{"id":18610576,"url":"https://github.com/ixnode/php-vault","last_synced_at":"2025-04-10T22:32:20.722Z","repository":{"id":45150956,"uuid":"357201253","full_name":"ixnode/php-vault","owner":"ixnode","description":"PHPVault allows a secure deployment process with .env files.","archived":false,"fork":false,"pushed_at":"2022-01-04T23:17:19.000Z","size":490,"stargazers_count":3,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-25T05:51:15.209Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ixnode.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null},"funding":{"ko_fi":"bjoernhempel"}},"created_at":"2021-04-12T13:19:20.000Z","updated_at":"2024-07-03T15:40:40.000Z","dependencies_parsed_at":"2022-09-13T19:51:38.312Z","dependency_job_id":null,"html_url":"https://github.com/ixnode/php-vault","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixnode%2Fphp-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixnode%2Fphp-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixnode%2Fphp-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixnode%2Fphp-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ixnode","download_url":"https://codeload.github.com/ixnode/php-vault/tar.gz/refs/heads/master","host":{"name":"GitHub",
"url":"https://github.com","kind":"github","repositories_count":248310105,"owners_count":21082348,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T03:11:07.008Z","updated_at":"2025-04-10T22:32:15.710Z","avatar_url":"https://github.com/ixnode.png","language":"PHP","funding_links":["https://ko-fi.com/bjoernhempel"],"categories":[],"sub_categories":[],"readme":"# PHPVault\n\n[![CI workflow](https://github.com/ixnode/php-vault/actions/workflows/ci-workflow.yml/badge.svg?branch=master)](https://github.com/ixnode/php-vault/actions/workflows/ci-workflow.yml)\n[![PHP](https://img.shields.io/badge/PHP-7.4%20%26%208.0-777bb3.svg?logo=php\u0026logoColor=white\u0026labelColor=555555\u0026style=flat)](https://www.php.net/supported-versions.php)\n[![PHPStan](https://img.shields.io/badge/PHPStan-Level%208-brightgreen.svg?style=flat)](https://phpstan.org/user-guide/rule-levels)\n[![LICENSE](https://img.shields.io/badge/License-MIT-428f7e.svg?logo=open%20source%20initiative\u0026logoColor=white\u0026labelColor=555555\u0026style=flat)](https://github.com/ixnode/php-vault/blob/master/LICENSE)\n\nPHPVault is a PHP library that can create, read, encrypt and decrypt environment files (so-called dotenv files). For\nexample, `.env` is a plain file, `.env.enc` an encrypted file, etc. Within your project you can automatically load these\nencrypted environment variables from `.env.enc` into `getenv()`, `$_ENV` and `$_SERVER`. 
The corresponding key-value\npairs within these dotenv files are encrypted and decrypted using an asymmetric encryption method\n([Public-key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)). Private keys are only available\non production systems for decrypting dotenv values. The public key, on the other hand, can be safely checked into\nthe repository and is used everywhere to encrypt new values.\n\nThe strict separation of configuration and code is a fundamental principle of software development and is based on the\n[Twelve-Factor App](https://www.12factor.net/config) methodology. One way to do this is to store this data in\nseparate configuration files such as the dotenv files mentioned above. These are mostly unencrypted, but usually\ncontain very *sensitive* data such as database access and API keys. They must therefore never be checked into the code\nrepository! Since these are usually files within the project, there is still a risk that this could happen by mistake.\n\nThe PHPVault approach preserves the principle of separation and goes one step further: It encrypts plain dotenv\nfiles and allows them to be checked into the code repository. To decrypt and use the data on a production system,\nsimply exchange the private key. This approach is great for providing secure and automated deployment processes\n([CI/CD](https://en.wikipedia.org/wiki/CI/CD), etc.).\n\nTo start, simply run:\n\n```bash\n$ composer require ixnode/php-vault\n```\n\nThis requires [Composer](https://getcomposer.org/), a dependency manager for PHP.\n\n## Command line command `vendor/bin/php-vault`\n\nThe basis of all operations is the command line tool `vendor/bin/php-vault`. Help can be displayed at any time:\n\n```bash\n$ vendor/bin/php-vault --help\nPHPVault command line interpreter.\nPHPVault, version v1.0.7\n\nCommands:\n  decrypt-file  df    Decrypts a given file. 
