Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/imcatwhocode/envienc
🔐 Encrypt dotenv, YAML and Hpp values keeping the rest of file intact
https://github.com/imcatwhocode/envienc
dotenv encrypt hpp yaml
Last synced: 2 days ago
JSON representation
🔐 Encrypt dotenv, YAML and Hpp values keeping the rest of file intact
- Host: GitHub
- URL: https://github.com/imcatwhocode/envienc
- Owner: imcatwhocode
- License: mit
- Created: 2023-03-12T17:35:46.000Z (almost 2 years ago)
- Default Branch: release
- Last Pushed: 2024-02-22T22:30:11.000Z (10 months ago)
- Last Synced: 2024-04-23T22:55:25.759Z (8 months ago)
- Topics: dotenv, encrypt, hpp, yaml
- Language: TypeScript
- Homepage:
- Size: 625 KB
- Stars: 1
- Watchers: 2
- Forks: 1
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
README
# envienc
Envienc is a command-line tool for encrypting dotenv, YAML and .h/.hpp files, while keeping keys,
comments, and overall structure untouched.It encrypts only the values, leaving the rest of the file intact.
## Installation
You need to have Node.js installed on your system. Then, run the following commands:
```bash
# Install envienc globally
npm install -g envienc# ... or use npx to run it without installing
npx envienc# ... or install it to your project and run it from there
cd your-project
npm install --save-dev envienc
npx envienc
```## Quick start
```bash
# First, let's init a new project.
# This will create a .enviencrc file in your project root.
# Using "-g" flag, you can specify globs for dotenv and YAML files.
npx envienc init -g ".env" -g ".env.*" -g "deployments/*.yml"# Then, add unencrypted files to .gitignore if applicable.
# This will prevent you from accidentally committing unencrypted files.
# Make sure that globs in .gitignore wouldn't match encrypted files with ".envienc" suffix# Now you can encrypt your files.
npx envienc encrypt# When you need to decrypt your files, run
npx envienc decrypt# Help is here anytime you need it
npx envienc --help
```## Exceptions
You can skip specific configuration entries from being encrypted.
Use `@envienc no-encrypt` comment:
## For dotenv
```dotenv
# @envienc no-encrypt
PUBLIC_INFO=This variable wouldn't be encrypted# But this one would
MY_SECRET=hellokitty
```## For YAML
```yaml
nested:
- item1:
# Flag below would prevent encryption of entire "item1" entry
# @envienc no-encrypt
key1: value1
key2: value2
subitems:
- subitem1
- subitem2
# "item2" will be encrypted as expected
- item2:
keyA: valueA
keyB: valueBcolors:
red: '#FF0000'
green: '#00FF00'
# Flag below would prevent encryption only of "blue" entry
blue: '#0000FF' # @envienc no-encrypt
random:
rgb: [
128,
# Flag below would prevent encryption only of "255" value
255, # @envienc no-encrypt
64,
]
hex: '#FFFFFF'# Entire "branding" entry will be kept unencrypted
# @envienc no-encrypt
branding:
logo_uri: 'https://example.com/logo.png'
name: 'My App'
description: 'My App is a great app'
```## For .H/.HPP
```c
// Will be encrypted
#define SECURE_STUFF "my_sweetest_secret"// Will not be encrypted
#define NON_SECURE_STUFF /* @envienc no-encrypt */ "not_secret_at_all"
```## Log
Envienc uses `pino` for logging. By default, output is prettified using `pino-pretty` package.
If you want to output logs in default JSON format, set `LOG_JSON` environment variable to `true`.```bash
# This will output logs in Pino's default JSON format
LOG_JSON=true npx envienc encrypt
```## Encryption
Under the hood, envienc uses the AES-256-GCM algorithm to encrypt the values.
- To produce the encryption key, it uses the PBKDF2 algorithm with 600,000 iterations.
- Salt for PBKDF2 is generated using Node's built-in CSPRNG via the `crypto.randomBytes()` method.
Salt is unique per project and stored in `.enviencrc` configuration file.
- Each encrypted value has its own unique IV and auth tag stored with ciphertext.## Password input
You can provide the password in several ways. The order of precedence is as follows:
1. Using the `--password` option. Please, don't ever do this in production.
2. Using the `ENVIENC_PASSWORD` environment variable.
3. Using the interactive prompt when encrypting or decrypting.