https://github.com/staabm/secure_dotenv
A secure .env handler with encrypted key/value storage
- Host: GitHub
- URL: https://github.com/staabm/secure_dotenv
- Owner: staabm
- License: mit
- Created: 2023-11-16T09:29:18.000Z (over 2 years ago)
- Default Branch: master
- Last Pushed: 2025-10-13T05:22:27.000Z (9 months ago)
- Last Synced: 2025-10-24T02:56:41.210Z (8 months ago)
- Language: PHP
- Size: 71.3 KB
- Stars: 5
- Watchers: 0
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
# secure_dotenv
The `secure_dotenv` library provides an easy way to handle the encryption and decryption of the information in your `.env` file.
One of the generally accepted security best practices is preventing the use of hard-coded, plain-text credentials of any kind. This library allows you to store the values in your `.env` as encrypted strings but still be able to access them transparently without worrying about implementing your own encryption method.
## Installation
### Download Composer package
You can install the library easily with a Composer `require` call on the command line:
```
composer require staabm/secure_dotenv
```
### Generate the key
First, you'll need to generate your encryption key. The library makes use of the [defuse/php-encryption](https://github.com/defuse/php-encryption) library for its encryption handling.
```
php vendor/bin/generate-defuse-key
```
This will result in a randomized string to use with the `php-encryption` library's default encryption. This string should be placed in a file where the script can access it.
> **NOTE:** According to security best practices, this key file should remain outside of the document root (not web accessible) but should be readable by the web server user (or executing user).
### Create the `.env` file
You'll then need to create the `.env` file that will hold the values:
```
touch /project/root/dir/.env
```
### Loading the values
With the key file and .env created, you can now create a new instance that can be used to read the encrypted values:
```php
<?php
// Assumes $d is a Parser instance created with the key file and the .env file.
print_r($d->getContent());
?>
```
You don't have to use a file as a source for the key either - you can use a string (potentially something from an `$_ENV` variable or some other source):
```php
```
This can be useful to help prevent the key from being read by a [local file inclusion](https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Local_File_Inclusion) attack.
If there are values currently in your `.env` file that are unencrypted, the library will pass them over and just return the plain-text version as pulled directly from the `.env` configuration.
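Because unencrypted values are passed through silently, it helps to check which entries in a `.env` file are still plain text. The following is an added example, not part of `secure_dotenv`: it assumes encrypted values are stored as the hex output of `defuse/php-encryption` version 2 (which starts with `def50200`), and the function names and sample data are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of secure_dotenv. Requires PHP 8.
// Assumption: encrypted values are stored as the hex output of
// defuse/php-encryption v2, which starts with the version header "def50200".
const DEFUSE_V2_HEADER = 'def50200';
const DEFUSE_MIN_HEX_LEN = 168; // (4 header + 32 salt + 16 IV + 32 MAC bytes) * 2

function looksEncrypted(string $value): bool
{
    return strlen($value) >= DEFUSE_MIN_HEX_LEN
        && strlen($value) % 2 === 0
        && str_starts_with($value, DEFUSE_V2_HEADER)
        && ctype_xdigit($value);
}

/** Returns the names of non-empty entries whose values are still plain text. */
function plaintextKeys(string $envContents): array
{
    $plain = [];
    foreach (preg_split('/\R/', $envContents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || $line[0] === ';' || !str_contains($line, '=')) {
            continue; // blank line, comment, or not a KEY=VALUE entry
        }
        [$name, $value] = explode('=', $line, 2);
        $value = trim($value, " \t\"'");
        if ($value !== '' && !looksEncrypted($value)) {
            $plain[] = trim($name);
        }
    }
    return $plain;
}

// Constructed sample input: one value shaped like ciphertext, one plain-text value.
$sample = "# constructed sample\n"
    . 'DB_PASS=' . DEFUSE_V2_HEADER . str_repeat('ab', 80) . "\n"
    . "API_TOKEN=not-encrypted-example\n";

foreach (plaintextKeys($sample) as $name) {
    echo "plain-text value: {$name}\n";
}
```

The check only looks at the shape of each value; it does not prove that a value decrypts with your key.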
## Setting values
You can also dynamically set values into your `.env` file using the `save()` method on the `Parser` class:
```php
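<?php
// Assumes $d is a Parser instance; the key name and value are sample values.
$keyName = 'test1';
$keyValue = 'foobar';

if ($d->save($keyName, $keyValue)) {
    echo 'Save successful';
} else {
    echo 'There was an error while saving the value.';
}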
```
There's no need to worry about encrypting the value as the library takes care of that for you and outputs the encrypted result to the `.env` file.
## Encrypting values via CLI
This library also comes with a handy way to encrypt values and write them out to the `.env` configuration automatically:
```
vendor/bin/encrypt-env --keyfile=/path/to/keyfile
```
This tool will ask a few questions about the location of the `.env` file and the key/value pair to set. When it completes, it will write the new encrypted value to the `.env` file. If a value is already set in the configuration and you want to overwrite it, call the `encrypt-env` script with the `--override` command line flag.
## Credits
This package is a maintained fork of https://github.com/psecio/secure_dotenv, originally created by [Chris Cornutt aka @enygma](https://github.com/enygma).