ixnode/php-vault 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

ixnode/php-vault

Composer 安装命令:

composer require ixnode/php-vault

包简介

Secure PHP Vault

README 文档

README

CI workflow PHP PHPStan LICENSE

PHPVault is a PHP library that can create, read, encrypt and decrypt environment files (so-called dotenv files). For example is .env a plain file, .env.enc an encrypted file, etc. Within your project you can automatically load these encrypted environment variables from .env.enc into getenv(), $_ENV and $_SERVER. The corresponding key-value pairs within these dotenv files are encrypted and decrypted using an asymmetric encryption method (Public-key cryptography). Private keys are only available on productive systems for decrypting dotenv values. The public key, on the other hand, can be safely checked into the repository and is used everywhere to encrypt new values.

The strict separation of configuration and code is a fundamental principle of software development and is based on the The Twelve-Factor App methodology. One way to do this is to store these data into separate configuration files such as the dotenv files mentioned above. These are mostly unencrypted, but usually contain very sensitive data such as database access and API keys. They must therefore never be checked into the code repository! Since these are usually files within the project, there is still a risk that this could happen by mistake.

The PHPVault approach preserves the principle of separation and goes one step further: It encrypts plain dotenv files and allows them to be checked into the code repository. To decrypt and use the data on a productive system, simply exchange the private key. This approach is great for providing secure and automated deployment processes (CI/CD, etc.).

To start simply run:

$ composer require ixnode/php-vault

This requires Composer, a dependency manager for PHP.

Command line command vendor/bin/php-vault

The basis of all operations is the command line tool vendor/bin/php-vault. Help can be displayed at any time:

$ vendor/bin/php-vault --help
PHPVault command line interpreter.
PHPVault, version v1.0.7

Commands:
  decrypt-file  df    Decrypts a given file. Requires a private key.
  display       d     Displays the environment variables from given file.
  display-env   de    Displays the environment variables from server.
  encrypt-file  ef    Encrypts a given file. Requires a public key.
  generate-keys gk    Generates and displays a private and public key.
  info          i     Shows information.
  set           s     Sets or updates a new variable. Needs a public key.

Run `<command> --help` for specific help
$ vendor/bin/php-vault --version
v1.0.7

On development system

Usually, you need the public key in this environment. Examples can be found below. There are several ways to pass the public key to the php-vault interpreter. In the following, the key is loaded from the .keys directory (--public-key).

Generate keys

$ vendor/bin/php-vault generate-keys --persist

The key pair is written to folder ".keys"

Never add the private key to the repository!
  • Attention!:
    • Keep the private key safe for the productive systems (.keys/private.key).
      • Delete the private key file .keys/private.key if you have saved it and submitted it to the admin for the productive system.
    • Use the public key on development and local systems (.keys/public.key).

Create environment file

  • Add key-value pair DB_USER=secret.user with description "DB Configs"
  • Add key-value pair DB_PASS=secret.pass
  • Add key-value pair DB_HOST=secret.host
  • Add key-value pair DB_NAME=secret.name
  • Use public key (--public-key → read from .keys/public.key).
# Create file .env.enc
$ vendor/bin/php-vault set .env.enc DB_USER secret.user "DB Configs" --public-key --create
# Adds values to .env.enc
$ vendor/bin/php-vault set .env.enc DB_PASS secret.pass --public-key
$ vendor/bin/php-vault set .env.enc DB_HOST secret.host --public-key
$ vendor/bin/php-vault set .env.enc DB_NAME secret.name --public-key

Display the environment file

  • The contents displayed are encrypted.
  • Do not need any key.
$ vendor/bin/php-vault display .env.enc --load-encrypted
...

On production system

Usually, you need the private key in this environment. Examples can be found below. There are several ways to pass the private key to the php-vault interpreter. In the following, the key is loaded from the .keys directory (--private-key).

