
kunalpanchal / secure-env


Env encryption tool that will help you prevent attacks from npm-malicious-packages.

Home Page: https://www.npmjs.com/package/secure-env

License: MIT License

JavaScript 100.00%
environment-variables node-env npm-package

secure-env's Introduction


secure-env

Secure-env is a module that loads environment variables from a .env.enc file. It is an encryption tool that helps you prevent attacks from malicious npm packages.

Usage

Create a .env file in the root directory of your project. Add environment-specific variables on new lines in the form of NAME=VALUE. For example:

DB_HOST=localhost:27017
DB_USER=scott
DB_PASS=tiger

Encrypt .env

$ npm install -g secure-env
$ secure-env .env -s mySecretPassword

Alternatively if you want this installed locally run the command as follows:

$ ./node_modules/secure-env/dist/es5/lib/cli.js .env -s mySecretPassword

If you are running npm > v5.2, you can use npx:

$ npx secure-env .env -s mySecretPassword

A new encrypted file, .env.enc, will be created in your project root directory. You can delete the .env file after this to prevent it from being stolen.

Decrypt .env.enc

As early as possible in your application, require and configure secure-env.

let secureEnv = require('secure-env');
global.env = secureEnv({secret:'mySecretPassword'});

That's it.

global.env now has the keys and values you defined in your .env file.

var db = require('db')
db.connect({
  host: global.env.DB_HOST,
  username: global.env.DB_USER,
  password: global.env.DB_PASS
})

Options

Encryption

$ secure-env --option <VALUE> <file-path-which-is-to-be-encrypted>
| Option | What does it do | Defaults |
|---|---|---|
| --secret | Specify the secret key which will later be used to decrypt the file. | mySecret |
| --out | The encrypted file path that will be created. | env.enc |
| --algo | The encryption algorithm to be used to encrypt the env file. | aes256 |
| --decrypt | Prints the decrypted text to stdout. | |

Decryption

Path

Default: .env

You can specify a custom path if your file containing environment variables is named or located differently.

require('secure-env')({path:'/custom/path/to/your/env/vars'});

Decryption Algorithm

Default: aes256

You may specify the encryption algorithm for your file containing environment variables using this option.

require('secure-env')({enc_algo:'aes256'});

Secret

Default: mySecret

Specify the secret key which was used during encryption of the raw file. Having a salt-hashed secret key is recommended.

require('secure-env')({secret:'mySecretPassword'});
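
One way to act on the salt-hashed key recommendation above, shown as an added example that is not secure-env's own code or file format: a passphrase is stretched with scrypt and a per-file random salt, and the .env text is sealed with AES-256-GCM from Node's built-in crypto module. The function names, the `salt | iv | tag | ciphertext` layout and the `ENV_SECRET` variable name are assumptions of this sketch.

```javascript
const crypto = require('crypto');

// Blob layout (assumption of this example, not secure-env's format):
// 16-byte salt | 12-byte IV | 16-byte GCM tag | ciphertext
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Derive a 256-bit key from the passphrase and a per-file random salt.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

function sealEnv(plaintext, passphrase) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

function openEnv(blob, passphrase) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const body = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the passphrase is wrong or the blob was modified.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// True if the blob opens; false on a wrong passphrase or a tampered blob.
function canOpen(blob, passphrase) {
  try { openEnv(blob, passphrase); return true; } catch (e) { return false; }
}

// Constructed sample input in the same shape as the .env example above.
const sample = 'DB_HOST=localhost:27017\nDB_USER=scott\nDB_PASS=tiger\n';
// ENV_SECRET is a hypothetical variable name; the fallback exists only for this demo.
const passphrase = process.env.ENV_SECRET || 'constructed-demo-passphrase';
const sealed = sealEnv(sample, passphrase);
console.log('round trip ok:', openEnv(sealed, passphrase) === sample);
console.log('wrong passphrase opens:', canOpen(sealed, passphrase + 'x'));
```

Reading the passphrase from the process environment keeps it out of the source tree, which a literal passed to the `secret` option does not.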

Parse rules

Refer to https://github.com/motdotla/dotenv/blob/master/README.md#parse

The parsing engine currently supports the following rules:

  • BASIC=basic becomes {BASIC: 'basic'}
  • empty lines are skipped
  • lines beginning with # are treated as comments
  • empty values become empty strings (EMPTY= becomes {EMPTY: ''})
  • single and double quoted values are escaped (SINGLE_QUOTE='quoted' becomes {SINGLE_QUOTE: "quoted"})
  • new lines are expanded if in double quotes (MULTILINE="new\nline" becomes
{MULTILINE: 'new
line'})
  • inner quotes are maintained (think JSON) (JSON={"foo": "bar"} becomes {JSON:"{\"foo\": \"bar\"}"})
  • whitespace is removed from both ends of the value (see more on trim) (FOO=" some value " becomes {FOO: 'some value'})
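
The rules above written out as a small parser, as an added example; this is not dotenv's or secure-env's own parsing code, and `parseEnv` is a name chosen here. It stores results in a prototype-less object so that a key such as `__proto__` in an untrusted file is treated as ordinary data.

```javascript
// Parse .env-style text following the rules listed above.
function parseEnv(text) {
  const out = Object.create(null); // no prototype: "__proto__" is just a key
  for (const line of text.split(/\r?\n/)) {
    const trimmed = line.trim();
    // Empty lines are skipped; lines beginning with # are comments.
    if (trimmed === '' || trimmed.startsWith('#')) continue;
    const eq = trimmed.indexOf('=');
    if (eq <= 0) continue; // no '=' or no key: not an assignment
    const key = trimmed.slice(0, eq).trim();
    if (!/^[\w.-]+$/.test(key)) continue; // skip keys with unexpected characters
    let value = trimmed.slice(eq + 1).trim();
    const first = value[0];
    const last = value[value.length - 1];
    if (value.length >= 2 && first === last && (first === '"' || first === "'")) {
      // Strip the surrounding quotes, then trim what was inside them.
      value = value.slice(1, -1).trim();
      // Only double-quoted values get \n expanded to a real newline.
      if (first === '"') value = value.replace(/\\n/g, '\n');
    }
    out[key] = value; // unquoted values such as JSON keep their inner quotes
  }
  return out;
}

// Constructed sample input covering each rule in the list.
const sample = [
  '# constructed sample input',
  'BASIC=basic',
  '',
  'EMPTY=',
  "SINGLE_QUOTE='quoted'",
  String.raw`MULTILINE="new\nline"`,
  'JSON={"foo": "bar"}',
  'FOO=" some value "',
].join('\n');

console.log(parseEnv(sample));
```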

License

See LICENSE

Dependencies

Secure-env uses these open source projects to work properly:

  • Minimist - Argument parser without all the fanciful decoration.

Contributors

Acknowledgements

Secure-env is inspired by and also uses code references from these open source projects:

secure-env's People

Contributors

dependabot[bot], fryl0ch, kunalpanchal


secure-env's Issues

Problem in Decrypting

I have a problem decrypting the file that I create after encrypting it.

Could you please provide me with a full example of a directory + the commands to encrypt and decrypt some file, with both JS code and terminal commands?

important security bug

ea
Why, if I add console.log(global.env.token),
does the console show me my token not encrypted?
This is a big security problem.

Decrypt file is not specified by out option

Content

When I decrypt an encrypted file using command line

npx secure-env -d -o config/credentials/development.env.enc -s development_key

I encountered the following error.

Secure-env :  ERROR OCCURED .env.enc does not exist.

It seems that the following line causes this error.
https://github.com/kunalpanchal/secure-env/blob/master/lib/cryptography.js#L17

It is fixed by modifying the line as follows. Could you include this fix in the next release?

    var inputFile = options.file || options.outputFile || '.env.enc';

Issues with Minimist version

I ran a vulnerability scan and this was flagged. Is it possible to update the minimist version and re-upload to npm? Thanks!

wrong repo

This issue was meant to be for another repo.
Sorry :(

Getting corrupted .env file after decryption

I used this command to decrypt.
npx secure-env --decrypt .env.enc -s xsecretx > .env
The file was decrypted properly.
Then, without making any changes, I encrypted it again.
npx secure-env .env -s xsecretx
Now if I'm decrypting again I'm getting a corrupted file.
image
Can you help me solve this issue?

Is there a way to decrypt the env.enc back into a .env plaintext?

The use case is that developers and production servers each have copies of a private key. The env.enc is committed to the git repository, and assuming the developer knows the private key they can add or remove from the env.enc. Ideally a server such as Heroku or AWS would only need one env variable, which is the secret key, to get the rest of the env variables.

At the moment, however, it appears as though once someone locks and commits the env.enc, the other developers have no way of reading the env variables even if they know the secret key, because the file can only be unencrypted programmatically and not with a CLI.

Install it locally (by project)

Hi there,

Is there any way to install it locally in my project?
I have tried yarn add secure-env and then when I try to execute from the root folder of my project I get the message below.

$ secure-env .env -s mySecret
bash: secure-env: command not found

Env variable is displaying as Undefined.

Hi @kunalpanchal ,
I'm using your npm package with a React JS application. It is not working properly.
I followed the below steps,

  1. Installed it locally like :

    image

  2. In package.json it looks like:

    image

  3. Created .env file in the root directory and added below key values
    CLIENT_ID=1234
    API_KEY=4455

  4. My current npm version is :

    image

  5. It is greater than v5.2, so I ran the below command.
    npx secure-env .env -s SecretkeyHelloWorld

  6. After that, it created the env.enc file, and I deleted the .env file to prevent stealing.

  7. I have added below lines in index.js,
    let secureEnv = require('secure-env');
    global.env = secureEnv({secret:'SecretkeyHelloWorld'});

    image

  8. When I hover on packages it shows some warning message:

    image

  9. I start the application using below command
    npm start

  10. The env variables are displaying as undefined:

image

I also tried REACT_APP as prefix in .env file, still it's not working.
REACT_APP_CLIENT_ID=1234
REACT_APP_API_KEY=4455

Please let me know if I've missed out anything.

Having problems running it locally

I tried running the command to run it locally but got an Error Code: 800A03F6 Microsoft JScript compilation error. Invalid character. This is happening in the Windows command terminal and I gave it the full path to the file.

Unknown cipher

Hug,
I recently updated my package.json with Yarn and I have this issue on start
Secure-env : ERROR OCCURED Error: Unknown cipher
An idea?
