Learn R Programming

keyring

keyring provides a way to securely manage secrets using your operating system’s credential store. Once a secret is defined, it persists in a “keyring” across multiple R sessions. keyring is an alternative to using environment variables that’s a bit more secure because your secret is never stored in plain text, meaning that you can for instance never accidentally upload it to GitHub. For more security, you can also store secrets in a custom keyring that always requires a password to unlock.

keyring currently supports:

  • The macOS Keychain (backend_macos).
  • The Windows Credential Store (backend_wincred).
  • The Linux Secret Service API (backend_secret_service).

It also provides two backends that are available on all platforms:

  • Encrypted files (backend_file)
  • Environment variables (backend_env).

Installation

Install the package from CRAN:

# install.packages("pak")
pak::pak("keyring")

We recommend using pak to install keyring as it will ensure that Linux system requirements are automatically installed (for instance Ubuntu requires libsecret-1-dev, libssl-dev, and libsodium-dev).

To install the development version from GitHub, use:

pak::pak("r-lib/keyring")

Usage

The simplest usage only requires key_set() and key_get():

# Interactively save a secret. This avoids typing the value of the secret
# into the console as this could be recorded in your `.Rhistory`
key_set("secret-name")

# Later retrieve that secret
key_get("secret-name")

Each secret is associated with a keyring. By default, keyring will use the OS keyring (see default_backend() for details), which is automatically unlocked when you log into your computer account. That means while the secret is stored securely, it can be accessed by other processes.

If you want greater security you can create a custom keyring that you manually lock and unlock. That will require you to enter a custom password every time you want to access your secret.

keyring_create("mypackage")
key_set("secret-name", keyring = "mypackage")
key_get("secret-name", keyring = "mypackage")

Accessing the key unlocks the keyring, so if you’re being really careful, you might want to lock it after you’ve retrieved the value with keyring_lock().

GitHub

When you use keyring on GitHub, it will fall back to the environment variable backend. That means if you want to use key_get("mysecret") you need to do two things:

  • Add a new action secret to your repository.

  • Make the secret available in your workflow .yml, for instance

        env:
      GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
      R_KEEP_PKG_SOURCE: yes
      MY_SECRET: ${{ secrets.my_secret }}

The envvar backend doesn’t support custom keyrings, so if you’re using one locally you’ll need to use the default keyring on GitHub.

Development documentation

Please see our writeup of some keyring internals, and as always, use the source code.

Copy Link

Version

Install

install.packages('keyring')

Monthly Downloads

51,935

Version

1.3.2

License

MIT + file LICENSE

Issues

15

Pull Requests

2

Stars

199

Forks

30

Maintainer

Gabor Csardi

Last Published

December 11th, 2023

Functions in keyring (1.3.2)

backend_file

Encrypted file keyring backend
backend_macos

macOS Keychain keyring backend
backend_secret_service

Linux Secret Service keyring backend
backend_env

Environment variable keyring backend
backend

Abstract class of a minimal keyring backend
b_wincred_get

Get a key from a Wincred keyring
b_wincred_decode_auto

Decode a raw password obtained by b_wincred_get_raw (UTF-8 and UTF-16LE only)
backend_keyrings

Abstract class of a backend that supports multiple keyrings
has_keyring_support

Operations on keyrings
backend_wincred

Windows Credential Store keyring backend
backends

Select the default backend and default keyring
key_get

Operations on keys
b_wincred_decode

Decode a raw password obtained by b_wincred_get_raw
b_wincred_set_with_raw_value

Set a key on a Wincred keyring
keyring-package

keyring: Access the System Credential Store from R