Sekret
Sekret copied to clipboard
DatL4g
🔒 Deeply hide secrets with Kotlin Multiplatform
Sekret
The Sekret plugin allows any Kotlin developer to deeply hide secrets in your project. This prevents credentials harvesting to a certain level.
The following obfuscation techniques are used:
- The secret is obfuscated using a reversible XOR operation, so it never appears as plain text
- Obfuscated secret is stored in a native binary as a hexadecimal array, so it's hard to decompile
- This is not the case for javascript modules
- The obfuscated string is not persisted in the binary to force runtime evaluation
This plugin is a more flexible and Kotlin Multiplatform compatible version of klaxit/hidden-secrets-gradle-plugin
⚠️ Nothing on the client-side is unbreakable. So generally speaking, keeping a secret in application package is not a smart idea. But when you absolutely need to, this is the best method to hide it.
This plugin can be used with any Kotlin project (single-, or multiplatform).
Install
This project is available through mavenCentral.
Gradle Plugin
⚠️ Make sure to apply the plugin to the desired project/module only!
plugins {
id("dev.datlag.sekret") version "1.0.0"
}
Plugin configuration
You can call the following after applying the plugin in your build.gradle.kts
sekret {
packageName.set("your.package.name")
encryptionKey.set("yourUniqueEncryption") // default is the specified packageName
// more configuration...
}
Setup
The plugin will generate a separate module, since it needs to compile for native targets even if you just use Android or JVM for example.
Add generated sekret module
Therefore, you need to include the generated sekret module in your settings.gradle.kts.
⚠️ Make sure to exclude this module by adding it to your .gitignore
include(":sample", ":sample:sekret")
Add secrets
Create a sekret.properties file in the project/module where you applied the plugin and simply add key-value pairs.
YOUR_KEY_NAME=yourSuperSecretSecret
OTHER_SECRET=th1s1s4n0th3rS3cr3t
You can change the name and location by changing the sekret configuration:
sekret {
propertiesFile.set(project.layout.projectDirectory.file("my-secrets.properties"))
}
⚠️ Make sure to exclude this file by adding it to your .gitignore
Generate secrets
To generate source code for your provided secrets, just call ./gradlew generateSekret.
Customize targets
You can change the generated build.gradle.kts depending on your needs, just make sure to apply the required native targets:
- For Android:
androidNativeX - For JVM:
linuxX,mingwXandmacOsX, depending on your output platform.
If you misconfigured your build script or added new targets to your base module, you can run ./gradlew sample:generateSekretBuildScript.
Compose
Make sure to configure the compose application correctly, take a look at the sample project.
- If you use Android or JVM target you have to call
./gradlew createAndCopySekretNativeLibrary. - If you use any JS target you can just use the generated
Sekretclass as is.
Load secrets in code
val binaryLoded = NativeLoader.loadLibrary("sekret", System.getProperty("compose.application.resources.dir")?.let { File(it) })
if (binaryLoded) {
val yourKeyName = Sekret().yourKeyName("your-encryption-key")
val otherSecret = Sekret().otherSecret("your-encryption-key")
}
Support the project
This is a non-profit project!
Sponsoring to this project means sponsoring to all my projects! So the further text is not to be attributed to this project, but to all my apps and libraries.
Supporting this project helps to keep it up-to-date. You can donate if you want or contribute to the project as well. This shows that the library is used by people, and it's worth to maintain.
DatL4g