dotenvcrypt 0.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 281a89c7380b61972623d6d94ab5e10911b07d49abd05653974b60c83c0a243c
+  data.tar.gz: cd25bc6834e0aa6bd8927a3ca5e20fd00712967abd446c537109de7bc6a5e9ff
+SHA512:
+  metadata.gz: 3ab9cb7e645289a41a17e2f534d58ad59cd891f95d5665613d25329a11815bc154ba74e6ab8eba43f7647561f818ba177b249d42fe6078a5d7be9b8e84a2a35a
+  data.tar.gz: 6bbe096aca3355525202c64e9fdd79a6942441f7e7f7ab8457d48a81a389696e88f21c4fa9b6708ca038feca44538bce8a32209e8f3ee73fa882473a6f96591a

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Dan Loman
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,74 @@
+# dotenvcrypt 🛡️🔐
+
+**Securely encrypt, manage, and load your `.env` files in public repositories.**
+
+> Inspired by `rails credentials`, `dotenvcrypt` ensures your API keys and other `.env` secrets are encrypted while keeping your workflow simple.
+
+---
+
+## 🚀 Features
+
+- ✅ Encrypt `.env` files into `.env.enc` for safe storage in Git.
+- ✅ Decrypt and load environment variables securely into the shell.
+- ✅ Edit encrypted `.env.enc`, then re-encrypt after saving.
+
+---
+
+## 📦 Installation
+
+### Using Homebrew (recommended)
+
+```bash
+brew install namolnad/formulae/dotenvcrypt
+```
+
+## 🔧 Usage
+
+### Basic Commands
+
+```bash
+# Encrypt a .env file
+dotenvcrypt encrypt .env .env.enc
+
+# Decrypt an encrypted file
+dotenvcrypt decrypt .env.enc
+
+# Edit an encrypted file (decrypts, opens editor, re-encrypts)
+dotenvcrypt edit .env.enc
+
+# Load encrypted environment variables into your shell
+eval "$(dotenvcrypt decrypt .env.enc)"
+```
+
+### Key Management
+
+dotenvcrypt looks for your encryption key in these locations (in order):
+
+1. Command line argument: `--key YOUR_SECRET_KEY`
+1. Environment variable: `DOTENVCRYPT_KEY`
+1. File: `./.dotenvcrypt.key` (in the current directory)
+1. File: `$XDG_CONFIG_HOME/dotenvcrypt/secret.key` (or `$HOME/.config/dotenvcrypt/secret.key`)
+1. File: `$HOME/.dotenvcrypt.key`
+1. Interactive prompt (if no key is found)
+
+### Real-World Example
+
+Add this to your shell profile (`.zshrc`, `.bashrc`, etc.) to automatically load variables:
+
+```bash
+# Set up encryption key (example using 1Password CLI)
+dotenvcrypt_key_path="$XDG_CONFIG_HOME/dotenvcrypt/secret.key"
+if [[ ! -f $dotenvcrypt_key_path || ! -s $dotenvcrypt_key_path ]]; then
+  mkdir -p $(dirname $dotenvcrypt_key_path)
+  # Replace with your preferred key storage method
+  (op item get your-item-reference --fields password) > $dotenvcrypt_key_path
+  chmod 600 $dotenvcrypt_key_path
+fi
+
+# Load encrypted environment variables if envcrypt is installed
+if command -v dotenvcrypt &> /dev/null; then
+  set -a  # automatically export all variables
+  eval "$(dotenvcrypt decrypt $HOME/.env.enc)"
+  set +a  # stop automatically exporting
+fi
+```

