surgiie / vault-cli
A PHP command-line interface for storing encrypted `AES-256` or `AES-128` json data using an encryption key derived from a master password.
Installs: 72
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Type:project
Requires
- php: ^8.1
- illuminate/encryption: ^10.17|^11.0
- laravel/prompts: ^0.1.1
- spatie/invade: ^2.0
- symfony/yaml: ^6.3
Requires (Dev)
- fakerphp/faker: ^1.9.1
- laravel-zero/framework: ^10.2|^11.0
- laravel/pint: ^1.13
- mockery/mockery: ^1.4.4
- pestphp/pest: ^2.10.0
This package is auto-updated.
Last update: 2024-10-29 05:47:34 UTC
README
A PHP command-line interface for storing encrypted AES-256
or AES-128
json data using an encryption key derived from a master password.
Install
To install, run the following command:
composer global require surgiie/vault-cli
Supported Storage Drivers
- Local Filesystem
Supported Ciphers
- aes-128-cbc
- aes-256-cbc
- aes-128-gcm
- aes-256-gcm
Supported PBKDF Hashing Algorithms
- sha256
- sha512
Learn more - hash_pbkdf2
Getting Started
To get started with a new vault, run the following command:
vault new <name>
Configuration
Once you have a vault to work with, you can start using the cli. The cli reads a configuration from the ~/.vault/config.yaml
file. This file will contain your vault's config and various other options for the cli to work with. For example, in order for the cli to know how to encrypt/decrypt your vault items, you will need to set the encryption options and register your vaults in the config file:
vaults: your-vault-name: algorithm: sha256 cipher: aes-128-cbc driver: local iterations: 600000
Note - The ~/.vault/config.yaml
file will be created for you when you run the vault new
command and register your vault automatically.
Selecting a Vault
To select the vault the cli should interact with, use the vault use
command:
vault use <your-vault-name>
Alternatively, you can manually update the use-vault
option in the ~/.vault/config.yaml
file:
use-vault: <your-vault-name> vaults: your-vault-name: # ... your vault options
Storing Items
To store an item in your vault, run the item:new
command:
vault item:new github_login --content="somepassword" --password="<your-encryption-password>"
This will store encrypted JSON data in the vault. When decrypted, the JSON structure for this example would be:
{ "name": "github_login", "content": "some_password", }
Loading Content From a File:
If you prefer to load the content for your vault item from a file, use the --content-file
flag instead of --content
to load the item content from a file:
vault item:new some_name --content-file="/path/to/some/file" --password="<your-encryption-password>"
Set New Item Content In Terminal Editor:
If you do not pass the --content
or --content-file
flag, you will be prompted to set the content by opening a temporary file a terminal editor (terminal-editor
in your ~/.vault/config.yaml file) as you run the command. Once you close the terminal editor, the command will create the vault item.
Storing Extra Data
If you want to store extra data along with the vault item, you can pass any arbitrary key/value options to the command:
vault item:new SOME_NAME --content="some secret content" \ --password="<your-encryption-password>" \ --something-else="example" --extra-data="foo"
Note: There are options reserved for the command itself and cannot be used for extra data, you can see those listed with the --help
menu.
This will store a json file with your content encrypted, but when decrypted the structure for this example would be:
{ "name": "SOME_NAME", "content": "some secret content", "something-else": "example", "extra-data": "foo" }
Load Content For JSON Keys From Files:
If you want to load the value for a specific key in the JSON data, use the --key-data-file
option in the format <key>:<path>
.
For example, to load the content for the extra-data
key, the command would be:
vault item:new \ some_name \ --content="some secret content" \ --password="<your-encryption-password>" \ --key-data-file="extra-data:/path/to/file/with/content"
This will store a json file with your content encrypted, but when decrypted the structure for this example would be:
{ "name": "SOME_NAME", "content": "some secret content", "something-else": "example", "extra-data": "Whatever content was in the file" }
Categorizing Vault Items With Namespaces
Vault items are grouped/categorized in the default
namespace. Namespaces are simply directories/folders or filters that vault items will go into. Namespaces are a good way to categorize and filter items based on their use cases. To specify a custom namespace for an item, use the --namespace
flag:
vault item:get some-item --namespace=other
Use ENV Variables For Passwords
If you do not want to pass the --password
option to the command, you can set the VAULT_CLI_PASSWORD
environment variable with your encryption password. The cli will use this as the default password for all commands. When working with multiple vaults, you can set the VAULT_CLI_<vault-name>_PASSWORD
environment variable to set the password for a specific vault. If not set, the cli will fallback to the global VAULT_CLI_PASSWORD
environment variable.
