rskey is a command-line tool and Go library that generates secret keys and encrypts sensitive configuration values in formats that are fully compatible with Posit Connect, Package Manager, and Workbench. It exists to solve a common bootstrapping problem: you need to provision keys and encrypt secrets before installing any Posit product, and the built-in key management commands those products provide are not available until after installation. rskey closes that gap, making it practical to manage secrets as part of Infrastructure-as-Code pipelines and containerized deployments without requiring a full product installation — or any license key.
Supported products and encryption schemes
rskey supports all three Posit server products, each using a distinct encryption scheme:

| Product | Default algorithm | FIPS alternative |
|---|---|---|
| Posit Connect | NaCl Secretbox | AES-256-GCM (--mode=fips) |
| Posit Package Manager | NaCl Secretbox | AES-256-GCM (--mode=fips) |
| Posit Workbench | AES-128-CBC | — |
openssl rand -hex 512. Workbench keys are 32 or more opaque bytes, most often generated by the uuid command. rskey accepts both formats for Workbench operations.
How rskey fits into your workflow
Normally, you would generate a key and encrypt secrets using a command that ships with each Posit product. Those commands require the product to be installed, and in many automated environments (Terraform modules, Ansible playbooks, Docker images, Kubernetes init containers) the product is not present at provisioning time. rskey lets you move key generation and secret encryption into a pre-installation step:

- Generate a key file and store it in your secrets manager or Kubernetes Secret.
- Encrypt configuration values (database passwords, API tokens) using that key.
- Write the encrypted values into your product’s configuration file via a template.
- When the product starts, it reads the key file and decrypts the configuration values automatically — no changes to the product configuration are needed.
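
The pre-installation steps above as a shell script. This is an added example, not code from the rskey project: it assumes `rskey generate` writes the key to standard output and `rskey encrypt -f KEYFILE` reads plaintext from standard input (confirm both with `rskey --help`), and the function names, the `DB_PASSWORD` variable and the `@DB_PASSWORD@` placeholder are hypothetical.

```shell
#!/bin/sh
# Added example: pre-installation secret provisioning with rskey.
# Assumed CLI behaviour (confirm with `rskey --help`): `generate` prints the key
# on stdout; `encrypt -f KEYFILE` reads plaintext from stdin, prints ciphertext.

# Create the key file with owner-only permissions; never replace an existing key.
generate_key() {  # $1 = key file, $2 = optional mode (e.g. fips)
    if [ -e "$1" ]; then echo "refusing to overwrite $1" >&2; return 1; fi
    ( umask 077; rskey generate ${2:+"--mode=$2"} > "$1" ) || { rm -f "$1"; return 1; }
}

# Encrypt one value; the plaintext travels over stdin so it never appears in argv.
encrypt_value() {  # $1 = key file, $2 = plaintext, $3 = optional mode
    printf '%s\n' "$2" | rskey encrypt -f "$1" ${3:+"--mode=$3"}
}

# Substitute a literal placeholder (no regex or sed delimiters involved, so the
# ciphertext is copied verbatim whatever characters it contains).
render_config() {  # $1 = template, $2 = placeholder, $3 = ciphertext, $4 = output
    PH="$2" CT="$3" awk '{
        out = ""; s = $0
        while ((i = index(s, ENVIRON["PH"])) > 0) {
            out = out substr(s, 1, i - 1) ENVIRON["CT"]
            s = substr(s, i + length(ENVIRON["PH"]))
        }
        print out s
    }' "$1" > "$4"
}

# Template line (constructed sample):  Password = @DB_PASSWORD@
provision() {  # $1 = key file, $2 = template, $3 = output config, $4 = optional mode
    : "${DB_PASSWORD:?DB_PASSWORD must be set by the pipeline secret store}"
    generate_key "$1" "$4" || return 1
    ct=$(encrypt_value "$1" "$DB_PASSWORD" "$4") || return 1
    [ -n "$ct" ] || { echo "rskey returned no ciphertext" >&2; return 1; }
    render_config "$2" '@DB_PASSWORD@' "$ct" "$3" || return 1
    # Fail closed if the plaintext or an unfilled placeholder reached the output.
    if grep -qF -e "$DB_PASSWORD" -e '@DB_PASSWORD@' "$3"; then
        rm -f "$3"; echo "plaintext or placeholder left in $3" >&2; return 1
    fi
}

if [ "$#" -ge 3 ]; then provision "$@"; fi
```
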
Drop-in replacements
rskey is a direct replacement for the following commands in each Posit product:

- Posit Connect — rscadmin configure --encrypt-config-value
- Posit Package Manager — rspm encrypt
- Posit Workbench — rstudio-server encrypt-password
Key features
CLI commands
Four commands cover the full key lifecycle: generate, encrypt, decrypt, and fingerprint. Each command accepts a key file path and optional mode flag.

Go packages
The bundled crypt and workbench packages expose the same key generation and encryption logic as Go APIs, so you can embed rskey behavior directly in your Go programs.

FIPS mode
Pass --mode=fips to use AES-256-GCM, an Approved Security Function under FIPS 140-3. Supported by Connect 2022.03.0+ and Package Manager 2024.04.0+.

Workbench support
Pass --mode=workbench to use AES-128-CBC encryption with Workbench key files in either the rskey or UUID format.

This is not a general-purpose encryption tool. rskey produces output in formats designed specifically for Posit Connect, Package Manager, and Workbench. Encrypted values are not intended for use outside those products, and the key files rskey generates are not suitable for general-purpose symmetric encryption workflows. Use a general-purpose tool such as age or GPG for any other encryption needs.