PHPackages                             hegelmax/env-secured - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Utility & Helpers](/categories/utility)
4. /
5. hegelmax/env-secured

ActiveLibrary[Utility & Helpers](/categories/utility)

hegelmax/env-secured
====================

Encrypted configuration manager for PHP (EnvSecured).

v1.0.17(5mo ago)05MITPHPPHP >=8.1

Since Dec 8Pushed 5mo agoCompare

[ Source](https://github.com/hegelmax/php-env-secured)[ Packagist](https://packagist.org/packages/hegelmax/env-secured)[ RSS](/packages/hegelmax-env-secured/feed)WikiDiscussions main Synced 1mo ago

READMEChangelogDependenciesVersions (4)Used By (0)

📦 EnvSecured — Encrypted Configuration Manager for PHP
======================================================

[](#-envsecured--encrypted-configuration-manager-for-php)

[EnvSecured](https://github.com/hegelmax/php-env-secured) is a lightweight, secure, and self-contained PHP module for storing sensitive configuration values (API keys, database credentials, tokens, secrets) in an **encrypted file** and provides a clean interface to access them in runtime.

---

⭐ Key Features
==============

[](#-key-features)

- 🔒 **Encrypted config file** (`config.enc`)
- 🌐 **Browser-based UI** for editing settings
- 📤 **JSON export** (download)
- 📥 **JSON import** (load file into form)
- 🔑 **Automatic key generation** (`keys/*.key`)
- 🧬 **Server-bound encryption** (fingerprint-based)
- 🧩 **Zero global functions** — everything wrapped in PHP classes
- 🚀 **Drop-in integration** into any project
- ⚙️ Can be used:
    - **with Composer**
    - **without Composer**

---

🗂️ Project Structure
====================

[](#️-project-structure)

```
env_secured/
├── _init.php                    → Bootloader (entry point)
├── libs/
│   ├── EnvSecured.php           → Main config manager
│   ├── EnvSecuredCrypto.php     → Encryption engine
│   └── html/
│       ├── page_form.php        → UI template: config editor
│       ├── page_success.php     → UI template: success page
│       └── page_error.php       → UI template: error page
├── configs/                     → Encrypted config files (auto-created)
│   └── config.enc               → Main encrypted config (auto-created)
└── keys/                        → Key files (auto-created)
    ├── sodium.key               → Internal crypto key
    └── secret.key               → Master secret key

```

Both `configs/` and `keys/` directories are created automatically on first use if they do not exist.

---

📦 Installation
==============

[](#-installation)

Option A — Composer (recommended)
---------------------------------

[](#option-a--composer-recommended)

```
composer require hegelmax/env-secured
```

Option B — No Composer
----------------------

[](#option-b--no-composer)

Download the directory:

```
env_secured/

```

and place it anywhere in your project.

---

🚀 Quick Start (Composer version)
================================

[](#-quick-start-composer-version)

```
require __DIR__ . '/vendor/autoload.php';

use EnvSecured\EnvSecured;

$envRoot = __DIR__ . '/env'; // Directory for configs/ and keys/

$env = new EnvSecured($envRoot);
$env->run();

// Retrieve configuration
$config = EnvSecured::get();          // full array
$dbHost = EnvSecured::get('DB_HOST'); // single value
```

---

🚀 Quick Start (No Composer)
===========================

[](#-quick-start-no-composer)

```
require __DIR__ . '/env_secured/init.php';
```

Then read configuration via:

```
$env = EnvSecured::get();  // array
echo EnvSecured::get('API_URL');
```

---

🖥️ First Run — Creating Config
==============================

[](#️-first-run--creating-config)

When no encrypted config exists, opening your init script in a browser shows the Config Editor UI:

```
/env_secured/init.php

```

UI allows:

### ✔ Editing KEY=value rows

[](#-editing-keyvalue-rows)

### ✔ Saving encrypted config (`config.enc`)

[](#-saving-encrypted-config-configenc)

### ✔ Downloading JSON

[](#-downloading-json)

### ✔ Loading JSON into form

[](#-loading-json-into-form)

Folders created automatically:

```
env/
  configs/
    config.enc
  keys/
    sodium.key
    secret.key

```

---

🔒 Encryption Model
==================

[](#-encryption-model)

EnvSecured uses:

- 256-bit `sodium.key`
- 256-bit `secret.key`
- machine + project fingerprint
- XSalsa20-Poly1305 (libsodium)
- unique nonce per encryption
- atomic writes to prevent corruption