Requires a private key.\n  display       d     Displays the environment variables from given file.\n  display-env   de    Displays the environment variables from server.\n  encrypt-file  ef    Encrypts a given file. Requires a public key.\n  generate-keys gk    Generates and displays a private and public key.\n  info          i     Shows information.\n  set           s     Sets or updates a new variable. Needs a public key.\n\nRun `\u003ccommand\u003e --help` for specific help\n```\n\n```bash\n$ vendor/bin/php-vault --version\nv1.0.7\n```\n\n## On development system\n\nUsually, you need the *public* key in this environment. Examples can be found below. There are several\n[ways](docs/ENVIRONMENT.md) to pass the public key to the `php-vault` interpreter. In the following,\nthe key is loaded from the `.keys` directory (`--public-key`).\n\n### Generate keys\n\n```bash\n$ vendor/bin/php-vault generate-keys --persist\n\nThe key pair is written to folder \".keys\"\n\nNever add the private key to the repository!\n```\n\n* **Attention!**:\n\t* Keep the private key safe for the production systems (`.keys/private.key`).\n\t    * Delete the private key file `.keys/private.key` if you have saved it and submitted it to the admin for the production system.\n\t* Use the public key on development and local systems (`.keys/public.key`).\n\n### Create environment file\n\n* Add key-value pair `DB_USER=secret.user` with description `\"DB Configs\"`\n* Add key-value pair `DB_PASS=secret.pass`\n* Add key-value pair `DB_HOST=secret.host`\n* Add key-value pair `DB_NAME=secret.name`\n* Use public key (`--public-key` → read from `.keys/public.key`).\n\n```bash\n# Create file .env.enc\n$ vendor/bin/php-vault set .env.enc DB_USER secret.user \"DB Configs\" --public-key --create\n# Adds values to .env.enc\n$ vendor/bin/php-vault set .env.enc DB_PASS secret.pass --public-key\n$ vendor/bin/php-vault set .env.enc DB_HOST secret.host --public-key\n$ vendor/bin/php-vault set .env.enc DB_NAME 
secret.name --public-key\n```\n\n### Display the environment file\n\n* The contents displayed are encrypted.\n* No key is needed.\n\n```bash\n$ vendor/bin/php-vault display .env.enc --load-encrypted\n...\n```\n\n## On production system\n\nUsually, you need the *private* key in this environment. Examples can be found below. There are several\n[ways](docs/ENVIRONMENT.md) to pass the private key to the `php-vault` interpreter. In the following,\nthe key is loaded from the `.keys` directory (`--private-key`).\n\n### Display an encrypted file\n\n* Use private key (`--private-key` → read from `.keys/private.key`).\n\n```bash\n$ vendor/bin/php-vault display .env.enc --load-encrypted --display-decrypted --private-key\n+---------+-------------+-------------+\n| Key     | Value       | Description |\n+---------+-------------+-------------+\n| DB_USER | secret.user | DB Configs  |\n| DB_PASS | secret.pass |             |\n| DB_HOST | secret.host |             |\n| DB_NAME | secret.name |             |\n+---------+-------------+-------------+\n```\n\n### Decrypt an encrypted file\n\n* Never add the produced decrypted file `.env` to the repository!\n* Use private key (`--private-key` → load from `.keys/private.key`).\n\n```bash\n$ vendor/bin/php-vault decrypt-file .env.enc --private-key\n\nThe file was successfully written to \".env\".\n```\n\n### Display the decrypted file without encryption\n\n* No key is needed.