envgineer
v0.1.1
Pragmatic secrets management via encrypted .env files
envgineer: Pragmatic secrets management via encrypted .env files
With envgineer you can manage secrets in a repository without external tools such as Vault or AWS Secrets Manager. Encrypted .env files can be safely tracked by a version control system; the only secret to be remembered or added to the CI is the encryption password. Encryption is performed using Node's built-in crypto module with AES-256.
Usage
Create an .env file:

    $ cat <<EOF > .env
    USER=root
    PASS=letmein
    EOF

The command envgineer e env.crypt encrypts all values in the env-file to env.crypt. The encrypted file can then be added to the repository without revealing secrets. Only values are encrypted; keys are preserved in clear text for easy validation of a file's contents:

    $ envgineer e env.crypt
    Password: *********
    $ cat env.crypt
    USER=db7NiFLSC/wsKNrfCNiFZtLKxR6Oj5xyAs2R74uitf1RvrJMbGVNZt5GYPA=
    PASS=R+DhEUDbhelChAUPzq9sN+niEj2MGu84clXcAwhVbnCBTmeGn78yn4OvdgCt/jU=

The command envgineer d env.crypt decrypts the encrypted env-file and writes its contents to .env, which can then be consumed by e.g. dotenv or docker-compose. When used in scripts, the password can be piped into envgineer:

    $ rm .env
    $ echo secret123 | envgineer d env.crypt
    $ cat .env
    USER=root
    PASS=letmein

To update the encrypted file, just edit .env and encrypt it again. In order to have a meaningful output of git diff, envgineer will decrypt every value in the encrypted file and compare it with the unencrypted value. The encrypted representation of unchanged values will be preserved:

    $ sed -i '' 's/letmein/a_better_password/g' .env
    $ cat .env
    USER=root
    PASS=a_better_password
    $ echo secret123 | envgineer e env.crypt
    $ cat env.crypt
    USER=db7NiFLSC/wsKNrfCNiFZtLKxR6Oj5xyAs2R74uitf1RvrJMbGVNZt5GYPA=
    PASS=Ljs9AaaG0UeUPJOyFJBXE/CgdK4lhxtWQlkshL4UVeOWcQxRiwexOTC/fKQU/n+VIgLJzWboUx0D
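
The decrypt-and-compare rule described above, sketched in Node.js as an added example (this is not envgineer's source code). The page only states AES-256 via Node's crypto module; the GCM mode, scrypt key derivation, token layout and all function names here are assumptions, so these tokens are not compatible with envgineer's output.

```javascript
// Added illustration, not envgineer's implementation. Assumed token layout:
// base64( salt[16] | iv[12] | authTag[16] | ciphertext ), key = scrypt(password, salt).
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

function encryptValue(plain, password) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', scryptSync(password, salt, 32), iv);
  const body = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptValue(token, password) {
  const raw = Buffer.from(token, 'base64');
  const key = scryptSync(password, raw.subarray(0, 16), 32);
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28));
  decipher.setAuthTag(raw.subarray(28, 44));
  // final() throws if the password is wrong or the token was modified.
  return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
}

// Parse KEY=VALUE lines, splitting on the first '=' only,
// because base64 values can end in '=' padding.
function parseEnv(text) {
  const entries = new Map();
  for (const line of text.split('\n')) {
    const i = line.indexOf('=');
    if (i > 0) entries.set(line.slice(0, i), line.slice(i + 1));
  }
  return entries;
}

// Encrypt envText, reusing the token from oldCrypt for every key whose old
// token decrypts to the same plaintext. Fresh salt and IV make a re-encrypted
// token differ every time, so without this reuse each run would rewrite every
// line. A failed decryption is not caught: the run aborts rather than
// producing a file whose values are encrypted under different passwords.
function reencrypt(envText, oldCrypt, password) {
  const old = parseEnv(oldCrypt);
  const out = [];
  for (const [key, value] of parseEnv(envText)) {
    const token = old.get(key);
    const unchanged = token !== undefined && decryptValue(token, password) === value;
    out.push(`${key}=${unchanged ? token : encryptValue(value, password)}`);
  }
  return out.join('\n') + '\n';
}
```
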