Conceptually:

```
fingerprint = HASH( hostname | projectRoot | secret.key )
finalKey    = HASH( fingerprint | sodium.key )
cipher      = base64( nonce | secretbox(plaintext, nonce, finalKey) )

```

---

🛡️ Why It's Safe
================

[](#️-why-its-safe)

- Keys stored outside web root (in `env_secured/keys/`)
- Config stored encrypted (`env_secured/configs/config.enc`)
- No plaintext config on server
- No global functions → no name collisions
- Atomic writes for safe file operations
- Encryption relies on libsodium (modern & secure)

---

⚙️ Configuration in Code
========================

[](#️-configuration-in-code)

Once EnvSecured loads the config:

### 1️⃣ Array access

[](#1️⃣-array-access)

```
$config = EnvSecured::get();
echo $config['DB_HOST'];
```

### 2️⃣ Single value

[](#2️⃣-single-value)

```
echo EnvSecured::get('API_TOKEN');
```

### 3️⃣ Global constants

[](#3️⃣-global-constants)

If constant autodefine is enabled:

```
echo API_TOKEN;
```

Enable via:

```
const ENV_SECURED_CONFIG_DEFINE_CONST = true;
```

---

🛠️ Optional Constants
=====================

[](#️-optional-constants)

Place them **before** calling EnvSecured.

```
const ENV_SECURED_CONFIG_SCHEMA       = 'prod';
const ENV_SECURED_CONFIG_ALLOW_EDIT   = false;
const ENV_SECURED_CONFIG_ALLOW_SESSION = true;
const ENV_SECURED_CONFIG_DEFINE_CONST = true;

const ENV_SECURED_DEFAULTS = [
    ['key' => 'DB_HOST', 'value' => 'localhost'],
    ['key' => 'API_URL', 'value' => 'https://localhost/api'],
];
```

---

🔧 Requirements
==============

[](#-requirements)

- PHP **8.1+**
- `ext-sodium` enabled
- Writable directory for:
    - `configs/`
    - `keys/`

---

💻 JSON Import / Export
======================

[](#-json-import--export)

EnvSecured supports configuration migration via JSON file, that can be useful for:

- migrations
- backups
- moving configs between servers
- Dev → Prod workflows

### Export (Download JSON)

[](#export-download-json)

Downloads a readable `.json` file containing all config values.

### Import (Load JSON)

[](#import-load-json)

Loads a `.json` file directly in the browser and fills the config form.

> No data is sent to the server until **Save (encrypted)** is pressed.

---

📤 Migrating Between Servers
===========================

[](#-migrating-between-servers)

1. On old server → open UI → **Download JSON**
2. Transfer the downloaded file to the new server
3. On new server → open UI → **Load JSON**
4. Click **Save (encrypted)**

A new encrypted config is generated automatically for the new environment; secret keys remain private.

---

🧪 Self-Test (Optional)
======================

[](#-self-test-optional)

Temporary snippet:

```
require_once __DIR__ . '/env_secured/_init.php';

$cipher = (new EnvSecuredCrypto(__DIR__ . '/env_secured'))->encrypt("test");
var_dump($cipher);
```

Then ensure:

```
(new EnvSecuredCrypto(__DIR__ . '/env_secured'))->decrypt($cipher) === "test";
```

---

📄 License
=========

[](#-license)

MIT License. Free for commercial use.

---

© 2025 Maxim Hegel

###  Health Score

35

—

LowBetter than 79% of packages

Maintenance78

Regular maintenance activity

Popularity4

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity45

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~0 days

Total

3

Last Release

151d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/c1c37ceb7a2d3b94918e51813c9ffe93c84729b9c0a79e92d0f6857a5e4dd3e2?d=identicon)[hegelmax](/maintainers/hegelmax)

---

Top Contributors

[![hegelmax](https://avatars.githubusercontent.com/u/12549926?v=4)](https://github.com/hegelmax "hegelmax (11 commits)")

### Embed Badge

![Health badge](/badges/hegelmax-env-secured/health.svg)

```
[![Health](https://phpackages.com/badges/hegelmax-env-secured/health.svg)](https://phpackages.com/packages/hegelmax-env-secured)
```

###  Alternatives

[yavin/symfony-form-tree

create select field with indentation for tree structure

1591.1k1](/packages/yavin-symfony-form-tree)[spatie/laravel-help-space

Integrate Helpspace in your Laravel app

2333.7k](/packages/spatie-laravel-help-space)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)