README
Ciphenv
Ciphenv (Ciphered Env) is a simple CLI tool to encrypt/cipher your .env files using prefixes to indicate whether you want the value to be encrypted using a given secret.
Install
npm install --save ciphenv
or
npm install -g ciphenv
Usage
Create one or many .env file(s) and add some values in following the dotenv pattern, e.g.
DB_HOST="localhost"
DB_USER="root"
DB_PASS="s1mpl32"
Encryption
For the values that you want to be encrypted add a prefix of DEC: (which indicates it is decrypted) to the value. For example, taking the previous example and assuming the DB_PASS would want to be encrypted:
DB_HOST="localhost"
DB_USER="root"
DB_PASS="DEC:s1mpl32"
Then, all that is needed is to run:
$ npx ciphenv encrypt -F --secret superSecret
# `.env.enc` file created
and the output in the .env.enc file would be:
DB_HOST="localhost"
DB_USER="root"
DB_PASS="ENC:********"
Encrypting Entire Files
Ciphenv is also able to encrypt whole files through the use of another special prefix, being DEC_FILE_PATH: (path to the decrypted file). This can be especially useful for PEM keys and other multiline values that require encryption.
Following from the example above, the syntax would look like this:
DB_HOST="localhost"
DB_USER="root"
DB_PASS="DEC:s1mpl32"
PEM="DEC_FILE_PATH:./keys/super-secret.pem"
after encryption, the resultant .env file would end up as so:
DB_HOST="localhost"
DB_USER="root"
DB_PASS="ENC:********"
PEM="ENC:********"
Decryption
At Runtime
To decrypt at runtime Ciphenv provides two utility functions getDecryptedValues and getDecryptedValue.
/**
* @param secret the secret used to encrypt the values
* @param env the parsed output from `dotenv` for the specified `.env*` file
* @returns the unencrypted env object (without the `DEC:` prefix on the values)
*/
function getDecryptedValues(secret: string, env: { [key: string]: any }): { [key: string]: any };
/**
* @param secret the secret used to encrypt the values.
* @param value the value to decrypt
* @returns the decrypted value (without the `DEC:` prefix)
*/
function getDecryptedValue(secret: string, value: string): string;
Here is an example of this usage:
import dotenv from "dotenv";
import { getDecryptedValues } from "ciphenv";
const config = getDecryptedValues(process.env.SECRET, dotenv.config({ path: `.env.${NODE_ENV}.enc` }).parsed);
Using the CLI
To decrypt the encrypted .env file from the CLI you can then just run:
$ npx ciphenv decrypt -F --secret superSecret
# `.env.dec` file created
and the output would be:
DB_HOST="localhost"
DB_USER="root"
DB_PASS="DEC:s1mpl32"
Just remember to not commit the decrypted .env file(s)!
Here are .gitignore entries which could be used to avoid committing the decrypted .env files when using the default naming pattern:
.env.*
!.env.*.enc
Decrypting Entire Files
Decrypting entire files places the decrypted file path back in to the .env file like so:
DB_HOST="localhost"
DB_USER="root"
DB_PASS="DEC:s1mpl32"
PEM="DEC_FILE_PATH:./keys/super-secret.pem"
and also creates the super-secret.pem file with it's decrypted contents again.
The above occurs partly to avoid any issues with re-encrypting the decrypted .env file as the value would be multiline, but also to have the behaviour that you may expect, where something decrypted should match the original used during encryption.
CLI Options
| Option, [alias] | Description | Value Type | Default |
|---|---|---|---|
--version |
Show version number | boolean |
|
-R, --replace |
Overwrite the specified .env* file with new contents |
boolean |
false |
-S, --secret |
Secret to use for encryption | string* |
(required) |
-F, --file |
Path to .env* |
string or boolean |
false or .env if value is true |
-V, --value |
Value to be encrypted | string |
|
-h, --help |
Show help | boolean |