Documentation
Index
- func Decrypt(input string, password string) (string, error)
- func Deobfuscate(input string) (string, error)
- func DeriveKey(envencPublicKey string, envencPrivateKey string) (string, error)
- func Encrypt(input string, password string) (string, error)
- func HydrateEnvFromFile(vaultFilePath, vaultPassword string) error
- func HydrateEnvFromString(vaultContent, vaultPassword string) error
- func Init(vaultFilePath string, vaultPassword string) error
- func KeyExists(vaultFilePath string, vaultPassword string, key string) (bool, error)
- func KeyGet(vaultFilePath string, vaultPassword string, keyName string) (string, error)
- func KeyListFromFile(vaultFilePath string, vaultPassword string) (map[string]string, error)
- func KeyListFromString(vaultString string, vaultPassword string) (map[string]string, error)
- func KeyRemove(vaultFilePath string, vaultPassword string, keyName string) error
- func KeySet(vaultFilePath string, vaultPassword string, keyName string, keyValue string) error
- func Obfuscate(input string) (string, error)
- type Cli
- func (c *Cli) AskKeyName() (string, errorMessage string)
- func (c *Cli) AskKeyValue() (string, errorMessage string)
- func (c *Cli) AskVaultPassword() (string, errorMessage string)
- func (c *Cli) AskVaultPasswordWithConfirm() (string, errorMessage string)
- func (c *Cli) AskVaultPath() (string, errorMessage string)
- func (c *Cli) Decrypt(args []string)
- func (c *Cli) Deobfuscate(args []string)
- func (c *Cli) Encrypt(args []string)
- func (c *Cli) FindVaultPathFromArgs(args []string) (filePath string, errorMessage string)
- func (c *Cli) Help(_ []string)
- func (c *Cli) Obfuscate(args []string)
- func (c *Cli) Run(args []string)
- func (c *Cli) UI(args []string)
- func (c *Cli) VaultInit(args []string)
- func (c *Cli) VaultKeyGet(args []string)
- func (c *Cli) VaultKeyList(args []string)
- func (c *Cli) VaultKeyRemove(args []string)
- func (c *Cli) VaultKeySet(args []string)
Constants
This section is empty.
Variables
This section is empty.
Functions
func Deobfuscate
Deobfuscate deobfuscates an ASCII string (not compatible with Unicode).
Parameters:
- input: string to deobfuscate
Returns:
- string: deobfuscated string
- error: error if any
func DeriveKey (added in v1.2.0)
DeriveKey derives the final envenc encryption key from a public and private key pair.
This is an optional helper intended for end users; it is not required for the internal functioning of this package.
It generates the final encryption key used to secure an envenc vault file: it combines a private key with a public key, hashes the combination, and returns the resulting hash as the encryption key.
Business logic:
1. Public key retrieval and deobfuscation:
   - The function receives the public key.
   - It deobfuscates the public key using envenc.Deobfuscate. This step adds a layer of protection against reverse engineering.
2. Temporary key generation:
   - The function concatenates the public key with the private key.
   - Key concatenation order: the order (public key + private key) is vital and MUST be consistent across all key generation and validation processes.
3. Secure hashing:
   - The function calculates the SHA256 hash of the temporary key.
   - SHA256 is a one-way hash function, so the original keys cannot be recovered from the generated hash.
4. Final key formatting:
   - The resulting hash (a byte array) is converted into a hexadecimal string.
5. Key return:
   - The function returns the hexadecimal string, which is the final encryption key.
Parameters:
- envencPublicKey (string): The public key used in the key derivation. This key is expected to be obfuscated.
- envencPrivateKey (string): The private key used in the key derivation. This key MUST be kept strictly confidential and handled with extreme care.
Returns:
- string: The final envenc encryption key as a hexadecimal string.
- error: An error if the public key deobfuscation fails.
Security considerations:
- Private key protection: The `envencPrivateKey` is the most sensitive piece of information. It should never be stored in plain text or committed to version control; use secure environment variables or a configuration management system.
- Public key obfuscation: The public key is stored obfuscated so that it cannot be trivially extracted from compiled applications. While not as sensitive as the private key, obfuscation adds an extra layer of protection.
- One-way hashing: The use of SHA256 makes the key derivation one-way; it is computationally infeasible to derive the original private and public keys from the generated hash.
- Key generation dynamics: The final encryption key is generated dynamically each time it is needed and should not be stored persistently.
- CSPRNG: Ensure the private and public keys are generated using a cryptographically secure pseudorandom number generator (CSPRNG).
- Zeroize tempKey: The tempKey variable should be overwritten as soon as the hash has been generated.
Example:
    publicKey := "your_public_key"
    privateKey := "your_private_key"
    finalKey, err := DeriveKey(publicKey, privateKey)
    if err != nil {
        // Handle error
    }
    // Use finalKey for encryption
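The derivation described above carried through as an added Go example (not the envenc package's own code): public + private concatenation, SHA256, hex encoding, with tempKey zeroized after hashing. Because this page does not describe the obfuscation format, the deobfuscation step is injected as a function, and the assumed `asciiIdentity` placeholder stands in for envenc.Deobfuscate by enforcing only the documented ASCII-only constraint.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKey follows the DeriveKey steps above: deobfuscate the public key,
// concatenate public + private (order matters), SHA256 the temporary key and
// return the digest as hex. deobfuscate is injected (format not documented here).
func deriveKey(obfuscatedPub, priv string, deobfuscate func(string) (string, error)) (string, error) {
	pub, err := deobfuscate(obfuscatedPub)
	if err != nil {
		return "", fmt.Errorf("deobfuscate public key: %w", err)
	}
	// tempKey is a byte slice (not an immutable string) so it can be zeroized.
	tempKey := make([]byte, 0, len(pub)+len(priv))
	tempKey = append(tempKey, pub...)
	tempKey = append(tempKey, priv...)
	sum := sha256.Sum256(tempKey)
	for i := range tempKey { // overwrite the concatenated secret material
		tempKey[i] = 0
	}
	return hex.EncodeToString(sum[:]), nil
}

// asciiIdentity is an assumed placeholder for envenc.Deobfuscate: it enforces
// the documented ASCII-only constraint and otherwise returns the input as-is.
func asciiIdentity(s string) (string, error) {
	if s == "" {
		return "", errors.New("empty public key")
	}
	for i := 0; i < len(s); i++ {
		if s[i] > 0x7f {
			return "", errors.New("public key must be ASCII")
		}
	}
	return s, nil
}

func main() {
	key, err := deriveKey("your_public_key", "your_private_key", asciiIdentity)
	if err != nil {
		panic(err)
	}
	fmt.Println("derived key:", key)
}
```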
func HydrateEnvFromFile (added in v1.0.0)
HydrateEnvFromFile decrypts the keys in the encrypted vault file at vaultFilePath using vaultPassword and writes them into the current process environment via os.Setenv. Existing variables are overwritten.
Parameters:
- vaultFilePath: Path to the encrypted vault file
- vaultPassword: Password to decrypt the vault file
Returns:
- error: If any step fails
func HydrateEnvFromString (added in v1.0.0)
HydrateEnvFromString decrypts the keys in the provided encrypted vault content using vaultPassword and writes them into the current process environment via os.Setenv. Existing variables are overwritten.
Parameters:
- vaultContent: Encrypted vault content as a string
- vaultPassword: Password to decrypt the vault content
Returns:
- error: If any step fails
func KeyExists
KeyExists checks if a key exists in the vault
Business logic:
- Open the vault file
- Check if the key exists in the vault
Parameters:
- vaultFilePath: The path to the vault file
- vaultPassword: The password to use for the vault
- key: The name of the key to check
Returns:
- bool: True if the key exists, false otherwise
- error: An error if the key could not be retrieved
func KeyGet
KeyGet gets a key from the vault
Business logic:
- Open the vault file
- Get the key from the vault
- Save the vault file
Parameters:
- vaultFilePath: The path to the vault file
- vaultPassword: The password to use for the vault
- keyName: The name of the key to get
Returns:
- string: The value of the key
- error: An error if the key could not be retrieved
func KeyListFromFile
KeyListFromFile lists all keys in the vault
Business logic:
- Open the vault file
- Get the keys from the vault
Parameters:
- vaultFilePath: The path to the vault file
- vaultPassword: The password to use for the vault
Returns:
- map[string]string: A map of keys and their values
- error: An error if the keys could not be retrieved
func KeyListFromString
KeyListFromString lists all keys in the vault
Business logic:
- Open the vault from string
- Get the keys from the vault
Parameters:
- vaultString: The string representation of the vault
- vaultPassword: The password to use for the vault
Returns:
- map[string]string: A map of keys and their values
- error: An error if the keys could not be retrieved
func KeyRemove
KeyRemove removes a key from the vault
Business logic:
- Open the vault file
- Remove the key from the vault
- Save the vault file
Parameters:
- vaultFilePath: The path to the vault file
- vaultPassword: The password to use for the vault
- keyName: The name of the key to remove
Returns:
- error: An error if the key could not be removed
func KeySet
KeySet sets a key in the vault
Business logic:
- Open the vault file
- Set the key in the vault (if it doesn't exist, create it, otherwise update it)
- Save the vault file
Parameters:
- vaultFilePath: The path to the vault file
- vaultPassword: The password to use for the vault
- keyName: The name of the key to set
- keyValue: The value of the key to set
Returns:
- error: An error if the key could not be set
Types
type Cli
type Cli struct {
// contains filtered or unexported fields
}
func (*Cli) AskKeyName
AskKeyName asks the user to enter the name of the key
Business logic:
- Ask the user to enter the name of the key
- If the user enters an empty name, return an error
- If the name contains spaces, return an error
- Otherwise return the name
func (*Cli) AskKeyValue
AskKeyValue asks the user to enter the value of the key
Business logic:
- Ask the user to enter the value of the key (allowing multiline)
- If the user enters an empty value, do not return an error, it is ok
- Otherwise return the value
func (*Cli) AskVaultPassword
AskVaultPassword asks the user to enter a password
Business logic:
- Ask the user to enter a password
- If the user enters an empty password, return an error
- Otherwise return the password
func (*Cli) AskVaultPasswordWithConfirm
AskVaultPasswordWithConfirm asks the user to enter a password and confirm it
Business logic:
- Ask the user to enter a password
- If the user enters an empty password, return an error
- Confirm the password to avoid any spelling mistakes
- If the password and confirmation do not match, return an error
- Otherwise return the password
func (*Cli) AskVaultPath
AskVaultPath asks the user to enter the path to the vault file
Business logic:
- Ask the user to enter the path to the vault file
- If the user enters an empty path, return an error
- To confirm it's a .vault file, we check the extension
- If the extension is not .vault, return an error
- Otherwise return the file path
func (*Cli) Deobfuscate
func (*Cli) FindVaultPathFromArgs
FindVaultPathFromArgs finds the file path from the arguments, if provided
Business logic:
- If the arguments are empty, return an empty file path
- We expect the first argument to be the file path
- To confirm it's a .vault file, we check the extension
- If the extension is not .vault, return an error
- Otherwise return the file path
Parameters:
- args: The command line arguments (excluding the executable, and the command names)
Returns:
- filePath: The file path
- errorMessage: The error message
func (*Cli) Run
Run executes the command
It expects a command with the second argument being the command
Business logic:
- Parse command line arguments
- First argument is the name of the executable, ignore it
- Second argument is the command
- If there is no command, help is shown as default
- If the command is unknown, help is shown as default
- Otherwise execute the command
Parameters:
- args: The command line arguments
Returns:
- None
func (*Cli) UI
UI is the web user interface
Example:
$> envenc ui
$> envenc ui 123.vault
$> envenc ui 123.vault --address 127.0.0.1:38080
func (*Cli) VaultInit
VaultInit initializes a new vault file
Business logic:
- If the vault file is provided as an argument, use it
- If the vault file is not provided, ask for it
- Check that the vault file does not exist already
- Ask for the password to use for the vault
- Confirm the password to avoid any spelling mistakes
- Create the vault file
Examples:
$> envenc init
$> envenc init 123.vault
func (*Cli) VaultKeyGet
VaultKeyGet gets a key from the vault
Business logic:
- If the vault file is provided as an argument, use it
- If the vault file is not provided, ask for it
- Check that the vault file exists
- Ask for the password to use for the vault
- Open the vault file, to confirm the password is correct
- Ask for the key's name to get
- Get the key from the vault
Examples:
$> envenc key-get
$> envenc key-get 123.vault
func (*Cli) VaultKeyList
VaultKeyList lists the keys in the vault
Business logic:
- If the vault file is provided as an argument, use it
- If the vault file is not provided, ask for it
- Check that the vault file exists
- Ask for the password to use for the vault
- Open the vault file, to confirm the password is correct
- List the keys in the vault
Example:
$> envenc vault-key-list
$> envenc vault-key-list 123.vault
func (*Cli) VaultKeyRemove
VaultKeyRemove removes a key from the vault
Business logic:
- If the vault file is provided as an argument, use it
- If the vault file is not provided, ask for it
- Check that the vault file exists
- Ask for the password to use for the vault
- Open the vault file, to confirm the password is correct
- Ask for the key's name to remove
- Remove the key from the vault
Examples:
$> envenc key-remove
$> envenc key-remove 123.vault
func (*Cli) VaultKeySet
VaultKeySet sets a key in the vault
Business logic:
- If the vault file is provided as an argument, use it
- If the vault file is not provided, ask for it
- Check that the vault file exists
- Ask for the password to use for the vault
- Open the vault file, to confirm the password is correct
- Ask for the key's name to set
- Ask for the key's value to set (must support multiline)
- Set the key in the vault
- Close the vault file
- Ask the user if they want to add another key
- If the user wants to add another key, repeat the process
Examples:
$> envenc key-set
$> envenc key-set 123.vault