envoix
v3.0.0
Envoix is a collaborative tool to easily share, sync and manage environment variables between developers and teams.
Envoix
Envoix is a command line tool that facilitates easy and secure sharing of environment variables among developers and teams. It removes the overhead of sending env variables to each developer in your team personally over social media, and makes sure that everyone is in sync, all without leaving your terminal.
Features
- easy user authentication
- easy setup (just one command)
- remote storage for all the variables
- Encrypted and Secure
- Add other users to the project
- Manage User Permissions (Push, Pull, Admin, Add_Users, Remove_Users)
- No hassles with GUI
Prerequisites
- Nodejs (v18+)
- npm
Getting started
- Install the npm package globally
sudo npm i -g envoix
- Create new account or log in to previous account if you have one already
envoix auth signup
OR
envoix auth login
- You are all set to start using envoix in your projects
Usage
Usage: envoix [options] [command]
envoix is CLI tool for providing easy and secure way to share environment
variables among teams and developers
Options:
-h, --help display help for command
Commands:
auth Authentication commands
init Initialize new environment
list Get all environments
pull Pull environment variables
push Push environment files to server
delete Delete environment
user Handle user permissions
help [command] display help for command
Auth
This command includes all the authentication related subcommands
Login:
envoix auth login
- password
Signup:
envoix auth signup
- name
- password
Profile:
envoix auth profile
Logout:
envoix auth logout
User Permissions
- This command has various subcommands for managing user permissions on the environment
- The permissions allowed can be any combination of the following list of permissions:
  - pull: Read the current environment variables from the server
  - push: Change/Update the environment variables on the server
  - add_user: Add a new user with a certain set of permissions
  - remove_user: Remove a user and their permissions
  - update_user: Update other users' permissions
  - admin: All the above permissions + some extra ones
    - list all users with permission
    - delete the environment
Usage
Add User:
envoix user add
- permissions
- OTP (read more)
Remove User:
envoix user remove
Update User:
envoix user update
- permissions
List Users:
envoix user list
Environment Settings
- These are the core features of this library, which provide functionality for managing environments
  - init: Create a new environment config
  - push: Push the current config to the server
  - pull: Pull the changes from the server
  - list: List all the environments created by the current user
  - delete: Delete the current environment
Usage
All the subcommands below require the user to confirm their password.
Init:
envoix init
- Project name
- env file's relative location
Push:
envoix push
Pull:
envoix pull
List:
envoix list
Delete:
envoix delete
Security
The biggest concern of a user is security. Envoix guarantees that all the user data, including:
- password
- environment variables

is securely stored (encrypted or hashed) on the server.
Password
The user's password is the most important asset in securing other relevant data, so it should be stored securely.
- User's password is not stored on server either in plain text or any other encrypted form
- bcrypt is used to hash the password and store the resulting hash in db.
Environment Variables/data
Here comes the fun part,
It took me more days to securely store the env variables than coding all the other features
Okay, so what's the keyword here? It's key wrapping.
Why key wrapping ?
let's analyze our requirements:
- Secure
- Encryption and Decryption by more than one user
- Not storing the key(encryption/decryption) on the server
Considering above requirements, we don't have a lot of options.
RSA key pair / Asymmetric encryption
- It can be implemented here, but it also comes with certain limitations:
  - User can't move between devices (easily)
  - Need to store public keys for each device of each user
Other symmetric encryptions (password sharing, pke challenges, etc)
- Not suitable for this use case
Key wrapping
Implementing Key wrapping algorithm
All the encryption is done using aes-256-cbc and all the hashing is done using sha-512 algorithms.
- When a new environment is initialised, an encryption key called Master Encryption Key (MEK) is generated on the server
- MEK is used to encrypt/decrypt data using push/pull actions
- Encrypt the MEK using the user's plain-text password passed for verification during the init action
- Encrypted MEK (eMEK) or Key Encryption Key (KEK) is stored in a table alongside the user's permissions
- When a new user (X) is added by a user (Y) with admin or add_user privileges,
  - MEK = decrypt(KEK(Y), pass_Y)
  - KEK(X) = encrypt(MEK, otp)
  - store it alongside permissions of User(X)
- Used otp to create KEK(X) because we don't have pass_X
- During the first pull from user_X, the OTP is also asked for, and then KEK(X) is replaced by encrypt(MEK, pass_X)
- Afterwards, each push/pull action is performed by deriving the MEK from the user's KEK.
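The wrapping flow above, as an added Node.js sketch (not envoix's own code; "KEK" follows this page's usage, i.e. the wrapped MEK stored per user). The page names aes-256-cbc and sha-512 but not the key derivation or storage layout, so PBKDF2-HMAC-SHA512, the HMAC tag (added because CBC alone cannot reliably detect a wrong password or a modified blob), the blob layout and all function names are assumptions.

```javascript
const crypto = require("node:crypto");

const ITER = 210000; // assumed PBKDF2-HMAC-SHA512 work factor

// Derive separate encryption and MAC keys from a password or OTP (assumed KDF).
function deriveKeys(secret, salt) {
  const k = crypto.pbkdf2Sync(secret, salt, ITER, 64, "sha512");
  return { enc: k.subarray(0, 32), mac: k.subarray(32) };
}

// Wrap the MEK. Assumed layout: salt(16) | iv(16) | ciphertext | hmac tag(64)
function wrap(mek, secret) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(16);
  const { enc, mac } = deriveKeys(secret, salt);
  const c = crypto.createCipheriv("aes-256-cbc", enc, iv);
  const body = Buffer.concat([salt, iv, c.update(mek), c.final()]);
  const tag = crypto.createHmac("sha512", mac).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Unwrap; the HMAC check rejects a wrong secret or tampered blob before decrypting.
function unwrap(blob, secret) {
  const body = blob.subarray(0, blob.length - 64);
  const tag = blob.subarray(-64);
  const { enc, mac } = deriveKeys(secret, body.subarray(0, 16));
  const want = crypto.createHmac("sha512", mac).update(body).digest();
  if (!crypto.timingSafeEqual(tag, want)) throw new Error("wrong secret or corrupted KEK");
  const d = crypto.createDecipheriv("aes-256-cbc", enc, body.subarray(16, 32));
  return Buffer.concat([d.update(body.subarray(32)), d.final()]);
}

// init: generate the MEK; only kekY would be persisted (mek is returned for the demo).
function initEnvironment(passY) {
  const mek = crypto.randomBytes(32);
  return { mek, kekY: wrap(mek, passY) };
}

// add user: MEK = decrypt(KEK(Y), pass_Y); KEK(X) = encrypt(MEK, otp)
function addUser(kekY, passY, otp) {
  return wrap(unwrap(kekY, passY), otp);
}

// first pull by X: KEK(X) is replaced by encrypt(MEK, pass_X); the OTP entry is discarded.
function firstPull(kekX, otp, passX) {
  return wrap(unwrap(kekX, otp), passX);
}
```

Because the stored entry is replaced on first pull, the OTP stops working as soon as user X has pulled once.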
Proposed features
- Multiple environments like prod, dev, etc in same config
- storing env history
Self Hosting
The Envoix-server can be self hosted and it can be integrated inside this library. See the official repo at theanuragshukla/envoix-server for detailed instructions.
Contributions
If you'd like to improve the functionality and security of this library, feel free to raise an issue and then we can work on that together. Also try working on the proposed features
FAQs
Where is the server ??
- As of now, I've hosted the server at https://envoix.anurags.tech and it should work fine for a small userbase.
Can it be self hosted ?
- For private use or within an organisation, I'd suggest to self host. It'll be good for my small server and your special use case.