dotenvcrypt-core 0.7.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 256f81ef09fad3aee0108ae5d490cdb5c0bf3cdce712d53160b185d1b1e6b150
+  data.tar.gz: 8274f1cdffefe95628e2e3d62af81dd7f7b3286352ab8c8ef917ed74e62e21ba
+SHA512:
+  metadata.gz: 3db1b1d2c3aaa40419b3ace5e8cda5f1e0ceb7e9eeb3a19c9c986caedf180350bfd3c2acb995398f64553aa08bb24958bb374ec64d310c6974ab51e10cadbd3a
+  data.tar.gz: 320c16b44c395c9d6eda29ac194cd2ba66bb5e8d7f1a751712ece266d9ab7cdb966297fdd39ee20c47a10b7476d24c7a582c3d5b67f0fc047630a3e51d98f2ac

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Dan Loman
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,89 @@
+# dotenvcrypt-core
+
+Pure Ruby library for encrypting and decrypting .env files using AES-256-GCM encryption.
+
+## Installation
+
+```bash
+gem install dotenvcrypt-core
+```
+
+Or add to your Gemfile:
+
+```ruby
+gem 'dotenvcrypt-core'
+```
+
+## Usage
+
+### Loading Encrypted ENV Files
+
+The simplest way to use dotenvcrypt-core is to load an encrypted .env file directly into your environment:
+
+```ruby
+require 'dotenvcrypt-core'
+
+# Load encrypted .env file into ENV
+Dotenvcrypt.load_env('.env.enc', key: 'your-secret-key')
+
+# Now you can access your environment variables
+puts ENV['DATABASE_URL']
+```
+
+### Encrypting and Decrypting Manually
+
+For more control, you can use the Encryptor class directly:
+
+```ruby
+require 'dotenvcrypt-core'
+
+# Create an encryptor with your secret key
+encryptor = Dotenvcrypt::Core::Encryptor.new('your-secret-key')
+
+# Encrypt data
+plaintext = "SECRET_KEY=my-secret-value\nAPI_TOKEN=abc123"
+encrypted = encryptor.encrypt(plaintext)
+File.write('.env.enc', encrypted)
+
+# Decrypt data
+encrypted_data = File.read('.env.enc')
+decrypted = encryptor.decrypt(encrypted_data)
+puts decrypted
+```
+
+### Error Handling
+
+The library raises exceptions instead of printing to stdout or exiting:
+
+```ruby
+begin
+  Dotenvcrypt.load('.env.enc', key: 'wrong-key')
+rescue Dotenvcrypt::Core::DecryptionError => e
+  puts "Failed to decrypt: #{e.message}"
+rescue Dotenvcrypt::Core::InvalidFormatError => e
+  puts "Invalid file format: #{e.message}"
+end
+```
+
+Available exceptions:
+- `Dotenvcrypt::Core::EncryptionError` - General encryption errors
+- `Dotenvcrypt::Core::DecryptionError` - Decryption failed (wrong key, corrupted file, tampering)
+- `Dotenvcrypt::Core::InvalidFormatError` - File is not in valid base64 format
+
+## Features
+
+- **AES-256-GCM encryption** - Industry-standard authenticated encryption
+- **Pure Ruby** - No external dependencies beyond Ruby's standard library
+- **Exception-based error handling** - Integrate cleanly into your application
+- **Dotenv-compatible** - Works with standard .env file format
+
+## Security
+
+- Uses AES-256 in GCM (Galois/Counter Mode) for authenticated encryption
+- Generates secure random initialization vectors (IV) for each encryption
+- Provides tamper detection via authentication tags
+- Keys are hashed with SHA256 before use
+
+## License
+
+MIT

