https://github.com/smartcontractkit/env-enc

https://github.com/smartcontractkit/env-enc

Last synced: about 1 month ago
JSON representation

• Host: GitHub
• URL: https://github.com/smartcontractkit/env-enc
• Owner: smartcontractkit
• License: mit
• Created: 2023-04-06T22:46:43.000Z (about 2 years ago)
• Default Branch: main
• Last Pushed: 2023-04-11T17:16:02.000Z (about 2 years ago)
• Last Synced: 2025-04-19T08:10:31.803Z (about 2 months ago)
• Language: TypeScript
• Size: 43.9 KB
• Stars: 31
• Watchers: 10
• Forks: 4
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# env-enc

A tool for loading and storing encrypted environment variables

## What

This is a tool for keeping environment variables such as private keys and other credentials encrypted at rest.

This reduces the risk of credential exposure by ensuring credentials are not visible in plaintext or in terminal history.

It also allows an encrypted environment variables to be stored on Github, provided they are protected with a secure password.

For loading environment variables, this works in a similar manner to the NPM package `dotenv` where environment variables are loaded from a `.env` file.

However, this plugin instead uses CLI commands to create an `.env.enc` file which stores environment variables that are encrypted using a password.

Then, when the `config()` method is called, these variables will be decrypted and loaded into the environment.

## Installation

1. Install `@chainlink/env-enc` from NPM

2. Import the package in your project's main file (this will be `hardhat.config.js` or `hardhat.config.ts` for HardHat projects)

- For JavaScript projects, add the following line to the top of main file (usually `index.js`):

  ```

  require("@chainlink/env-enc").config();

  ```

- For Typescript projects, add the following lines to the top of main file (usually `index.ts`):

  ```

  import * as envEnc from "@chainlink/env-enc";

  envEnc.config();

  ```

## Commands

The following commands accept an optional `--path` flag followed by a path to the desired encrypted environment variable file.

If one does not exist, it will be created automatically by the `npx env-enc set` command.

The `--path` flag has no effect on the `npx env-enc set-pw` command as the password is stored as an ephemeral environment variable for the current terminal session.

| Command                     | Description                                                                                                                                       | Parameters            |

| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |

| `npx env-enc set-pw`        | Sets the password to encrypt and decrypt the environment variable file **NOTE:** On Windows, this command may show a security confirmation prompt |                       |

| `npx env-enc set`           | Sets and saves variables to the encrypted environment variable file                                                                               |                       |

| `npx env-enc view`          | Shows all currently saved variables in the encrypted environment variable file                                                                    |                       |

| `npx env-enc remove ` | Removes a variable from the encrypted environment variable file                                                                                   | `name`: Variable name |

| `npx env-enc remove-all`    | Deletes the encrypted environment variable file                                                                                                   |                       |

## Configuration

By default, all encrypted environment variables will be stored in a file named `.env.enc` in the root directory of your project.

However, this file path can be configured using the `path` option in the `config()` method as shown below:

```

require("@chainlink/env-enc").config({ path: './your_directory/my_env.enc' });

```

## Usage

First, set the encryption password by running the command `npx env-enc set-password`.

The password must be set at the beginning of each new session.

If this password is lost, there will be no way to recover the encrypted environment variables.

When running this command on a Windows machine, you may receive a security confirmation prompt. Enter "r" to proceed.

> **NOTE:** When you finish each work session, exit your terminal to prevent your password from becoming exposes if your machine is compromised.

Run the command `npx env-enc set` to set and save environment variables.

These variables will be loaded into your environment when the `config()` method is called.

Use `npx env-enc view` to view all currently saved environment variables.

When pressing _ENTER_, the terminal will be cleared to prevent these values from remaining visible.

Running `npx env-enc remove VAR_NAME_HERE` deletes the specified environment variable.

The command `npx env-enc remove-all` deletes the entire saved environment variable file.

If you lose your password, delete your encrypted environment variable file. If you attempt to load an encrypted environment variable file without the correct password, it will cause an error.