Envoix is a command line tool that facilitates easy and secure sharing of Environment variables among developers and teams. It removes the overhead of sending env variables to each developer in your team personally over social media, and make sure that everyone is in sync, while not leaving your terminal.
- easy user authentication
- easy setup (just one command)
- remote storage for all the variables
- Encrypted and Secure
- Add other users to the project
- Manage User Permissions (Push, Pull, Admin, Add_Users, Remove_Users)
- No hassles with GUI
- Nodejs (v18+)
- npm
- Install the npm package globally
sudo npm i -g envoix
- Create new account or log in to previous account if you have one already
envoix auth signup
OR
envoix auth login
- You are all set to start using envoix in your projects
Usage: envoix [options] [command]
envoix is CLI tool for providing easy and secure way to share environment
variables among teams and developers
Options:
-h, --help display help for command
Commands:
auth Authentication commands
init Initialize new environment
list Get all environments
pull Pull environment variables
push Push environment files to server
delete Delete environment
user Handle user permissions
help [command] display help for command
This command includes all the authentication related subcommands
-
Login:
envoix auth login
- password
-
Signup:
envoix auth signup
- name
- password
-
Profile:
envoix auth profile
-
Logout:
envoix auth logout
- This commands follows various subcommands for managing user permissions on the environment
- The permissions allowed can be any combination of the following list of permissions:
-
pull
: Read the current environment variables from the server -
push
: Change/Update the environment variables on the server -
add_user
: Add a new user with certain set of permissions -
remove_user
: Remove a user and their permissions -
update_user
: Update other user permissions -
admin
: All the above permissions + some extra ones- list all users with permission
- delete the environment
-
-
Add User:
envoix user add
- permissions
- OTP (read more)
-
Remove User:
envoix user remove
-
Update User:
envoix user update
- permissions
-
List Users:
envoix user list
- These are the core features of this library which provides functionality for managing environments
-
init
: Create a new environment config -
push
: Push the current config to server -
pull
: Pull the changes from server -
list
: List all the environment created by current user -
delete
: Delete current environment
-
all the below subcommands requires user to confirm their password
-
Init:
envoix init
- Project name
- env file's relative location
-
Push:
envoix push
-
Pull:
envoix pull
-
List:
envoix list
-
Delete:
envoix delete
The biggest concern of a user is security. Envoix gaurantees that all the user data including:
- password
- environment variables are securly stored (encrypted or hashed) on the server.
The user's password is the most important asset in securing other relevant data, so it should be stored securly.
- User's password is not stored on server either in plain text or any other encrypted form
- bcrypt is used to hash the password and store the resulting hash in db.
Here comes the fun part,
It took me more days to securely store the env variables than coding all the other features
Okay, so what's the keyword here ?? Its key wrapping
let's analyze our requirements:
- Secure
- Encryption and Decryption by more than one user
- Not storing the key(encryption/decryption) on the server
Considering above requirements, we don't have a lot of options.
-
RSA key pair / Asymmetric encryption
- It can implemented here but it also comes with certain limitations
- User can't move between devices(easily)
- Need to store public keys for each device of user for each user
- It can implemented here but it also comes with certain limitations
-
Other symmetric encryptions (password sharing, pke challenges, etc)
- Not suitable for this use case
-
Key wrapping
all the encryption is done using
aes-256-cbc
and all the hashing is done usingsha-512
algorithms
-
When a new environment is initialised, An encryption key called Master Encryption Key(
MEK
) is generated on the server -
MEK is used to encrypt/decrypt data using push/pull actions
-
encrypt the MEK using user's plain-text password passed for verification during
init
action -
encrypted MEK(eMEK) or Key Encryption key(KEK) is stored in a table alongside user's permissions
-
When a new user(X) is added by an User(Y) with
admin
oradd_user
privilages,
- MEK = decrypt(KEK(Y), pass_Y)
- KEK(X) = encrypt(MEK, otp)
- store it alongside permissions of User(X)
Used otp to create kek(X) because we don't have pass_X
-
During the first pull from the user_X, OTP is also asked and then
KEK(X)
is replaced byencrypt(MEK, pass_X)
-
Afterwards, Each push/pull action is performed by derived MEK from User's KEK.
- Multiple environments like prod, dev, etc in same config
- storing env history
The Envoix-server
can be self hosted and it can be integrated inside this library. See the official repo at theanuragshukla/envoix-server for detailed instructions
If you'd like to improve the functionality and security of this library, feel free to raise an issue and then we can work on that together. Also try working on the proposed features
-
Where is the server ??
- As of now, I've hosted the server at
https://envoix.anurags.tech
and It should work fine for small userbase.
- As of now, I've hosted the server at
-
Can it be self hosted ?
- For private use or within an organisation, I'd suggest to self host. It'll be good for my small server and your special use case.