data/lib/dotenvcrypt/core/encryptor.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Dotenvcrypt
+  module Core
+    class EncryptionError < StandardError; end
+    class DecryptionError < StandardError; end
+    class InvalidFormatError < DecryptionError; end
+
+    class Encryptor
+      def initialize(encryption_key)
+        @encryption_key = encryption_key
+      end
+
+      # Encrypt file
+      def encrypt(data)
+        cipher = OpenSSL::Cipher::AES256.new(:GCM)
+        cipher.encrypt
+        key = OpenSSL::Digest::SHA256.digest(encryption_key)
+        cipher.key = key
+
+        # Generate a secure random IV (12 bytes is recommended for GCM)
+        iv = cipher.random_iv
+
+        encrypted = cipher.update(data) + cipher.final
+
+        # Get the authentication tag (16 bytes)
+        auth_tag = cipher.auth_tag
+
+        # Combine IV, encrypted data, and auth tag
+        combined = iv + auth_tag + encrypted
+
+        # Convert to base64 for readability
+        Base64.strict_encode64(combined)
+      end
+
+      # Decrypt file
+      def decrypt(encoded_data)
+        begin
+          data = Base64.strict_decode64(encoded_data)
+        rescue ArgumentError
+          raise InvalidFormatError, "File is not in valid base64 format"
+        end
+
+        # For GCM mode:
+        # - IV is 12 bytes
+        # - Auth tag is 16 bytes
+        iv_size = 12
+        auth_tag_size = 16
+
+        # Extract the components
+        iv = data[0...iv_size]
+        auth_tag = data[iv_size...(iv_size + auth_tag_size)]
+        encrypted_data = data[(iv_size + auth_tag_size)..-1]
+
+        cipher = OpenSSL::Cipher::AES256.new(:GCM)
+        cipher.decrypt
+        cipher.key = OpenSSL::Digest::SHA256.digest(encryption_key)
+        cipher.iv = iv
+        cipher.auth_tag = auth_tag
+
+        cipher.update(encrypted_data) + cipher.final
+      rescue OpenSSL::Cipher::CipherError
+        raise DecryptionError, "Invalid key, corrupted file, or tampering detected"
+      end
+
+      private
+
+      attr_reader :encryption_key
+    end
+  end
+end

data/lib/dotenvcrypt/core/env_loader.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Dotenvcrypt
+  module Core
+    class EnvLoader
+      def self.load_env(encrypted_file_path, key:)
+        raise ArgumentError, "File not found: #{encrypted_file_path}" unless File.exist?(encrypted_file_path)
+
+        # Read and decrypt
+        encrypted_data = File.read(encrypted_file_path)
+        encryptor = Encryptor.new(key)
+        decrypted_content = encryptor.decrypt(encrypted_data)
+
+        # Parse and load into ENV
+        parse_and_load_env(decrypted_content)
+      end
+
+      private
+
+      def self.parse_and_load_env(content)
+        loaded = {}
+
+        content.each_line do |line|
+          line = line.strip
+
+          # Skip comments and empty lines
+          next if line.empty? || line.start_with?('#')
+
+          # Parse KEY=value format
+          if line =~ /\A([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\z/
+            key = $1
+            value = $2
+
+            # Remove surrounding quotes if present (single or double)
+            value = value.gsub(/\A["']|["']\z/, '')
+
+            # Load into ENV
+            ENV[key] = value
+            loaded[key] = value
+          end
+        end
+
+        loaded
+      end
+    end
+  end
+end

data/lib/dotenvcrypt/core/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Dotenvcrypt
+  module Core
+    VERSION = "0.7.0"
+  end
+end

data/lib/dotenvcrypt/core.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'openssl'
+require_relative 'core/version'
+require_relative 'core/encryptor'
+require_relative 'core/env_loader'
+
+module Dotenvcrypt
+  module Core
+    # Convenience method for loading encrypted env files
+    def self.load_env(encrypted_file_path, key:)
+      EnvLoader.load_env(encrypted_file_path, key: key)
+    end
+  end
+
+  # Also expose load_env at the top level for convenience
+  def self.load_env(encrypted_file_path, key:)
+    Core.load_env(encrypted_file_path, key: key)
+  end
+end

data/lib/dotenvcrypt-core.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'dotenvcrypt/core'

metadata

@@ -0,0 +1,52 @@
+--- !ruby/object:Gem::Specification
+name: dotenvcrypt-core
+version: !ruby/object:Gem::Version
+  version: 0.7.0
+platform: ruby
+authors:
+- Dan Loman
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-12-30 00:00:00.000000000 Z
+dependencies: []
+description: Pure Ruby library for encrypting and decrypting .env files using AES-256-GCM
+email:
+- daniel.loman@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/dotenvcrypt-core.rb
+- lib/dotenvcrypt/core.rb
+- lib/dotenvcrypt/core/encryptor.rb
+- lib/dotenvcrypt/core/env_loader.rb
+- lib/dotenvcrypt/core/version.rb
+homepage: https://github.com/namolnad/dotenvcrypt
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/namolnad/dotenvcrypt
+  source_code_uri: https://github.com/namolnad/dotenvcrypt
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Core encryption/decryption library for dotenvcrypt
+test_files: []