hegelmax/env-secured

Encrypted configuration manager for PHP (EnvSecured).

pkg:composer/hegelmax/env-secured

v1.0.17 2025-12-08 15:30 UTC

This package is auto-updated.

Last update: 2025-12-08 15:31:26 UTC


README

EnvSecured is a lightweight, self-contained PHP module that stores sensitive configuration values (API keys, database credentials, tokens, secrets) in an encrypted file and provides a clean interface for reading them at runtime.

โญ Key Features

  • ๐Ÿ”’ Encrypted config file (config.enc)
  • ๐ŸŒ Browser-based UI for editing settings
  • ๐Ÿ“ค JSON export (download)
  • ๐Ÿ“ฅ JSON import (load file into form)
  • ๐Ÿ”‘ Automatic key generation (keys/*.key)
  • ๐Ÿงฌ Server-bound encryption (fingerprint-based)
  • ๐Ÿงฉ Zero global functions โ€” everything wrapped in PHP classes
  • ๐Ÿš€ Drop-in integration into any project
  • โš™๏ธ Can be used:
    • with Composer
    • without Composer

๐Ÿ—‚๏ธ Project Structure

env_secured/
├── _init.php                    → Bootloader (entry point)
├── libs/
│   ├── EnvSecured.php           → Main config manager
│   ├── EnvSecuredCrypto.php     → Encryption engine
│   └── html/
│       ├── page_form.php        → UI template: config editor
│       ├── page_success.php     → UI template: success page
│       └── page_error.php       → UI template: error page
├── configs/                     → Encrypted config files (auto-created)
│   └── config.enc               → Main encrypted config (auto-created)
└── keys/                        → Key files (auto-created)
    ├── sodium.key               → Internal crypto key
    └── secret.key               → Master secret key

Both configs/ and keys/ directories are created automatically on first use if they do not exist.

📦 Installation

Option A: Composer (recommended)

composer require hegelmax/env-secured

Option B: No Composer

Download the directory:

env_secured/

and place it anywhere in your project.

🚀 Quick Start (Composer version)

require __DIR__ . '/vendor/autoload.php';

use EnvSecured\EnvSecured;

$envRoot = __DIR__ . '/env'; // Directory for configs/ and keys/

$env = new EnvSecured($envRoot);
$env->run();

// Retrieve configuration
$config = EnvSecured::get();          // full array
$dbHost = EnvSecured::get('DB_HOST'); // single value

🚀 Quick Start (No Composer)

require __DIR__ . '/env_secured/init.php';

Then read configuration via:

$env = EnvSecured::get();  // array
echo EnvSecured::get('API_URL'); 

๐Ÿ–ฅ๏ธ First Run โ€” Creating Config

When no encrypted config exists, opening your init script in a browser shows the Config Editor UI:

/env_secured/init.php

UI allows:

✔ Editing KEY=value rows

✔ Saving encrypted config (config.enc)

✔ Downloading JSON

✔ Loading JSON into form

Folders created automatically:

env/
  configs/
    config.enc
  keys/
    sodium.key
    secret.key

🔒 Encryption Model

EnvSecured uses:

  • 256-bit sodium.key
  • 256-bit secret.key
  • machine + project fingerprint
  • XSalsa20-Poly1305 (libsodium)
  • unique nonce per encryption
  • atomic writes to prevent corruption

Conceptually:

fingerprint = HASH( hostname | projectRoot | secret.key )
finalKey    = HASH( fingerprint | sodium.key )
cipher      = base64( nonce | secretbox(plaintext, nonce, finalKey) )
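
The conceptual scheme above, worked through with ext-sodium as an added example (not EnvSecured's own code). It assumes HASH is BLAKE2b (sodium_crypto_generichash) and "|" is a literal separator; the function names, host names and paths are hypothetical. It shows that a config sealed on one host is rejected when the same key files are used under a different hostname, and that a modified ciphertext fails authentication.

```php
<?php
declare(strict_types=1);

// Illustration only, not EnvSecured's code. Assumed: HASH = BLAKE2b, "|" separator.
function deriveKey(string $host, string $root, string $secretKey, string $sodiumKey): string
{
    $fingerprint = sodium_crypto_generichash("$host|$root|$secretKey");
    // 32-byte digest, the key size secretbox requires
    return sodium_crypto_generichash("$fingerprint|$sodiumKey", '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

function seal(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // unique per encryption
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Returns the plaintext, or null when the input is malformed or authentication fails.
function unseal(string $cipher, string $key): ?string
{
    $raw = base64_decode($cipher, true);
    if ($raw === false
        || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed sample values; real key files would hold 32 random bytes each.
$secretKey = random_bytes(32);
$sodiumKey = random_bytes(32);
$keyA = deriveKey('web-01', '/var/www/app', $secretKey, $sodiumKey);
$keyB = deriveKey('web-02', '/var/www/app', $secretKey, $sodiumKey); // same key files, other host

$cipher = seal('{"DB_HOST":"localhost"}', $keyA);

$raw = base64_decode($cipher, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01); // flip one ciphertext bit
$tampered = base64_encode($raw);

var_dump(unseal($cipher, $keyA) === '{"DB_HOST":"localhost"}'); // round trip on the original host
var_dump(unseal($cipher, $keyB) === null);   // fingerprint mismatch is rejected
var_dump(unseal($tampered, $keyA) === null); // Poly1305 tag rejects the modified box
```

Because the hostname and project root feed the key, renaming the host or moving the project directory has the same effect as the second case.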

๐Ÿ›ก๏ธ Why It's Safe

  • Keys stored outside web root (in env_secured/keys/)
  • Config stored encrypted (env_secured/configs/config.enc)
  • No plaintext config on server
  • No global functions → no name collisions
  • Atomic writes for safe file operations
  • Encryption relies on libsodium (modern & secure)
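
The first bullet holds only when the EnvSecured root really sits outside the document root; in the no-Composer layout the init script is opened at /env_secured/init.php, so the directory is web-served. The check below is an added example, not part of EnvSecured: it flags an env root under the document root and key or config files readable beyond their owner. The function name, the owner-only (0600) expectation and POSIX permissions are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not part of EnvSecured: list deployment problems for an
 * EnvSecured root. Assumes POSIX permissions; $docRoot is the web server's
 * document root. Returns an empty array when nothing is wrong.
 */
function auditEnvRoot(string $envRoot, string $docRoot): array
{
    $env = realpath($envRoot);
    $doc = realpath($docRoot);
    if ($env === false || $doc === false) {
        return ['cannot resolve envRoot or docRoot'];
    }
    $findings = [];
    // Anything under the document root may be fetched directly over HTTP.
    $docPrefix = rtrim($doc, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (str_starts_with($env . DIRECTORY_SEPARATOR, $docPrefix)) {
        $findings[] = "$env is inside document root $doc";
    }
    foreach (['keys/sodium.key', 'keys/secret.key', 'configs/config.enc'] as $rel) {
        $path = "$env/$rel";
        if (!is_file($path)) {
            $findings[] = "missing $rel";
            continue;
        }
        $mode = fileperms($path) & 0777;
        if (($mode & 0077) !== 0) { // group or others have some access
            $findings[] = sprintf('%s has mode %04o, expected 0600', $rel, $mode);
        }
    }
    return $findings;
}

// Constructed layout in a temp directory: env root placed under the web root,
// one key file left group/world-readable.
$doc = sys_get_temp_dir() . '/envsec_demo_' . bin2hex(random_bytes(4));
mkdir("$doc/env_secured/keys", 0700, true);
mkdir("$doc/env_secured/configs", 0700, true);
foreach (['keys/sodium.key', 'keys/secret.key', 'configs/config.enc'] as $rel) {
    file_put_contents("$doc/env_secured/$rel", random_bytes(32));
    chmod("$doc/env_secured/$rel", 0600);
}
chmod("$doc/env_secured/keys/secret.key", 0644);

print_r(auditEnvRoot("$doc/env_secured", $doc));
```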

โš™๏ธ Configuration in Code

Once EnvSecured loads the config:

1๏ธโƒฃ Array access

$config = EnvSecured::get();
echo $config['DB_HOST'];

2๏ธโƒฃ Single value

echo EnvSecured::get('API_TOKEN');

3๏ธโƒฃ Global constants

If constant autodefine is enabled:

echo API_TOKEN;

Enable via:

const ENV_SECURED_CONFIG_DEFINE_CONST = true;

๐Ÿ› ๏ธ Optional Constants

Place them before calling EnvSecured.

const ENV_SECURED_CONFIG_SCHEMA       = 'prod';
const ENV_SECURED_CONFIG_ALLOW_EDIT   = false;
const ENV_SECURED_CONFIG_ALLOW_SESSION = true;
const ENV_SECURED_CONFIG_DEFINE_CONST = true;

const ENV_SECURED_DEFAULTS = [
    ['key' => 'DB_HOST', 'value' => 'localhost'],
    ['key' => 'API_URL', 'value' => 'https://localhost/api'],
];

🔧 Requirements

  • PHP 8.1+
  • ext-sodium enabled
  • Writable directory for:
    • configs/
    • keys/

💻 JSON Import / Export

EnvSecured supports configuration migration via a JSON file, which is useful for:

  • migrations
  • backups
  • moving configs between servers
  • Dev → Prod workflows

Export (Download JSON)

Downloads a readable .json file containing all config values.

Import (Load JSON)

Loads a .json file directly in the browser and fills the config form.

No data is sent to the server until Save (encrypted) is pressed.

📤 Migrating Between Servers

  1. On old server → open UI → Download JSON
  2. Transfer the downloaded file to the new server
  3. On new server → open UI → Load JSON
  4. Click Save (encrypted)

A new encrypted config is generated automatically for the new environment; secret keys remain private.

🧪 Self-Test (Optional)

Temporary snippet:

require_once __DIR__ . '/env_secured/_init.php';

$cipher = (new EnvSecuredCrypto(__DIR__ . '/env_secured'))->encrypt("test");
var_dump($cipher);

Then ensure:

// The round trip must return the original plaintext; this should print bool(true)
var_dump((new EnvSecuredCrypto(__DIR__ . '/env_secured'))->decrypt($cipher) === "test");

📄 License

MIT License. Free for commercial use.

© 2025 Maxim Hegel