Using Keyring in the RStudio IDE

Keyring is a platform-independent API for accessing the operating system's credential store. From version 1.2 of the RStudio IDE, you can use keyring to store secrets using the .rs.askForSecret() R function.

Keyring currently supports the following backends:

OS | Keyring Backend | Dependencies
macOS | Keychain | None
Windows | Credential Store | None
Linux desktop | Secret Service API | libsecret
Linux servers | File based (encrypted at rest) | libsodium

In addition to these defaults, environment variables are supported on all platforms. Other storage backends can also be added.

Desktop Installation

OS X and Windows do not require additional software.

For Linux desktops, install the libsecret library, version 0.16 or later.

  • Debian/Ubuntu: libsecret-1-dev
  • Recent RedHat, Fedora and CentOS systems: libsecret-devel

Server Installation

For Linux servers, install the libsodium library.

  • Debian/Ubuntu: libsodium-dev
  • Fedora, EPEL: libsodium-devel

libsecret requires an X11 interface (e.g. Gnome), so the Secret Service backend will not work with RStudio Server Open Source or RStudio Workbench (previously RStudio Server Pro). Instead, install libsodium and use the file backend by setting the keyring_backend option to file. The file backend stores encrypted secrets on disk under home/.config/r-keyring/system.keyring. Setup requires that the system keyring and its password be initialized manually:

  options("keyring_backend" = "file") # add this to .Rprofile
  keyring::keyring_create("system")

Using Keyring

Keyring can be used to store secrets in RStudio using the rstudioapi::askForSecret() function. This is useful and recommended when storing sensitive information such as connection passwords and connection strings.

One can retrieve and store a secret with:

secret <- rstudioapi::askForSecret("Test")

If the keyring package is not installed, the checkbox will be disabled. Keyring can be installed manually using install.packages("keyring") or by clicking the keyring hyperlink in the dialog and following the installation prompt.

If the user checks the "Remember using keyring?" checkbox, then subsequent calls to:

secret <- rstudioapi::askForSecret("Test")

will remember the previous value and also retrieve the secret contents.

To remove a previously stored value, one can uncheck the "Remember using keyring?" checkbox.

Please be aware that while using Keyring to store secrets is secure, once a secret is retrieved from Keyring, it is no longer protected. Therefore, avoid printing, logging or saving a retrieved secret; instead, consider passing the unencrypted secret directly to the functions that need access to it. For instance, when connecting to a database, request the secret from Keyring directly in the connection function:

DBI::dbConnect(odbc::odbc(), password = rstudioapi::askForSecret("password"))
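
The same guidance applied to the file backend from the Server Installation section, as an added example that is not RStudio's own code: a hypothetical helper, with_secret(), unlocks the "system" keyring, passes the secret straight to the function that needs it, and locks the keyring again. The service name "warehouse-db" and the DSN "warehouse" are constructed placeholders; the keyring, DBI and odbc packages and libsodium are assumed to be installed.

```r
# Added example (not from the original article).
# Select the file backend, as on a Linux server without a desktop session.
options(keyring_backend = "file")

# Hypothetical helper: hand a stored secret to `fn` without binding it to a
# variable in the caller's environment, then lock the keyring again.
with_secret <- function(service, fn, keyring = "system") {
  # Create the keyring on first use (prompts for a new keyring password).
  if (!keyring %in% keyring::keyring_list()$keyring) {
    keyring::keyring_create(keyring)
  }

  # Unlock only if needed (prompts for the keyring password).
  if (keyring::keyring_is_locked(keyring)) {
    keyring::keyring_unlock(keyring)
  }

  # Lock again when this function exits, including on error.
  on.exit(keyring::keyring_lock(keyring), add = TRUE)

  # Store the secret on first use via an interactive prompt.
  if (!service %in% keyring::key_list(keyring = keyring)$service) {
    keyring::key_set(service, keyring = keyring)
  }

  # The secret exists only as the argument of `fn`; it is never printed,
  # logged or assigned in the global environment.
  fn(keyring::key_get(service, keyring = keyring))
}

# Constructed usage: "warehouse-db" and "warehouse" are placeholders.
con <- with_secret("warehouse-db", function(pw) {
  DBI::dbConnect(odbc::odbc(), dsn = "warehouse", password = pw)
})
```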

Comments

  • Javier Luraschi

    Correct, while using Keyring to store secrets is secure, once the secret is extracted from Keyring you need to handle the secret carefully. I've added a note in the footer of this article to give some guidance on what not to do once a secret is extracted from Keyring.