data/bin/dotenvcrypt

@@ -0,0 +1,67 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'dotenvcrypt'
+require 'optparse'
+
+# CLI Commands with argument parsing
+options = {}
+command = nil
+
+UNENCRYPTED_FILE = '.env'.freeze
+ENCRYPTED_FILE = '.env.enc'.freeze
+
+opt_parser = OptionParser.new do |opts|
+  opts.banner = "Usage: dotenvcrypt <command> [options]"
+
+  opts.separator ""
+  opts.separator "Commands:"
+  opts.separator "  encrypt [input_file] [output_file]  Encrypt .env file (default: #{UNENCRYPTED_FILE} to #{ENCRYPTED_FILE})"
+  opts.separator "  decrypt [file]                      Decrypt to stdout (default: #{ENCRYPTED_FILE})"
+  opts.separator "  edit [file]                         Edit encrypted file (default: #{ENCRYPTED_FILE})"
+
+  opts.separator ""
+  opts.separator "Options:"
+
+  opts.on("-k", "--key KEY", "Encryption key") do |key|
+    options[:key] = key
+  end
+
+  opts.on("-h", "--help", "Show this help message") do
+    puts opts
+    exit
+  end
+
+  opts.on("-v", "--version", "Show version") do
+    puts Dotenvcrypt::VERSION
+    exit
+  end
+end
+
+# Parse global options first
+opt_parser.order!(ARGV)
+
+# Get the command
+command = ARGV.shift
+
+if command.nil?
+  puts opt_parser
+  exit 1
+end
+
+dotenvcrypt = Dotenvcrypt::Manager.new(options[:key])
+
+case command
+when 'encrypt'
+  input_file = ARGV[0] || UNENCRYPTED_FILE
+  output_file = ARGV[1] || ENCRYPTED_FILE
+  dotenvcrypt.encrypt_env(input_file, output_file)
+when 'decrypt'
+  dotenvcrypt.decrypt_env(ARGV[0] || ENCRYPTED_FILE)
+when 'edit'
+  dotenvcrypt.edit_env(ARGV[0] || ENCRYPTED_FILE)
+else
+  puts "Unknown command: #{command}"
+  puts opt_parser
+  exit 1
+end

