bentools/shh-bundle
===================

A Symfony bundle to handle secrets.

Version 1.2.1 · MIT license · PHP >=8.0

[Source](https://github.com/bpolaszek/shh-bundle) · [Packagist](https://packagist.org/packages/bentools/shh-bundle)

Shh! 🤫
======

Shh! is a proof-of-concept for handling secrets within your Symfony application.

Why?
----

I was just reading [Storing secrets for Symfony applications](https://www.webfactory.de/blog/storing-secrets-for-symfony-applications) from [Matthias Pigulla](https://github.com/mpdude) which came with a solution using a Ruby-powered external program.

Then I came up with the following question: why isn't there a PHP implementation of this? 🤔

Here are the key principles:

- Storing secrets in environment variables will actually expose them through `phpinfo()`, reports, logs, and child processes.
- Thanks to Symfony's [Env Var Processors](https://symfony.com/doc/current/configuration/env_var_processors.html), *Shh* will expose them **encrypted**. They will be decrypted at the very last moment.
- The private key and an optional passphrase are required to decrypt secrets. They SHOULD be *.gitignored*.
- You can then commit encrypted secrets to VCS as long as the private key is stored and communicated safely.
- You can change your passphrase at any time.

Installation
------------

```
composer require bentools/shh-bundle:^1.0
```

Configuration
-------------

- Add the bundle to your kernel (come on, you're not using Flex?).
- Generate your keys:
    - Create a `shh` directory in your config directory: `mkdir -p config/shh` (or `mkdir -p app/config/shh` for Symfony 3)
    - Run `php bin/console shh:generate:keys`
    - If you provided one, store the passphrase in the `SHH_PASSPHRASE` environment variable
    - Add `config/shh/private.pem` (or `app/config/shh/private.pem` for Symfony 3) to your `.gitignore` and upload it to your production server.

**And you're ready to go!**

If you want a different configuration, check out the [configuration reference](#configuration-reference) to discover the available options.

Usage
-----

### Check the environment is properly configured

```
bin/console shh:check # Checks that encryption and decryption both work (public and private keys are needed)
```

```
bin/console shh:check --encrypt-only # Checks that encryption works (only the public key is needed)
```

### Encrypt a value (public key needed)

```
bin/console shh:encrypt
```

### Decrypt a value (public key + private key needed)

```
bin/console shh:decrypt
```

### Decrypt secrets in environment variables

This library ships with an environment variable processor. You can use it like this:

```
# config/services.yaml
parameters:
    some_secret_thing: '%env(shh:SOME_ENCRYPTED_SECRET)%'
```

### Working with a secrets file

You can store your encrypted secrets in a `.secrets.json` file at the root of your project directory (you can set a different path in the `SHH_SECRETS_FILE` environment variable).

This file can safely be committed to VCS (as long as the private key isn't).

To encrypt and register a secret in this file, run the following command:

```
bin/console shh:register:secret my_secret # You will be prompted for the value of "my_secret"
```

You can then use your secrets in your configuration files in the following way:

```
# config/services.yaml
parameters:
    my_secret: '%env(shh:key:my_secret:json:file:SHH_SECRETS_FILE)%'
```

### Changing passphrase

You can change your passphrase if needed: this will result in a new private key being generated. The public key remains unchanged.

```
bin/console shh:change:passphrase
```

You then have to update the private key everywhere it is used, and update the `SHH_PASSPHRASE` environment variable as well.

You may do this every time an employee leaves the company, for instance.
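
The key handling from the key principles and the passphrase change above, as an added example that calls PHP's OpenSSL extension directly (not the bundle's own code; the function names, RSA-2048, OAEP padding and AES-256-CBC key wrapping are assumptions). Because the public key stays the same, changing the passphrase re-wraps the same private key, so a retained copy of the old `private.pem` together with the old passphrase still decrypts existing secrets.

```php
<?php
declare(strict_types=1);
// Added illustration with ext-openssl; not the bundle's own code. Function names are
// hypothetical; RSA-2048, OAEP padding and AES-256-CBC key wrapping are assumptions.

function generateKeyPair(string $passphrase): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048])
        ?: throw new RuntimeException('Key generation failed');
    openssl_pkey_export($key, $privatePem, $passphrase, ['encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC]);
    return [$privatePem, openssl_pkey_get_details($key)['key']]; // [encrypted private PEM, public PEM]
}

function loadPrivateKey(string $privatePem, string $passphrase): OpenSSLAsymmetricKey
{
    return openssl_pkey_get_private($privatePem, $passphrase)
        ?: throw new RuntimeException('Wrong passphrase or unreadable private key');
}

function encrypt(string $value, string $publicPem): string
{
    openssl_public_encrypt($value, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)
        ?: throw new RuntimeException('Encryption failed');
    return base64_encode($cipher);
}

function decrypt(string $encoded, string $privatePem, string $passphrase): string
{
    $key = loadPrivateKey($privatePem, $passphrase);
    openssl_private_decrypt(base64_decode($encoded), $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)
        ?: throw new RuntimeException('Decryption failed');
    return $plain;
}

function changePassphrase(string $privatePem, string $old, string $new): string
{
    openssl_pkey_export(loadPrivateKey($privatePem, $old), $rewrapped, $new, ['encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC]);
    return $rewrapped; // same key material, wrapped under the new passphrase
}

[$oldPem, $publicPem] = generateKeyPair('old passphrase');   // constructed sample values
$secret = encrypt('db-password-example', $publicPem);        // needs the public key only
$newPem = changePassphrase($oldPem, 'old passphrase', 'new passphrase');

// Public key derived from the re-wrapped file, compared with the original public key
var_dump(openssl_pkey_get_details(loadPrivateKey($newPem, 'new passphrase'))['key'] === $publicPem);
// Existing ciphertext decrypted with the new file and the new passphrase
var_dump(decrypt($secret, $newPem, 'new passphrase') === 'db-password-example');
// Old passphrase tried against the new file
var_dump(openssl_pkey_get_private($newPem, 'old passphrase') === false);
// Retained copy of the old file, opened with the old passphrase
var_dump(decrypt($secret, $oldPem, 'old passphrase') === 'db-password-example');
```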

Configuration reference
-----------------------

```
# config/packages/shh.yaml
parameters:
    env(SHH_SECRETS_FILE): '%kernel.project_dir%/.secrets.json'

shh:
    private_key_file:     '%kernel.project_dir%/config/shh/private.pem'
    public_key_file:      '%kernel.project_dir%/config/shh/public.pem'
    passphrase:           '%env(SHH_PASSPHRASE)%'
```

Tests
-----

```
./vendor/bin/phpunit
```

Feedback
--------

Don't hesitate to ping me on Symfony Slack: **@bpolaszek**.

License
-------

MIT