Retrieve Items From Vault
To output the content of an item, use the item:get
command:
vault item:get some_item_name
This will output the decrypted content out.
Remove Items From Vault
Items maybe removed from the selected vault with the item:remove
command:
vault item:remove --name="some_item_name"
Note The --name
option maybe passed multiple times to remove several items in a single command call.
Retrieve Full JSON
By default, only the content
field is printed to the terminal. To print the entire vault item JSON, run the command with the --json
flag:
vault item:get some_item_name --json
Reencrypting Vault Items
To reencrypt all items in the vault with a new password, use the reencrypt
command:
vault reencrypt --old-password=<old-password> --password=<new-password>
Rencrypting With New Encryption Options
If you are updating encryption options, such as switching hashing algorithms or changing iterations, you can overwrite configuration options with the following command line options:
vault reencrypt # old options to decrypt the items first --decrypt-algorithm=sha256 \ --decrypt-iterations=100000 \ --old-password=<old-password> # new options to encrypt the items with --algorithm=sha512 \ --iterations=210000 \ --cipher=aes-256-cbc \ --password=<your-new-master-password>
Note - This command will automatically save your new options to the ~/.vault/config.yaml
file.
Copy to item content clipboard
To copy a vault item's content
json key to the clipboard, use the --copy
flag:
vault item:get some_item_name --copy
To copy a specific key from the json, simply pass the json key to the --json-key
option along with the --copy
flag:
vault item:get some_name --copy --json-key=some-key
To copy the full json payload, set the --json-key
option to *
to specify all keys in the json payload to be copied to the clipboard. For example:
vault item:get some_item_name --copy --json-key="*"
Note: The default binary program used for this is copy.exe
on windows/WSL2 and xclip
on linux. Both of these are assumed to be installed. If you want to use a custom command to copy the vault item to clipboard set the VAULT_CLI_COPY_COMMAND
environment variable with the :value:
placeholder. e.g someprogram :value:
.
Copying to Clipboard in Docker
The above method only works if you are running the cli on your host machine. If you are running the cli in a container, you will need to use a different method to copy to the clipboard manually since the clipboard is not shared between your host and the docker container. You can store the output of the vault item:get
command to a variable and then pipe it to the clipboard program. For example:
output=$(vault-cli item:get example --password=example); echo $output | clip.exe output=$(vault-cli item:get example --password=example); echo $output | xclip -sel clip output=$(vault-cli item:get example --json-key="some-key" --password=example); echo $output | clip.exe output=$(vault-cli item:get example --json-key="*" --password=example); echo $output | xclip -sel clip
Exporting Vault Item Content to Env Files
To export the content
field of vault items to an env file, use the export:env-file
command. For example:
vault export:env-file --export="some-item-name" --export="some-other-item-name"
This will export the vault item values to a .env
file in the current directory
In the above example, your .env
file would have the following variables written:
SOME_ITEM_NAME="The content"
SOME_OTHER_ITEM_NAME="The other content"
Note This will append to an existing .env
file or create one if it doesn't exist, and overwrite any variables that previously exist. By default, this will add/create to .env in the current directory. To specify a custom name/path, use the --env-file
option.
Aliasing/Custom Env Names
If the names of the vault items are not the ones desired for the .env file, you can use aliases by using the <vault-item-name>:<env-var-name>
format when passing the --export
options. For example:
vault export:env-file --export="some-item-name:SOME_CUSTOM_NAME" --export="some-other-item-name:SOME_OTHER_CUSTOM_NAME"
will generate the .env file with the custom env names instead of names of the vault items:
SOME_CUSTOM_NAME="The content"
SOME_OTHER_CUSTOM_NAME="The other content"
Including Other/Non-Vault Env Variables In Export.
If you want to include some other env variables in your env file that are not your vault items in the exported .env
file, you can use the --include
option:
vault export:env-file --export="some-item-name" --include="SOME_ENV_VARIABLE_NAME:THE_VALUE
In this example, SOME_ENV_VARIABLE_NAME="THE_VALUE"
will be included in your exported .env file.
Run With Docker:
If you don't have or want to install php, you can run use the provided docker script to spin up a container which you can utilize the cli with.
Install Docker Script:
cd /tmp
wget https://raw.githubusercontent.com/surgiie/vault-cli/master/docker
chmod +x ./docker
mv ./docker /usr/local/bin/vault
vault --help
Note - Your ~/.vault
directory will be copied to the container. Your current env variables will also be passed to the container. The ~/.vault
directory will also be copied back to your host machine after you execute a command. This is so any changes made to the ~/.vault
directory in the container are persisted on your host machine and things are kept in sync.