env-cipher

0.2.1 • Public • Published

Env-cipher is a module that reads encrypted environment variables with a specific suffix (default: _CIPHER) from process.env and decrypts them. The result can then be stored back into process.env and used in a Node.js app as usual.

It also has a CLI to create a .env-cipher file with encrypted variable values. Additionally, a .env-cipher.yaml file is created for environment usage in the Docker or Kubernetes context.

The idea is to use only encrypted settings in deployment files, secrets, or cloud vaults. A secret file (e.g. a certificate) can be used to encrypt the values during development or CI/CD. For decryption, the secret file can be placed inside the Node.js Docker container (in the best case, use a distroless image!) to perform the decryption.

Usage

Create a certificate by running npm run certgen. It will be stored in ./ssl/cert.pem and used as the default secret file.

Create a .env file in the root directory of your project. Add environment-specific variables on new lines in the form of NAME=VALUE. For example:

ACCOUNT=hazfd783.cloudname.com
USER=fridolinhamster
PASSWORD=y0uw1lln0tbr4ek
DATABASE=hr.salaries
SCHEMA=management
ROLE=SYSADMIN
URL=localhorst:8123

Encrypt .env values

$ npm install -g env-cipher
$ npx env-cipher
# or 
$ env-cipher .env -s mySecretPassword
 

After running the CLI command, the .env-cipher file contains the encrypted values:

ACCOUNT_CIPHER=6478b68193c03a3c0bdadec46f89a09eef5beb55077d5c4cf7e72f733d3d75b4
USER_CIPHER=17e766942fe4fa19068202c4138c517a
PASSWORD_CIPHER=1ccd001d85277b9be50da994590e5f7f
DATABASE_CIPHER=374eab00f4a46cd2276ef8b9f6ce9f27
SCHEMA_CIPHER=a4a62c29f0a2f50d06c414ff91ebd676
ROLE_CIPHER=506824248ee4729c22381fd838139c49
URL_CIPHER=31fe6850775707846d5c8aa56a5d9c84

The YAML output file .env-cipher.yaml looks like this:

environment:
  - ACCOUNT_CIPHER=6478b68193c03a3c0bdadec46f89a09eef5beb55077d5c4cf7e72f733d3d75b4
  - USER_CIPHER=17e766942fe4fa19068202c4138c517a
  - PASSWORD_CIPHER=1ccd001d85277b9be50da994590e5f7f
  - DATABASE_CIPHER=374eab00f4a46cd2276ef8b9f6ce9f27
  - SCHEMA_CIPHER=a4a62c29f0a2f50d06c414ff91ebd676
  - ROLE_CIPHER=506824248ee4729c22381fd838139c49
  - URL_CIPHER=31fe6850775707846d5c8aa56a5d9c84
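
The sample values above can be checked for what they carry. The following is an added example, not code from env-cipher: each ciphertext is exactly the padded length of its plaintext, so no per-value IV or authentication tag is stored with it. `seal` and `unseal` are hypothetical helpers (with a constructed key) showing an AES-256-GCM layout that stores both and binds the variable name.

```javascript
// Added example, not env-cipher's code. Plaintext/ciphertext pairs are copied from this page.
const crypto = require('crypto');

const BLOCK = 16; // AES block size in bytes

// Ciphertext length a block mode with PKCS#7 padding produces for n plaintext bytes.
function paddedLength(n) {
  return (Math.floor(n / BLOCK) + 1) * BLOCK;
}

// Bytes left for an IV/nonce or auth tag after the padded plaintext is accounted for.
function spareBytes(plaintext, hexCipher) {
  return hexCipher.length / 2 - paddedLength(Buffer.byteLength(plaintext, 'utf8'));
}

const pageSamples = [
  ['hazfd783.cloudname.com', '6478b68193c03a3c0bdadec46f89a09eef5beb55077d5c4cf7e72f733d3d75b4'],
  ['fridolinhamster', '17e766942fe4fa19068202c4138c517a'],
  ['SYSADMIN', '506824248ee4729c22381fd838139c49'],
];

// Hypothetical alternative layout: nonce(12) || tag(16) || ciphertext, AES-256-GCM,
// with the variable name bound as associated data so values cannot be swapped.
function seal(key, name, value) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const body = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('hex');
}

// Throws if the value, the tag, or the variable name it was sealed under was changed.
function unseal(key, name, hex) {
  const raw = Buffer.from(hex, 'hex');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Constructed demo key, for this example only.
const demoKey = crypto.scryptSync('constructed-passphrase', 'constructed-salt', 32);

for (const [plain, hex] of pageSamples) {
  console.log(`${plain.length}-byte value: ${spareBytes(plain, hex)} spare bytes`);
}
const sealed = seal(demoKey, 'PASSWORD_CIPHER', 'y0uw1lln0tbr4ek');
console.log(sealed.length / 2 - 15, 'bytes of nonce + tag;', unseal(demoKey, 'PASSWORD_CIPHER', sealed));
```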

Options for CLI encoding

$ env-cipher --option <VALUE> <path-to-.env-file>
Option         What does it do                                                Defaults
--secretFile   use a file's content as encryption key (default)               ./ssl/cert.pem
--secret       alternatively, use a secret key or passphrase for encryption   <empty>
--algo         encryption algorithm                                           aes256
--suffix       suffix which will be attached to the variable name             _CIPHER
--encoding     encoding of the .env file                                      utf8

To decrypt a .env-cipher file and print values to stdout run:

$ npm run decrypt

Usage in your Node.js App

$ npm install env-cipher

Place the secret file (or certificate) in ./ssl.

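const { envDecipher } = require('env-cipher');
// Decrypt the suffixed variables found in process.env using the default options
const decrypted = envDecipher();

// Store the decrypted values back into process.env
process.env = {
    ...process.env,
    ...decrypted
}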

Options for decryption

The options are the same as for the CLI, passed as an object parameter, except encoding:

const { envDecipher } = require('env-cipher');
const decrypted = envDecipher({
    'secretFile': './ssl/cert.pem',
    //'secret': 'mysecret'
    'algo': 'aes256',
    'suffix': '_CIPHER'
});

Dependencies

Env-cipher uses these open source projects to work properly:

License

MIT

Weekly Downloads

4

Version

0.2.1

License

MIT

Unpacked Size

14.7 kB

Total Files

10

Collaborators

  • ralfbecher