#env-var #environment #encryption-key #encryption #chacha20-poly1305 #security #security-key

envenc

A crate for managing encrypted environment variables using either AES or ChaCha20Poly1305

3 releases

0.0.3 Oct 6, 2024
0.0.2 Sep 28, 2024
0.0.1 Sep 28, 2024

#443 in Cryptography

MIT/Apache

20KB
177 lines

EnvEnc - Secure Environment Variable Management

EnvEnc is a Rust crate that helps you securely encrypt and decrypt environment variables using the ChaCha20-Poly1305 or AES256-GCM encryption schemes. Store sensitive information like API keys, database credentials, and other configuration secrets in your .env file in a secure, encrypted format.

Features

  • Encrypt environment variables before storing them.
  • Automatically decrypt environment variables when needed.
  • Support for secure key and nonce generation.
  • Support for multiple encryption algorithms.

Installation

Add envenc to your Cargo.toml:

[dependencies]
envenc = "0.0.3"

Usage/Examples

Below is an example of how to encrypt, decrypt, and read environment variables using EnvEnc:

use envenc::{decrypt_env, keys_generation, read_env, read_env_enc, set_enc_env, CipherType};

fn main() {
    // Choose cipher type
    let cipher_type = CipherType::AES256GCM; // or CipherType::ChaCha20Poly1305

    // Generate or retrieve encryption key and nonce
    let (key, nonce) = keys_generation(cipher_type);

    // Encrypt and set environment variables
    set_enc_env(
        "DATABASE_URL",
        "postgres://user:password@localhost/db",
        cipher_type,
        &key,
        &nonce,
    );
    set_enc_env(
        "API_KEY",
        "super_secret_api_key",
        cipher_type,
        &key,
        &nonce,
    );
    set_enc_env(
        "CACHE_SERVER",
        "redis://localhost:6379",
        cipher_type,
        &key,
        &nonce,
    );

    // Read the encrypted environment variables from the .env file
    let encrypted_env = read_env_enc();

    // Decrypt the environment variables using the key and nonce
    decrypt_env(encrypted_env, cipher_type, &key, &nonce);

    // Read the decrypted values from the environment variables
    let database_url = read_env("DATABASE_URL").unwrap_or("DATABASE_URL not found".to_string());
    let api_key = read_env("API_KEY").unwrap_or("API_KEY not found".to_string());
    let cache_server = read_env("CACHE_SERVER").unwrap_or("CACHE_SERVER not found".to_string());

    // Print the decrypted environment variables
    println!("Database URL: {}", database_url);
    println!("API Key: {}", api_key);
    println!("Cache Server: {}", cache_server);
}

Output

Database URL: postgres://user:password@localhost/db
API Key: super_secret_api_key
Cache Server: redis://localhost:6379

How It Works

  1. Key and Nonce Generation: The key and nonce are generated using the provided passwords. This ensures that each encryption is securely tied to the passwords.
  2. Encryption and Storage: Sensitive environment variables are encrypted and stored in the .env file.
  3. Decryption: The encrypted variables are decrypted and read back into the runtime environment using the same key and nonce.

Why Use EnvEnc?

  • Security: Environment variables are stored in an encrypted format, reducing the risk of exposing sensitive data.
  • Ease of Use: Encrypting and decrypting environment variables is as simple as calling a few functions.
  • Customization: You can control the passwords used for key and nonce generation, giving you flexibility in how encryption is handled.

Dependencies

~2MB
~30K SLoC