The Secrets plugin allows you to store and manage secrets in an encrypted file. 

Secrets CLI

Read the Storing Secrets in Craft CMS article.

There are some benefits to storing secrets this way, instead of the conventional approach of storing them as plaintext in the .env file.

  1. Secrets are encrypted and cannot be revealed without the encryption key.
  2. The encrypted file can be committed to your version control repository, meaning you avoid having to send secrets in plaintext to other developers. You also end up with a history of changes to the file.
  3. If secrets change or are rotated then there is only one file that needs to be updated. 

License

This plugin is licensed for free under the MIT License.

Requirements

This plugin requires Craft CMS 3.0.3 or later, or 4.0.0 or later, or 5.0.0 or later.

Installation

To install the plugin, search for “Secrets” in the Craft Plugin Store, or install manually using Composer.

composer require putyourlightson/craft-secrets

Usage

Managing Secrets

Secrets can be managed using console commands.

# Adds or overwrites a key/value pair.
php craft secrets/vault/add apiSecret 1234567890wqertyuiop

# Reveals all key/value pairs.
php craft secrets/vault/reveal

# Reveals the value of a provided key.
php craft secrets/vault/reveal apiSecret

# Deletes the value of a provided key.
php craft secrets/vault/delete apiSecret

Getting Secrets

The values of secrets can be fetched using PHP code.

use putyourlightson\secrets\Secrets;

// Returns the value of the `apiKey` secret.
Secrets::getValue('apiKey');

// Returns the value of the `apiKey` secret, defaulting to a provided value.
Secrets::getValue('apiKey', '1234567890');

Config Settings

Secrets comes with a config file to modify the plugin settings. To use it, copy the config.php to your project’s main config directory as secrets.php and uncomment any settings you wish to change. All of the available settings are listed and documented in the config file.

filePath

The path of the encrypted secrets file. Defaults to /config/secrets.enc.

encryptionKey

A cryptographically secure key to use for encryption and decryption. Defaults to the value of Craft’s SECURITY_KEY environment variable.

Considerations

While environment variables stored in the .env file are available to PHP on every request, encrypted secrets are not. Decryption is not a particularly fast process, and so the Secrets plugin should ideally only be used to store API keys and credentials that are not required on every request.
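One way to follow this advice, as an added example that is not code from the plugin: fetch a secret only on the code path that needs it, and keep the decrypted value for the rest of the request so the plugin is called at most once per key. The `LazySecret` class and `apiAuthHeaders()` function are hypothetical names, and the behaviour of `Secrets::getValue()` for a missing key is an assumption.

```php
<?php
// Added example: not part of the Secrets plugin.
use putyourlightson\secrets\Secrets;

final class LazySecret
{
    /** @var array<string, string> Secrets already decrypted during this request. */
    private static $cache = [];

    /**
     * Returns a secret, calling the plugin at most once per key per request.
     * Throws rather than accepting a fallback, so a missing vault entry
     * surfaces as an error instead of a hard-coded credential being used.
     */
    public static function get(string $key): string
    {
        if (!array_key_exists($key, self::$cache)) {
            // Assumption: getValue() returns a non-string or empty value for a missing key.
            $value = Secrets::getValue($key);
            if (!is_string($value) || $value === '') {
                // Only the key name goes into the message, never a value.
                throw new \RuntimeException("Secret '{$key}' is missing from the vault.");
            }
            self::$cache[$key] = $value;
        }

        return self::$cache[$key];
    }
}

/**
 * Hypothetical caller: builds headers for an outbound API request.
 * Decryption happens only on the code path that performs the call.
 */
function apiAuthHeaders(): array
{
    return ['Authorization' => 'Bearer ' . LazySecret::get('apiKey')];
}
```

The cached plaintext lives only in the PHP process for the current request and is never written to disk or a shared cache.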

Credits