PHPackages                             code16/occulta - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. code16/occulta

ActiveLibrary[Security](/categories/security)

code16/occulta
==============

Store an encrypted with kms and versioned copy of .env

v2.0.0(10mo ago)0393↑91.5%[3 PRs](https://github.com/code16/occulta/pulls)MITPHPPHP ^8.3CI passing

Since May 4Pushed 1mo ago1 watchersCompare

[ Source](https://github.com/code16/occulta)[ Packagist](https://packagist.org/packages/code16/occulta)[ Docs](https://github.com/code16/occulta)[ RSS](/packages/code16-occulta/feed)WikiDiscussions main Synced 1mo ago

READMEChangelog (1)Dependencies (11)Versions (15)Used By (0)

Occulta
=======

[](#occulta)

Purpose
-------

[](#purpose)

Save a versioned and encrypted copy of .env on a storage disk (eg: S3)

How it works
------------

[](#how-it-works)

Occulta uses [AWS KMS](https://aws.amazon.com/kms/) and [Envelope encryption strategy](https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#enveloping) to encrypt your `.env` file and store it on a given laravel disk (eg: S3). It also keeps a versioned history of your encrypted `.env` files, so you can restore previous versions if needed.
Occulta will create an archive containing your encrypted environment file and an encrypted key file, which will be used by occulta to decrypt your env when needed.

Installation
------------

[](#installation)

This package requires Laravel 11.x or higher, php's extensions openssl and zip.

You can install the package via composer:

```
composer require code16/occulta
```

Next you should publish the config file :

```
php artisan vendor:publish --tag=occulta-config
```

and setup your values (especially the kms `key_id` and `destination disk`) in your `config/occulta.php` file :

```
return [
        // kms key id as seen in aws's kms dashboard (usually it looks like an uuid)
        'key_id' => '0904c439-ff1f-4e9d-8a26-4e32ced6fe0x',

        [...]

        'destination_disk' => 's3_backup',
        'destination_path' => null, // defaults to 'dotenv/'

        // If you want to backup an env file with a suffix such as .env.production, you can set this to your desired suffix
        'env_suffix' => null, // eg: 'production'

        [...]
    ];
```

Then, you should setup credentials to the proper aws user [allowed](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-users) to "use" the given kms key, by adding a kms section in your `config/services.php` file :

```
    'kms' => [
        'key' => env('AWS_ACCESS_KEY_ID'),
        'secret' => env('AWS_SECRET_ACCESS_KEY'),
        'region' => 'eu-central-1',
    ],
```

Now you should schedule tasks for backup and cleanup in `app/Console/Kernel.php` (`bootstrap/app.php` since Laravel 11) :

```
    protected function schedule(Schedule $schedule)
    {
        $schedule->command('occulta:encrypt')->dailyAt('01:00');
        $schedule->command('occulta:clean')->dailyAt('02:00');
    }
```

### Decrypting an encrypted env archive

[](#decrypting-an-encrypted-env-archive)

If you need to decrypt an encrypted env archive, you can use the `occulta:decrypt` command:

```
php artisan occulta:decrypt path/to/encrypted/archive.zip
```

Occulta will use your KMS configuration and AWS access and secret keys to decrypt your env file.

Important

It is likely that these credentials where in your lost .env, then, you can follow the [recovery procedure](docs/RECOVERY.md) to restore your environment.

Testing
-------

[](#testing)

The package comes with a comprehensive test suite. To run the tests, you can use the following command:

```
composer test
```

The tests cover:

- The main `Occulta` class functionality for encrypting and decrypting values and files
- The `EncryptFileWithKmsCommand` for encrypting .env files and storing them
- The `DecryptFileWithKmsCommand` for extracting and decrypting .env files from zip archives
- The `CleanupEncryptedDotenvsCommand` for managing the history of encrypted .env files

The tests use mocks for AWS KMS to avoid actual AWS calls during testing.

###  Health Score

47

—

FairBetter than 93% of packages

Maintenance79

Regular maintenance activity

Popularity16

Limited adoption so far

Community11

Small or concentrated contributor base

Maturity70

Established project with proven stability

 Bus Factor2

2 contributors hold 50%+ of commits

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~114 days

Total

11

Last Release

320d ago

Major Versions

v1.2.3 → v2.x-dev2025-06-23

PHP version history (5 changes)v1.0.0PHP ^8.1

v1.1.0PHP ^8.1|^8.2

v1.2.1PHP ^8.1|^8.2|^8.3

v1.2.2PHP ^8.1|^8.2|^8.3|^8.4

v2.x-devPHP ^8.3

### Community

Maintainers

![](https://www.gravatar.com/avatar/f97dcdc942d25d5b5720b790d5f28e6accc6f05370cf5a6b52b78abc60c29e57?d=identicon)[code16](/maintainers/code16)

---

Top Contributors

[![PatrickePatate](https://avatars.githubusercontent.com/u/16721134?v=4)](https://github.com/PatrickePatate "PatrickePatate (23 commits)")[![smknstd](https://avatars.githubusercontent.com/u/2412608?v=4)](https://github.com/smknstd "smknstd (11 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (7 commits)")[![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4)](https://github.com/github-actions[bot] "github-actions[bot] (7 commits)")

---

Tags

laravelcode16occulta

###  Code Quality

TestsPest

### Embed Badge

![Health badge](/badges/code16-occulta/health.svg)

```
[![Health](https://phpackages.com/badges/code16-occulta/health.svg)](https://phpackages.com/packages/code16-occulta)
```

###  Alternatives

[spatie/laravel-ciphersweet

Use ciphersweet in your Laravel project

416718.4k1](/packages/spatie-laravel-ciphersweet)[hirethunk/verbs

An event sourcing package that feels nice.

513162.9k6](/packages/hirethunk-verbs)[wnx/laravel-backup-restore

A package to restore database backups made with spatie/laravel-backup.

203330.1k2](/packages/wnx-laravel-backup-restore)[spatie/laravel-site-search

A site search engine

300129.1k](/packages/spatie-laravel-site-search)[vormkracht10/laravel-mails

Laravel Mails can collect everything you might want to track about the mails that has been sent by your Laravel app.

24149.7k](/packages/vormkracht10-laravel-mails)[nativephp/desktop

NativePHP for Desktop

34020.6k3](/packages/nativephp-desktop)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)