Display an encrypted file

  • Use private key (--private-key → read from .keys/private.key).
$ vendor/bin/php-vault display .env.enc --load-encrypted --display-decrypted --private-key
+---------+-------------+-------------+
| Key     | Value       | Description |
+---------+-------------+-------------+
| DB_USER | secret.user | DB Configs  |
| DB_PASS | secret.pass |             |
| DB_HOST | secret.host |             |
| DB_NAME | secret.name |             |
+---------+-------------+-------------+

Decrypt an encrypted file

  • Never add the produced decrypted file .env to the repository!
  • Use private key (--private-key → load from .keys/private.key).
$ vendor/bin/php-vault decrypt-file .env.enc --private-key

The file was successfully written to ".env".

Display the decrypted file without encryption

  • Do not need any key.
$ vendor/bin/php-vault display .env --display-decrypted
+---------+-------------+-------------+
| Key     | Value       | Description |
+---------+-------------+-------------+
| DB_USER | secret.user | DB Configs  |
| DB_PASS | secret.pass |             |
| DB_HOST | secret.host |             |
| DB_NAME | secret.name |             |
+---------+-------------+-------------+

Using the PHPVault class

Load the private key from a given file

<?php

require 'vendor/autoload.php';

use Ixnode\PhpVault\PHPVault;

/* Path to private key and .env.enc */
$pathToPrivateKey = __DIR__.'/.keys/private.key';
$pathToEncryptedEnv = __DIR__.'/.env.enc';

/* - Initiate PHPVault Core.
 * - Load private key.
 * - Load the encrypted env file.
 */
$phpVault = new PHPVault();
$phpVault->loadPrivateKeyFromFile($pathToPrivateKey);
$phpVault->importEncryptedEnvFile($pathToEncryptedEnv);

/* Usage */
$dbUser = getenv('PHPVAULT_DB_USER');
$dbPass = getenv('PHPVAULT_DB_PASS');
$dbHost = getenv('PHPVAULT_DB_HOST');
$dbName = getenv('PHPVAULT_DB_NAME');

Load the private key from the server environment variable PRIVATE_KEY

For options to set the environment variable, see here.

<?php

require 'vendor/autoload.php';

use Ixnode\PhpVault\PHPVault;

/* Path to private key and .env.enc */
$pathToEncryptedEnv = __DIR__.'/.env.enc';

/* - Initiate PHPVault Core and use the PRIVATE_KEY environment variable.
 * - Load the encrypted env file.
 */
$phpVault = new PHPVault();
$phpVault->importEncryptedEnvFile($pathToEncryptedEnv);

/* Usage */
$dbUser = getenv('PHPVAULT_DB_USER');
$dbPass = getenv('PHPVAULT_DB_PASS');
$dbHost = getenv('PHPVAULT_DB_HOST');
$dbName = getenv('PHPVAULT_DB_NAME');

Run tests

The part is only available if the project is checked out directly for development:

$ git clone https://github.com/ixnode/php-vault.git && cd php-vault
$ composer install

PHPUnit tests

$ composer run tests
> phpunit tests
PHPUnit 9.5.4 by Sebastian Bergmann and contributors.

...............................................................  63 / 154 ( 40%)
............................................................... 126 / 154 ( 81%)
............................                                    154 / 154 (100%)

Time: 00:00.136, Memory: 8.00 MB

OK (154 tests, 274 assertions)

Static code analysis (PHPStan)

$ composer run analyse
> phpstan analyse src --level max --no-progress

 [OK] No errors

> phpstan analyse tests --level max --no-progress

 [OK] No errors

Continuous integration

Runs @analyse and @tests:

$ composer run ci

Security

If you discover a security vulnerability within this package, please send an email to Björn Hempel at bjoern@hempel.li. All security vulnerabilities will be promptly addressed. You may view our full security policy here.

License

PHPVault is licensed under MIT.

ixnode/php-vault 适用场景与选型建议

ixnode/php-vault 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 99 次下载、GitHub Stars 达 4, 最近一次更新时间为 2021 年 04 月 18 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「cryptography」 「encryption」 「deployment」 「environment」 「decryption」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 ixnode/php-vault 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 ixnode/php-vault 我们能提供哪些服务?
定制开发 / 二次开发

基于 ixnode/php-vault 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 99
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 4
  • 点击次数: 17
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 4
  • Watchers: 1
  • Forks: 2
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2021-04-18