UNPKG

env-cipher

Version:

A module to encrypt and decrypt ENV variables

github.com/ralfbecher/env-cipher

ralfbecher/env-cipher

98 lines (89 loc) 3.17 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
'use strict'; const crypto = require('crypto'); const fs = require('fs'); const path = require('path'); const dotenv = require('dotenv'); const optionsDefault = { envFile: './.env', secret: '', secretFile: './ssl/cert.pem', algo: 'aes256', suffix: '_CIPHER', encoding: 'utf8' } const encrypt = (text, algo, key, iv) => { const cipher = crypto.createCipheriv(algo, key, iv); let encrypted = cipher.update(text, 'utf8', 'hex'); encrypted += cipher.final('hex'); return encrypted; } const decrypt = (text, algo, key, iv) => { const decipher = crypto.createDecipheriv(algo, key, iv); let decrypted = decipher.update(text, 'hex', 'utf8'); decrypted += decipher.final('utf8'); return decrypted; } const getPw = ({secret, secretFile}) => { if (secret.length === 0) { secret = fs.readFileSync(path.resolve(__dirname, secretFile)).toString().replace(/(-----(BEGIN|END) CERTIFICATE-----|[\n\r])/g, ''); } return crypto.createHash("sha256") .update(secret) .digest("hex") .substr(0, 32); } // - reads .env file and encrypts variable values // - stores encrypted values into .env-cipher and a YAML version into .env-cipher.yaml module.exports.envCipher = ({ envFile = optionsDefault.envFile, secret = optionsDefault.envFile, secretFile = optionsDefault.secretFile, algo = optionsDefault.algo, suffix = optionsDefault.suffix, encoding = optionsDefault.encoding } = {}) => { try { const pw = getPw({secret, secretFile}); const iv = pw.substr(0, 16); const parsed = dotenv.parse(fs.readFileSync(envFile, { encoding })); let envEnc = {}; Object.keys(parsed).forEach(key => { envEnc[key + suffix] = encrypt(parsed[key], algo, pw, iv); }); let resultEnv = ''; let resultYaml = 'environment:\n'; for (const [key, value] of Object.entries(envEnc)) { if (key) { resultEnv += `${key}=${String(value)}\n`; resultYaml += ` - ${key}=${String(value)}\n` } } fs.writeFileSync(envFile + '-cipher', resultEnv, { encoding }); fs.writeFileSync(envFile + '-cipher.yaml', resultYaml, { encoding }); } catch (err) { console.error(err); } } // - reads all variables with suffix from process.env and decrypt values // - stores new variable with decryped value and name without suffix into process.env module.exports.envDecipher = ({ secret = optionsDefault.envFile, secretFile = optionsDefault.secretFile, algo = optionsDefault.algo, suffix = optionsDefault.suffix } = {}) => { try { const pw = getPw({secret, secretFile}); const iv = pw.substr(0, 16); const env = process.env; let envDec = {}; Object.keys(process.env).forEach(key => { if (key.endsWith(suffix)) { const newKey = key.substring(0, key.length - suffix.length); envDec[newKey] = decrypt(env[key], algo, pw, iv); } }); return envDec; } catch (err) { console.error(err); } }