Plaintext .env files have been a major attack vector,
but they've also been undeniably useful.
"Dotenvx: Reducing Secrets Risk with Cryptographic Separation
Abstract. An ideal secrets solution would not only centralize secrets but also contain the fallout of a breach. While secrets managers offer centralized storage and distribution, their design creates a large blast radius, risking exposure of thousands or even millions of secrets. We propose a solution that reduces the blast radius by splitting secrets management into two distinct components: an encrypted secrets file and a separate decryption key.
..."
This library decrypts dotenvx-encrypted .env files inside the application,
using cryptographic separation to limit their attack surface while
retaining their benefits.
Because decryption happens in-process, it also fits small projects and virtual
servers where it is not possible to run an external startup script (for example
a wrapper that decrypts the file before launching the application).
Important
The separation only reduces the blast radius if the decryption key (the private key) and the encrypted .env file live in different places. The encrypted file can be committed and deployed with the application, but the private key must reach the runtime through a separate channel (for example an environment variable injected at deploy time, or a secrets store), and each of those environments must be secured in its own right. If the private key is stored next to the encrypted file, or committed alongside it, an attacker who reads one reads both and the encryption adds nothing.
This library also provides an adapter that dumps the decrypted .env values into
a flat array or a multi-level array.
See the documentation.
Under the hood, this is implemented with the same public-key cryptography as Bitcoin: secp256k1 elliptic-curve key pairs, with values encrypted to the public key (ECIES). Anyone holding the public key, which sits in the .env file itself as DOTENV_PUBLIC_KEY and is not secret, can add or replace an encrypted value; only the holder of the private key can read them.
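To make the two-component design concrete (the key separation required in the note above and the secp256k1 cryptography just described), here is an added example in Python; it is not code from rodas/dotenvx or from dotenvx itself. It keeps secp256k1 keys and the `DOTENV_PUBLIC_KEY` / `encrypted:` layout of a dotenvx file, but replaces the authenticated cipher used inside dotenvx's ECIES with an HMAC-SHA256 keystream plus HMAC tag so that it runs on the Python standard library alone; the tokens it produces are therefore not wire-compatible with real dotenvx files. The HKDF label `dotenvx-example`, the function names `encrypt_env`/`decrypt_env`, and the refusal to decrypt when `DOTENV_PRIVATE_KEY` appears inside the file are this example's own choices, not behaviour of the library.

```python
# Toy model of dotenvx-style cryptographic separation: an added example, not code
# from rodas/dotenvx or dotenvx itself. Keys are secp256k1 as in dotenvx/Bitcoin,
# but the symmetric layer is an HMAC-SHA256 keystream + HMAC tag (Python's stdlib
# has no AES-GCM), so these tokens are NOT compatible with real dotenvx files.
import base64, hashlib, hmac, secrets

P = 2**256 - 2**32 - 977                              # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")
def _decompress(raw):
    x = int.from_bytes(raw[1:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)         # sqrt, valid because P % 4 == 3
    return (x, y if (y & 1) == (raw[0] & 1) else P - y)

def generate_keypair():
    """Returns (private_key_hex, compressed_public_key_hex)."""
    d = secrets.randbelow(N - 1) + 1
    return d.to_bytes(32, "big").hex(), _compress(_mul(d, G)).hex()

def _derive(shared):
    """HKDF-SHA256 over the shared point -> (32-byte enc key, 32-byte mac key)."""
    prk = hmac.new(b"\x00" * 32, _compress(shared), hashlib.sha256).digest()
    okm, t = b"", b""
    for i in (1, 2):                                  # HKDF-Expand; the info label is this example's
        t = hmac.new(prk, t + b"dotenvx-example" + bytes([i]), hashlib.sha256).digest()
        okm += t
    return okm[:32], okm[32:]

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def encrypt_value(public_key_hex, plaintext):
    """ECIES-style: anyone holding the public key can encrypt; it cannot decrypt."""
    msg = plaintext.encode()
    eph = secrets.randbelow(N - 1) + 1                # fresh ephemeral scalar per value
    r = _compress(_mul(eph, G))
    enc_key, mac_key = _derive(_mul(eph, _decompress(bytes.fromhex(public_key_hex))))
    nonce = secrets.token_bytes(16)
    ct = bytes(m ^ k for m, k in zip(msg, _keystream(enc_key, nonce, len(msg))))
    tag = hmac.new(mac_key, r + nonce + ct, hashlib.sha256).digest()
    return "encrypted:" + base64.b64encode(r + nonce + tag + ct).decode()

def decrypt_value(private_key_hex, token):
    """Only the private key d recovers the shared point, since d*R == eph*Pub."""
    if not token.startswith("encrypted:"):
        return token                                  # plaintext values pass through
    blob = base64.b64decode(token[len("encrypted:"):])
    r, nonce, tag, ct = blob[:33], blob[33:49], blob[49:81], blob[81:]
    enc_key, mac_key = _derive(_mul(int(private_key_hex, 16), _decompress(r)))
    if not hmac.compare_digest(tag, hmac.new(mac_key, r + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong private key or tampered value")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def encrypt_env(public_key_hex, values):
    """Render a dotenvx-style file: public key in the clear, every value encrypted."""
    lines = [f'DOTENV_PUBLIC_KEY="{public_key_hex}"']
    lines += [f'{k}="{encrypt_value(public_key_hex, v)}"' for k, v in values.items()]
    return "\n".join(lines) + "\n"

def decrypt_env(env_text, environ):
    """Decrypt a dotenvx-style file; the private key comes from `environ`, never the file."""
    pairs = {}
    for line in env_text.splitlines():
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            pairs[k.strip()] = v.strip().strip('"')
    if "DOTENV_PRIVATE_KEY" in pairs:                 # separation violated: refuse outright
        raise ValueError("refusing: private key stored next to the encrypted values")
    if "DOTENV_PRIVATE_KEY" not in environ:
        raise ValueError("DOTENV_PRIVATE_KEY missing from the runtime environment")
    return {k: decrypt_value(environ["DOTENV_PRIVATE_KEY"], v) for k, v in pairs.items() if k != "DOTENV_PUBLIC_KEY"}
```

At application start you would call `decrypt_env(file_text, os.environ)`: the encrypted file ships with the code, the private key is injected only into the runtime environment, and a file that carries its own `DOTENV_PRIVATE_KEY` is rejected rather than silently decrypted. Python is used here only so the example runs without any extension or dependency; `_mul` is not constant-time, so this illustrates the design and is not a drop-in implementation.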
📦 Available at Packagist: rodas/dotenvx