data/lib/dotenvcrypt/manager.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+require 'tty-prompt'
+require 'tty-command'
+require 'tempfile'
+require 'optparse'
+
+module Dotenvcrypt
+  class Manager
+    # Determine config directory following XDG Base Directory Specification
+    CONFIG_HOME = ENV['XDG_CONFIG_HOME'] || "#{ENV['HOME']}/.config"
+    CONFIG_DIR = "#{CONFIG_HOME}/dotenvcrypt".freeze
+
+    # Check multiple locations in order of preference
+    ENCRYPTION_KEY_LOCATIONS = [
+      "#{Dir.pwd}/.dotenvcrypt.key",             # Project-specific key (current directory)
+      "#{CONFIG_DIR}/secret.key",                # XDG standard location
+      "#{ENV['HOME']}/.dotenvcrypt.key"          # Legacy location (for backward compatibility)
+    ].freeze
+
+    def initialize(encryption_key = nil)
+      @encryption_key = encryption_key
+    end
+
+    # Encrypt an existing `.env` file
+    def encrypt_env(unencrypted_file, encrypted_file)
+      unless File.exist?(unencrypted_file)
+        puts "❌ File not found: #{unencrypted_file}"
+        exit(1)
+      end
+
+      encrypt(unencrypted_file, encrypted_file)
+
+      puts "🔒 Encrypted #{unencrypted_file} → #{encrypted_file}"
+    end
+
+    # Decrypt an encrypted `.env` file and print to stdout
+    def decrypt_env(encrypted_file)
+      puts decrypt(encrypted_file)
+    end
+
+    # Edit decrypted env, then re-encrypt
+    def edit_env(encrypted_file)
+      temp_file = Tempfile.new('dotenvcrypt')
+
+      File.open(temp_file.path, 'w') do |f|
+        f.write decrypt(encrypted_file)
+      end
+
+      puts "Waiting for file to be saved. Abort with Ctrl-C."
+
+      system("#{ENV['EDITOR'] || 'vim'} #{temp_file.path}")
+
+      encrypt(temp_file.path, encrypted_file)
+
+      puts "🔒 Encrypted and saved #{encrypted_file}"
+    ensure
+      temp_file.unlink if temp_file
+    end
+
+    private
+
+    attr_reader :encryption_key
+
+    # Encrypt file
+    def encrypt(input_file, output_file)
+      cipher = OpenSSL::Cipher::AES256.new(:GCM)
+      cipher.encrypt
+      key = OpenSSL::Digest::SHA256.digest(fetch_key)
+      cipher.key = key
+
+      # Generate a secure random IV (12 bytes is recommended for GCM)
+      iv = cipher.random_iv
+
+      data = File.read(input_file)
+      encrypted = cipher.update(data) + cipher.final
+
+      # Get the authentication tag (16 bytes)
+      auth_tag = cipher.auth_tag
+
+      # Combine IV, encrypted data, and auth tag
+      combined = iv + auth_tag + encrypted
+
+      # Convert to base64 for readability
+      base64_data = Base64.strict_encode64(combined)
+
+      File.open(output_file, 'w') do |f|
+        f.write(base64_data)
+      end
+    end
+
+    # Decrypt file
+    def decrypt(input_file)
+      # Read the encrypted file
+      begin
+        base64_data = File.read(input_file)
+        data = Base64.strict_decode64(base64_data)
+      rescue ArgumentError
+        puts "❌ Decryption failed. File is not in valid base64 format."
+        exit(1)
+      end
+
+      # For GCM mode:
+      # - IV is 12 bytes
+      # - Auth tag is 16 bytes
+      iv_size = 12
+      auth_tag_size = 16
+
+      # Extract the components
+      iv = data[0...iv_size]
+      auth_tag = data[iv_size...(iv_size + auth_tag_size)]
+      encrypted_data = data[(iv_size + auth_tag_size)..-1]
+
+      cipher = OpenSSL::Cipher::AES256.new(:GCM)
+      cipher.decrypt
+      cipher.key = OpenSSL::Digest::SHA256.digest(fetch_key)
+      cipher.iv = iv
+      cipher.auth_tag = auth_tag
+
+      cipher.update(encrypted_data) + cipher.final
+    rescue OpenSSL::Cipher::CipherError
+      puts "❌ Decryption failed. Invalid key, corrupted file, or tampering detected."
+      exit(1)
+    end
+
+    # Get encryption key: From CLI arg OR encryption-key file OR securely prompt from stdin
+    def fetch_key
+      return encryption_key if encryption_key && !encryption_key.empty?
+      return ENV['DOTENVCRYPT_KEY'] if ENV['DOTENVCRYPT_KEY'] && !ENV['DOTENVCRYPT_KEY'].empty?
+      ENCRYPTION_KEY_LOCATIONS.each do |key_file|
+        return File.read(key_file).strip if File.exist?(key_file)
+      end
+
+      prompt.ask("Enter encryption key:", echo: false)
+    end
+
+    def prompt
+      @prompt ||= TTY::Prompt.new
+    end
+  end
+end
+

data/lib/dotenvcrypt/version.rb

@@ -0,0 +1,3 @@
+module Dotenvcrypt
+  VERSION = "0.4.0"
+end

data/lib/dotenvcrypt.rb

@@ -0,0 +1,2 @@
+require_relative "dotenvcrypt/manager"
+require_relative "dotenvcrypt/version"

metadata

@@ -0,0 +1,81 @@
+--- !ruby/object:Gem::Specification
+name: dotenvcrypt
+version: !ruby/object:Gem::Version
+  version: 0.4.0
+platform: ruby
+authors:
+- Dan Loman
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-03-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: tty-prompt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.23.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.23.1
+- !ruby/object:Gem::Dependency
+  name: tty-command
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.10.1
+description: dotenvcrypt ensures any API keys in your .env files are encrypted - enabling
+  storage of these files directly within Git.
+email:
+- daniel.loman@gmail.com
+executables:
+- dotenvcrypt
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- bin/dotenvcrypt
+- lib/dotenvcrypt.rb
+- lib/dotenvcrypt/manager.rb
+- lib/dotenvcrypt/version.rb
+homepage: https://github.com/namolnad/dotenvcrypt
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/namolnad/dotenvcrypt
+  source_code_uri: https://github.com/namolnad/dotenvcrypt
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Securely encrypt, manage, and store your .env files in Git
+test_files: []