npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

entourage

v3.0.1

Published

A Secure production ready entourage for ENV variables

Downloads

83

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

active9active9

Keywords

envenvironmentsecureproductionententourage

Readme

Entourage

A Secure production ready entourage for ENV variables

Requirements

Node 11.12.0+

Installing Entourage

Using npm

npm install --save entourage

Setup

Entourage is a secure Environment Variable loader for production use. Before we begin there are a few things to take note of:

First, Never Ever Ever Never commit your .env or .ent files to your repo or any other version control system. Utilize .gitignore to exclude *.env or *.ent files. These files should be hand delivered during development or devops delivered during deployment in production. You should not use different .ent files according to NODE_ENV. Only setup your .ent files for a single environment (production, development, test, debug, ect).

Second, Entourage requires you to set an Environment Variable named ENTOURAGE_KEY. The value of this variable will be at least 16 digits and should be the most random set of characters you can generate.

An easy way to generate a random string of digits for your Entourage Key on linux is:

echo "$(< /dev/urandom tr -dc A-Za-z0-9 | head -c 32)"

Once you have your 16+ digit key you can set it as follows:

On Windows:

set ENTOURAGE_KEY=[your key here without brackets]

On Linux / Mac:

export ENTOURAGE_KEY=[your key here without brackets]

Usage

There are two parts, the Generator and the Config. The Generator helps you easily convert .env files to .ent files. .env files are ini files without headers (comments are still allowed if the line starts with a semicolon ;)

To get started make yourself an .env file if you have no already. Inside put the contents:

TEST_ENV=true

Next create a deploy.js script and inside put the following:

var entourage = require('entourage');
entourage.generate('**/*.env', '.ent', function() {
	
	// Done Generating .ENT
	console.log('Encrypted ENV (ENT) Generated');
});

This will use glob patterns to find all .env files within the current and sub directories. If a .env file is found it will generate an encrypted .ent file in the same location.

Using your encrypted environment file .ent is just as easy. Note: any env var loaded by Entourage will not override set environment variables on the system. This is done to protect the integrity of a systems environment variables by only appending newly found .ent vars.

//  Call Entourage Config Loading by *.ent
entourage.config('**/*.ent', function() {
		
	// Done Loading .ENT
	console.log('ENV Test', process.env.TEST_ENV);
});

The output will be:

ENV Test true

Strict Mode allows you to run the same call as above but with an optional options object with a strict object boolean. Strict being enabled will remove any .env files that match the glob .ent pattern. For example:

//  Call Entourage Config Loading by *.ent
entourage.config('**/*.ent', {
	strict: true
},function() {
		
	// Done Loading .ENT
	console.log('ENV Test', process.env.TEST_ENV);
});

Any .env files found matching the glob pattern will be found and removed with strict enabled.

The system deletes all found **/*.env files

The output will be:

ENV Test true

API

You can manually tie into the encrypt and decrypt features. By default if a key is passed as null the env ENTOURAGE_KEY will be used.

Encrypting

// Encrypt An Entourage Encrypted String
var encrypted = entourage.encrypt(null, 'raw .env file data here');

Decrypting

// Decrypt An Entourage Encrypted String
var decrypted = entourage.decrypt(null, 'encrypted .ent file data here');

Options

Strict: boolean This option will remove any found .env files good for use in production environments where you want to ensure no .env files exist on the server running this module.

Conclusion

Providing you create a secure enough key for Entourage to use and the user of your system is never exploited by a hacker to read your ENTOURAGE_KEY then, this should be secure enough to use in production environments. This has been tested and is in use in a production environment however, there is no guarantee your environment variables will remain secure since the decryption key is stored as an environment variable on the system you wish to deploy to. Use at your own risk. But!!! it should be safe so long as you can lock down your user level console on your deployed operating system (block ssh from public, disable PAM , and use a vpn for key based access).