
Repository Details

A secure .env handler with encrypted key/value storage

secure_dotenv

The secure_dotenv library provides an easy way to handle the encryption and decryption of the information in your .env file.

One of the generally accepted security best practices is preventing the use of hard-coded, plain-text credentials of any kind. This library allows you to store the values in your .env as encrypted strings but still be able to access them transparently without worrying about implementing your own encryption method.


Installation

Download Composer package

You can install the library easily with a Composer require call on the command line:

composer require psecio/secure_dotenv

Generate the key

First, you'll need to generate your encryption key. The library makes use of the defuse/php-encryption library for its encryption handling.

php vendor/bin/generate-defuse-key

This will result in a randomized string to use with the php-encryption library's default encryption. This string should be placed in a file where the script can access it.

NOTE: According to security best practices, this key file should remain outside of the document root (not web accessible) but should be readable by the web server user (or executing user).

Create the .env file

You'll then need to make the .env file you're wanting to place the values in:

touch /project/root/dir/.env

Loading the values

With the key file and .env created, you can now create a new instance that can be used to read the encrypted values:

<?php
require_once __DIR__.'/vendor/autoload.php';

$keyfile = __DIR__.'/keyfile';
$envFile = __DIR__.'/.env';

$d = new \Psecio\SecureDotenv\Parser($keyfile, $envFile);

// The contents here is the set of all decrypted values from the .env
print_r($d->getContent());
?>

You don't have to use a file as a source for the key either - you can use a string (potentially something from an $_ENV variable or some other source):

<?php
require_once __DIR__.'/vendor/autoload.php';

$key = $_ENV['ENCRYPTION_KEY'];
$envFile = __DIR__.'/.env';

$d = new \Psecio\SecureDotenv\Parser($key, $envFile);
// $d is used exactly as in the file-based example above
?>

This can be useful to help prevent the key from being read by a local file inclusion attack.

If there are values currently in your .env file that are unencrypted, the library will pass them through and just return the plain-text version as pulled directly from the .env configuration.

Setting values

You can also dynamically set values into your .env file using the save() method on the Parser class:

<?php
require_once __DIR__.'/vendor/autoload.php';

$keyfile = __DIR__.'/keyfile';
$envFile = __DIR__.'/.env';

$d = new \Psecio\SecureDotenv\Parser($keyfile, $envFile);

$keyName = 'test1';
$keyValue = 'foobarbaz';

if ($d->save($keyName, $keyValue)) {
    echo 'Save successful';
} else {
    echo 'There was an error while saving the value.';
}

There's no need to worry about encrypting the value as the library takes care of that for you and outputs the encrypted result to the .env file.
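Putting the loading and saving steps above together, as an added example that is not from the secure_dotenv project: it prefers a key from the environment (as in the $_ENV example), otherwise reads a keyfile that it checks is outside the document root and not world-readable, then saves a constructed sample value and reads it back. It assumes a keyfile at ../config/keyfile and that getContent() returns a name-to-decrypted-value array.

```php
<?php
// Added example, not part of the secure_dotenv project. Wraps the Parser with
// the keyfile checks a deployment would want before trusting the key source.
require_once __DIR__ . '/vendor/autoload.php';

use Psecio\SecureDotenv\Parser;

function resolveKey(string $keyfile): string
{
    // A key supplied via the environment wins (see the $_ENV usage above).
    $fromEnv = $_ENV['ENCRYPTION_KEY'] ?? getenv('ENCRYPTION_KEY');
    if (is_string($fromEnv) && $fromEnv !== '') {
        return $fromEnv;
    }

    $real = realpath($keyfile);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("Key file not readable: $keyfile");
    }

    // Refuse a keyfile that lives under the web-accessible document root.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($real, rtrim($docRoot, '/') . '/') === 0) {
        throw new RuntimeException("Key file must not be inside the document root: $real");
    }

    // Refuse a world-readable keyfile (0004 = "other" read bit); group read is
    // allowed so the web server user can still read a deploy-owned file.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException("Key file is readable by all users: $real");
    }

    return trim((string) file_get_contents($real));
}

// Assumed paths: keyfile one level above the project, i.e. outside the docroot.
$keyfilePath = dirname(__DIR__) . '/config/keyfile';
$envFile     = __DIR__ . '/.env';

$parser = new Parser(resolveKey($keyfilePath), $envFile);

// Write a constructed sample value; the library encrypts it before saving.
if (!$parser->save('DB_PASSWORD', 'sample-only-not-a-real-secret')) {
    throw new RuntimeException('Could not write encrypted value to .env');
}

// Read it back: getContent() is assumed to return name => decrypted value.
$values = $parser->getContent();
printf("DB_PASSWORD decrypts to %s\n", $values['DB_PASSWORD'] ?? '(missing)');
```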

Encrypting values via CLI

This library also comes with a handy way to encrypt values and write them out to the .env configuration automatically:

vendor/psecio/secure_dotenv/bin/encrypt --keyfile=/path/to/keyfile

This tool will ask a few questions about the location of the .env file and the key/value pair to set. When it completes it will write the new, encrypted value to the .env file. If a value is already set in the configuration and you want to overwrite it, call the encrypt script with the --override command line flag.
