hegelmax/env-secured
====================

Encrypted configuration manager for PHP (EnvSecured).

v1.0.17 (5mo ago) · MIT · PHP >=8.1

📦 EnvSecured — Encrypted Configuration Manager for PHP
======================================================

[EnvSecured](https://github.com/hegelmax/php-env-secured) is a lightweight, secure, and self-contained PHP module that stores sensitive configuration values (API keys, database credentials, tokens, secrets) in an **encrypted file** and provides a clean interface for accessing them at runtime.

---

⭐ Key Features
==============

- 🔒 **Encrypted config file** (`config.enc`)
- 🌐 **Browser-based UI** for editing settings
- 📤 **JSON export** (download)
- 📥 **JSON import** (load file into form)
- 🔑 **Automatic key generation** (`keys/*.key`)
- 🧬 **Server-bound encryption** (fingerprint-based)
- 🧩 **Zero global functions** — everything wrapped in PHP classes
- 🚀 **Drop-in integration** into any project
- ⚙️ Can be used:
    - **with Composer**
    - **without Composer**

---

🗂️ Project Structure
====================

```
env_secured/
├── _init.php                    → Bootloader (entry point)
├── libs/
│   ├── EnvSecured.php           → Main config manager
│   ├── EnvSecuredCrypto.php     → Encryption engine
│   └── html/
│       ├── page_form.php        → UI template: config editor
│       ├── page_success.php     → UI template: success page
│       └── page_error.php       → UI template: error page
├── configs/                     → Encrypted config files (auto-created)
│   └── config.enc               → Main encrypted config (auto-created)
└── keys/                        → Key files (auto-created)
    ├── sodium.key               → Internal crypto key
    └── secret.key               → Master secret key

```

Both `configs/` and `keys/` directories are created automatically on first use if they do not exist.

---

📦 Installation
==============

Option A — Composer (recommended)
---------------------------------

```
composer require hegelmax/env-secured
```

Option B — No Composer
----------------------

Download the directory:

```
env_secured/

```

and place it anywhere in your project.

---

🚀 Quick Start (Composer version)
================================

```
require __DIR__ . '/vendor/autoload.php';

use EnvSecured\EnvSecured;

$envRoot = __DIR__ . '/env'; // Directory for configs/ and keys/

$env = new EnvSecured($envRoot);
$env->run();

// Retrieve configuration
$config = EnvSecured::get();          // full array
$dbHost = EnvSecured::get('DB_HOST'); // single value
```

---

🚀 Quick Start (No Composer)
===========================

```
require __DIR__ . '/env_secured/init.php';
```

Then read configuration via:

```
$env = EnvSecured::get();  // array
echo EnvSecured::get('API_URL');
```

---

🖥️ First Run — Creating Config
==============================

When no encrypted config exists, opening your init script in a browser shows the Config Editor UI:

```
/env_secured/init.php

```

The UI allows:

- ✔ Editing KEY=value rows
- ✔ Saving encrypted config (`config.enc`)
- ✔ Downloading JSON
- ✔ Loading JSON into form

Folders created automatically:

```
env/
  configs/
    config.enc
  keys/
    sodium.key
    secret.key

```

---

🔒 Encryption Model
==================

EnvSecured uses:

- 256-bit `sodium.key`
- 256-bit `secret.key`
- machine + project fingerprint
- XSalsa20-Poly1305 (libsodium)
- unique nonce per encryption
- atomic writes to prevent corruption

Conceptually:

```
fingerprint = HASH( hostname | projectRoot | secret.key )
finalKey    = HASH( fingerprint | sodium.key )
cipher      = base64( nonce | secretbox(plaintext, nonce, finalKey) )

```
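
The model above, worked through with PHP's libsodium functions as an added example; it is not EnvSecured's own code. It assumes HASH is BLAKE2b (`sodium_crypto_generichash`) and that `|` is a literal separator; `deriveKey`, `seal`, `unseal` and the sample host names and path are hypothetical.

```php
<?php
// Added illustration of the conceptual model; not EnvSecured's own code.
// Assumptions: HASH = BLAKE2b via sodium_crypto_generichash, "|" = a literal
// separator, and deriveKey/seal/unseal are hypothetical names.

function deriveKey(string $host, string $root, string $secretKey, string $sodiumKey): string
{
    // fingerprint = HASH( hostname | projectRoot | secret.key )
    $fingerprint = sodium_crypto_generichash($host . '|' . $root . '|' . $secretKey);
    // finalKey = HASH( fingerprint | sodium.key ), sized for secretbox (32 bytes)
    return sodium_crypto_generichash($fingerprint . '|' . $sodiumKey, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

function seal(string $plaintext, string $key): string
{
    // A fresh random nonce per encryption; it is stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function unseal(string $cipher, string $key): ?string
{
    $raw = base64_decode($cipher, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // malformed or truncated blob
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain; // false means the Poly1305 tag did not verify
}

// Constructed sample inputs: random stand-ins for keys/secret.key and keys/sodium.key.
$secretKey = random_bytes(32);
$sodiumKey = random_bytes(32);
$keyA = deriveKey('web-01', '/var/www/app', $secretKey, $sodiumKey);
$blob = seal('{"DB_HOST":"localhost"}', $keyA);

// Same host, same keys: the plaintext comes back.
var_dump(unseal($blob, $keyA) === '{"DB_HOST":"localhost"}');
// Same key files copied to another hostname: a different finalKey, so decryption is refused.
$keyB = deriveKey('web-02', '/var/www/app', $secretKey, $sodiumKey);
var_dump(unseal($blob, $keyB) === null);
// One flipped bit in the stored blob is rejected by the authenticator.
$raw = base64_decode($blob);
$raw[30] = $raw[30] ^ "\x01";
var_dump(unseal(base64_encode($raw), $keyA) === null);
```

The second check is the server binding at work: under these assumptions, a `config.enc` copied to another host does not decrypt there even when the key files are copied with it.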

---

🛡️ Why It's Safe
================

- Keys stored outside web root (in `env_secured/keys/`)
- Config stored encrypted (`env_secured/configs/config.enc`)
- No plaintext config on server
- No global functions → no name collisions
- Atomic writes for safe file operations
- Encryption relies on libsodium (modern & secure)

---

⚙️ Configuration in Code
========================

Once EnvSecured loads the config:

### 1️⃣ Array access

```
$config = EnvSecured::get();
echo $config['DB_HOST'];
```

### 2️⃣ Single value

```
echo EnvSecured::get('API_TOKEN');
```

### 3️⃣ Global constants

If constant autodefine is enabled:

```
echo API_TOKEN;
```

Enable via:

```
const ENV_SECURED_CONFIG_DEFINE_CONST = true;
```

---

🛠️ Optional Constants
=====================

Place them **before** calling EnvSecured.

```
const ENV_SECURED_CONFIG_SCHEMA        = 'prod';
const ENV_SECURED_CONFIG_ALLOW_EDIT    = false;
const ENV_SECURED_CONFIG_ALLOW_SESSION = true;
const ENV_SECURED_CONFIG_DEFINE_CONST  = true;

const ENV_SECURED_DEFAULTS = [
    ['key' => 'DB_HOST', 'value' => 'localhost'],
    ['key' => 'API_URL', 'value' => 'https://localhost/api'],
];
```

---

🔧 Requirements
==============

- PHP **8.1+**
- `ext-sodium` enabled
- Writable directory for:
    - `configs/`
    - `keys/`

---

💻 JSON Import / Export
======================

EnvSecured supports moving configuration through a JSON file, which is useful for:

- migrations
- backups
- moving configs between servers
- Dev → Prod workflows

### Export (Download JSON)

Downloads a readable (plaintext) `.json` file containing all config values.

### Import (Load JSON)

Loads a `.json` file directly in the browser and fills the config form.

> No data is sent to the server until **Save (encrypted)** is pressed.

---

📤 Migrating Between Servers
===========================

1. On old server → open UI → **Download JSON**
2. Transfer the downloaded file to the new server
3. On new server → open UI → **Load JSON**
4. Click **Save (encrypted)**

A new encrypted config is generated automatically for the new environment; secret keys remain private.

---

🧪 Self-Test (Optional)
======================

Temporary snippet:

```
require_once __DIR__ . '/env_secured/_init.php';

$cipher = (new EnvSecuredCrypto(__DIR__ . '/env_secured'))->encrypt("test");
var_dump($cipher);
```

Then ensure:

```
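// Round-trip check: decrypting the value from the snippet above must give back "test"
var_dump((new EnvSecuredCrypto(__DIR__ . '/env_secured'))->decrypt($cipher) === "test"); // expect bool(true)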
```

---

📄 License
=========

MIT License. Free for commercial use.

---

© 2025 Maxim Hegel

