secure-config-vault
v1.0.0
Published
Encrypt and decrypt .env configuration files using AES-256-GCM. Store encrypted vault files safely in Git.
Maintainers
Readme
secure-config-vault
Encrypt and decrypt .env configuration files using AES-256-GCM encryption. Store encrypted .env.vault files safely in Git — no more leaking secrets!
Uses only Node.js built-in crypto module — zero external dependencies.
Features
- 🔐 AES-256-GCM Encryption — military-grade authenticated encryption.
- 🔑 Key or Password — use a random 256-bit key or any password string (PBKDF2 derived).
- 📦 Vault Files — encrypt
.env→.env.vault, commit safely to Git. - 🔓 Runtime Decryption — decrypt vault at runtime and inject into
process.env. - 🔄 Smart Loader —
loadConfig()tries vault first, falls back to.envautomatically. - 🛡️ Tamper Detection — GCM auth tags detect any tampering of the encrypted file.
- 🧹 Clean API — also exports raw
encrypt()/decrypt()for any use case.
Installation
npm install secure-config-vaultQuick Start
1. Generate a Key
const { generateKey } = require('secure-config-vault');
const key = generateKey();
console.log('Your vault key:', key);
// Save this somewhere safe (NOT in your repo)2. Encrypt your .env file
const { encryptFile } = require('secure-config-vault');
encryptFile('your-64-char-hex-key', {
envPath: '.env',
vaultPath: '.env.vault'
});
// .env.vault is now safe to commit to Git!3. Decrypt at Runtime
const { loadConfig } = require('secure-config-vault');
// Set VAULT_KEY as an environment variable in production
// e.g., VAULT_KEY=abc123... node app.js
loadConfig();
console.log(process.env.DATABASE_URL); // Decrypted valueAlternative: Use a Password
const { encryptFile, decryptFile } = require('secure-config-vault');
// Encrypt with password
encryptFile('my-super-secret-password', { envPath: '.env' });
// Decrypt with same password
const config = decryptFile('my-super-secret-password');
console.log(config);API
generateKey() → string
Returns a random 64-character hex key (256 bits).
encrypt(plaintext, keyOrPassword) → string
Encrypts a string. Returns salt:iv:authTag:ciphertext (hex encoded).
decrypt(payload, keyOrPassword) → string
Decrypts a payload from encrypt().
encryptFile(keyOrPassword, options) → { envPath, vaultPath, variables }
Encrypts a .env file to a .env.vault file.
decryptFile(keyOrPassword, options) → Object
Decrypts a .env.vault file and returns parsed key-value pairs.
| Option | Default | Description |
|---|---|---|
| vaultPath | '.env.vault' | Path to vault file. |
| inject | false | Inject into process.env. |
| override | false | Override existing env vars. |
loadConfig(options) → Object
Smart loader: tries vault first, falls back to .env.
| Option | Default | Description |
|---|---|---|
| key | process.env.VAULT_KEY | Decryption key. |
| vaultPath | '.env.vault' | Vault file path. |
| envPath | '.env' | Fallback .env path. |
| inject | true | Inject into process.env. |
| override | false | Override existing vars. |
parseEnv(content) → Object
Parses .env file content into key-value pairs.
serializeEnv(obj) → string
Converts an object back to .env format.
License
MIT