\n\n```bash\n$ vendor/bin/php-vault display .env --display-decrypted\n+---------+-------------+-------------+\n| Key     | Value       | Description |\n+---------+-------------+-------------+\n| DB_USER | secret.user | DB Configs  |\n| DB_PASS | secret.pass |             |\n| DB_HOST | secret.host |             |\n| DB_NAME | secret.name |             |\n+---------+-------------+-------------+\n```\n\n## Using the PHPVault class\n\n### Load the private key from a given file\n\n```php\n\u003c?php\n\nrequire 'vendor/autoload.php';\n\nuse 
Ixnode\\PhpVault\\PHPVault;\n\n/* Path to private key and .env.enc */\n$pathToPrivateKey = __DIR__.'/.keys/private.key';\n$pathToEncryptedEnv = __DIR__.'/.env.enc';\n\n/* - Initiate PHPVault Core.\n * - Load private key.\n * - Load the encrypted env file.\n */\n$phpVault = new PHPVault();\n$phpVault-\u003eloadPrivateKeyFromFile($pathToPrivateKey);\n$phpVault-\u003eimportEncryptedEnvFile($pathToEncryptedEnv);\n\n/* Usage */\n$dbUser = getenv('PHPVAULT_DB_USER');\n$dbPass = getenv('PHPVAULT_DB_PASS');\n$dbHost = getenv('PHPVAULT_DB_HOST');\n$dbName = getenv('PHPVAULT_DB_NAME');\n```\n\n### Load the private key from the server environment variable `PRIVATE_KEY`\n\nFor options to set the environment variable, see [here](docs/ENVIRONMENT.md).\n\n```php\n\u003c?php\n\nrequire 'vendor/autoload.php';\n\nuse Ixnode\\PhpVault\\PHPVault;\n\n/* Path to private key and .env.enc */\n$pathToEncryptedEnv = __DIR__.'/.env.enc';\n\n/* - Initiate PHPVault Core and use the PRIVATE_KEY environment variable.\n * - Load the encrypted env file.\n */\n$phpVault = new PHPVault();\n$phpVault-\u003eimportEncryptedEnvFile($pathToEncryptedEnv);\n\n/* Usage */\n$dbUser = getenv('PHPVAULT_DB_USER');\n$dbPass = getenv('PHPVAULT_DB_PASS');\n$dbHost = getenv('PHPVAULT_DB_HOST');\n$dbName = getenv('PHPVAULT_DB_NAME');\n```\n\n## Run tests\n\nThis part is only available if the project is checked out directly for development:\n\n```bash\n$ git clone https://github.com/ixnode/php-vault.git \u0026\u0026 cd php-vault\n$ composer install\n```\n\n### PHPUnit tests\n\n```bash\n$ composer run tests\n\u003e phpunit tests\nPHPUnit 9.5.4 by Sebastian Bergmann and contributors.\n\n...............................................................  63 / 154 ( 40%)\n............................................................... 126 / 154 ( 81%)\n............................                                    
154 / 154 (100%)\n\nTime: 00:00.136, Memory: 8.00 MB\n\nOK (154 tests, 274 assertions)\n```\n\n### Static code analysis (PHPStan)\n\n```bash\n$ composer run analyse\n\u003e phpstan analyse src --level max --no-progress\n\n [OK] No errors\n\n\u003e phpstan analyse tests --level max --no-progress\n\n [OK] No errors\n```\n\n### Continuous integration\n\nRuns `@analyse` and `@tests`:\n\n```bash\n$ composer run ci\n```\n\n## Security\n\nIf you discover a security vulnerability within this package, please send an email to Björn Hempel at\nbjoern@hempel.li. All security vulnerabilities will be promptly addressed. You may view our full\nsecurity policy [here](https://github.com/ixnode/php-vault/security/policy).\n\n## License\n\nPHPVault is licensed under [MIT](https://github.com/ixnode/php-vault/blob/master/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fixnode%2Fphp-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fixnode%2Fphp-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fixnode%2Fphp-vault/lists"}