with sensitive information. Either by using this plugin directly or using the core module to create plugins that deal with sensitive information correctly. All too often this is overlooked which makes using plugins in a security sensitive environment harder than it needs to be.

How-to

In your build.gradle.kts file apply the plugin to get started.

plugins {
    id("dev.rigel.gradle.tink") version "0.1.1" // TODO use latest version
}

repositories {
    jcenter()
}

Available tasks

Short overview:

  • createKeyset: Create a new Google Tink keyset, needed to perform encrypt/decrypt operations.
  • encryptFile: Encrypt a complete file.
  • decryptFile: Decrypt a complete file.
  • encryptString: Encrypt a string.
  • decryptString: Decrypt a string.
  • encryptProperty: Encrypt a property value in a properties file.
  • decryptProperty: Decrypt a property value in a properties file.

With the following command you can list the task this plugin makes available.

$ ./gradlew tasks --group tink

Using the following command you can check what options a specific task has.

In the example bellow we

$ ./gradlew help --task createKeyset

The command output shows what options are available and shows the description.

> Task :help
Detailed task information for createKeyset

Path
     :createKeyset

Type
     CreateKeySetTask (dev.rigel.gradle.tink.tasks.CreateKeySetTask)

Options
     --keyStorageFormat     Options are json or binary (default: json)

     --keyTemplate     Keyset template name (default: AES256_CTR_HMAC_SHA256)

     --keysetFile     Filename to store the generation keyset to.

Description
     -

Group
     tink

BUILD SUCCESSFUL in 581ms
1 actionable task: 1 executed

Plugin Configuration

If you know Tink and the KeyTemplate that you are using is not known by the plugin you need to create an implementation of dev.rigel.gradle.tink.core.TinkKeyTemplate.

Register it in your build.gradle.kts file like this:

tink {
    register(MyCustomTinkKeyTemplate())
}

Now you can use it by providing the --keyTemplate option on the plugin tasks.

Embedding

The plugin delegates all tasks to the dev.rigel.gradle.tink.core.KeysetSupport class which has all the utility methods to perform encrypt/decrypt operations.

The specifics of how to perform the operations with the Google Tink library can be found in implementation of dev.rigel.gradle.tink.core.TinkKeyTemplate. A TinkKeyTemplate gives a name to a specific KeyTemplate in Tink.

You can use your own TinkKeyTemplate(s) by registering them using dev.rigel.gradle.tink.core.TinkKeyTemplates.register.

dependencies {
    implementation("dev.rigel.gradle.tink:core:0.1.1")
}

About

Gradle plugin that provides encryption support for secrets using https://github.com/google/tink.

Topics

kotlin java security cryptography crypto gradle tink

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages