PHPackages jardissupport/secret - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. jardissupport/secret ActiveLibrary[Security](/categories/security) jardissupport/secret ==================== Secret resolution for encrypted configuration values using AES-256-GCM and Sodium with key provider abstraction v1.0.0(1mo ago)00PolyForm-Noncommercial-1.0.0PHPPHP >=8.2CI passing Since Mar 18Pushed 1mo agoCompare [ Source](https://github.com/jardisSupport/secret)[ Packagist](https://packagist.org/packages/jardissupport/secret)[ Docs](https://github.com/jardisSupport/secret)[ RSS](/packages/jardissupport-secret/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (1)Dependencies (4)Versions (3)Used By (0) Jardis Secret ============= [](#jardis-secret) [![Build Status](https://github.com/jardisSupport/secret/actions/workflows/ci.yml/badge.svg)](https://github.com/jardisSupport/secret/actions/workflows/ci.yml/badge.svg)[![License: PolyForm Shield](https://camo.githubusercontent.com/d8fb46c82be4c5312bf3e372ac734dfdf6a8b328e9c2b2856af671adbb0600a5/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d506f6c79466f726d253230536869656c642d626c75652e737667)](LICENSE.md)[![PHP Version](https://camo.githubusercontent.com/a68b290dcc313d698dc138a1111aa83eee2f143605449d7e8b5416ea6f88558f/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048502d253345253344382e322d3737374242342e737667)](https://www.php.net/)[![PHPStan Level](https://camo.githubusercontent.com/c51bda247654363d3e30bc352674dd761a9557803a14af0226eb411d6dc0006b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d4c6576656c253230382d627269676874677265656e2e737667)](phpstan.neon)[![PSR-12](https://camo.githubusercontent.com/34b10db0caa29bacd49bda5c437a8de95385f036f3230b31fa605326e18da22c/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f436f64652532305374796c652d5053522d2d31322d626c75652e737667)](phpcs.xml)[![Coverage](https://camo.githubusercontent.com/8a8debaaf2a8c8f3ec42ea8765f0d761b91f9b71333f8355f437132278e86eec/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f436f7665726167652d39352e31342532352d627269676874677265656e2e737667)](https://github.com/jardisSupport/secret) > Part of the **[Jardis Business Platform](https://jardis.io)** — Enterprise-grade PHP components for Domain-Driven Design Secret resolution for encrypted configuration values. Encrypt secrets with AES-256-GCM or Sodium, store them safely in `.env` files, and decrypt transparently at load time. Plugs into the DotEnv cast chain — no manual decryption calls needed. --- Features -------- [](#features) - **AES-256-GCM Encryption** — authenticated encryption via OpenSSL; `AesSecretResolver` handles encrypt and decrypt - **Sodium XSalsa20-Poly1305** — libsodium-based encryption via `SodiumSecretResolver` with explicit `sodium:` prefix - **DotEnv Integration** — `SecretHandler` plugs directly into `DotEnv::addHandler()` as a prepended cast handler - **Resolver Chain** — `SecretResolverChain` delegates to the first resolver whose prefix matches the encrypted value - **Key Providers** — `FileKeyProvider` reads a 32-byte key from a file; `EnvKeyProvider` reads from an environment variable; both auto-detect base64 encoding - **Makefile Tooling** — `make generate-key-file`, `make encrypt`, and `make encrypt-sodium` for setup and secret rotation - **Typed Exceptions** — `InvalidKeyException` and `DecryptionFailedException` for precise error handling --- Installation ------------ [](#installation) ``` composer require jardissupport/secret ``` Quick Start ----------- [](#quick-start) ### 1. Generate a key and encrypt a value [](#1-generate-a-key-and-encrypt-a-value) ``` make generate-key-file # Creates support/secret.key make encrypt VALUE="my-database-password" # Outputs: secret(base64...) ``` ### 2. Store the encrypted value in `.env` [](#2-store-the-encrypted-value-in-env) ``` DB_PASSWORD=secret(base64encodedEncryptedValue) ``` ### 3. Integrate with DotEnv [](#3-integrate-with-dotenv) ``` use JardisSupport\DotEnv\DotEnv; use JardisSupport\Secret\Handler\SecretHandler; use JardisSupport\Secret\KeyProvider\FileKeyProvider; $dotEnv = new DotEnv(); $dotEnv->addHandler( new SecretHandler(new FileKeyProvider('support/secret.key')), prepend: true, ); $config = $dotEnv->loadPrivate('/path/to/app'); // $config['DB_PASSWORD'] → decrypted plaintext, no secret() wrapper ``` Advanced Usage -------------- [](#advanced-usage) ``` use JardisSupport\Secret\Handler\SecretHandler; use JardisSupport\Secret\Handler\SecretResolverChain; use JardisSupport\Secret\KeyProvider\EnvKeyProvider; use JardisSupport\Secret\KeyProvider\FileKeyProvider; use JardisSupport\Secret\Resolver\AesSecretResolver; use JardisSupport\Secret\Resolver\SodiumSecretResolver; use JardisSupport\DotEnv\DotEnv; // Key from environment variable instead of a file // EnvKeyProvider auto-detects base64-encoded keys $keyProvider = new EnvKeyProvider('APP_SECRET_KEY'); // Build a custom resolver chain with explicit ordering // Sodium resolver matches 'sodium:...' prefix; AES is the catch-all fallback $chain = (new SecretResolverChain()) ->addResolver(new SodiumSecretResolver($keyProvider)) ->addResolver(new AesSecretResolver($keyProvider)); // Encrypt a Sodium value (e.g. in a setup script) // make encrypt-sodium VALUE="my-api-key" → secret(sodium:base64...) // .env with mixed encryption algorithms: // DB_PASSWORD=secret(base64AesEncryptedValue) // API_KEY=secret(sodium:base64SodiumEncryptedValue) // PLAIN=no-encryption-needed $dotEnv = new DotEnv(); $dotEnv->addHandler(new SecretHandler($keyProvider), prepend: true); // SecretHandler automatically wires both AES and Sodium resolvers; // use a manual chain only when you need fine-grained resolver control $config = $dotEnv->loadPrivate('/path/to/app'); // DB_PASSWORD → AES-decrypted string // API_KEY → Sodium-decrypted string // PLAIN → 'no-encryption-needed' (passed through unchanged) ``` Documentation ------------- [](#documentation) Full documentation, guides, and API reference: **[jardis.io/docs/support/secret](https://jardis.io/docs/support/secret)** License ------- [](#license) This package is licensed under the [PolyForm Shield License 1.0.0](LICENSE.md). Free for all use except building competing frameworks or developer tooling. --- **[Jardis](https://jardis.io)** · [Documentation](https://jardis.io/docs) · [Headgent](https://headgent.com) ### Health Score 39 — LowBetter than 85% of packages Maintenance96 Actively maintained with recent releases Popularity0 Limited adoption so far Community6 Small or concentrated contributor base Maturity47 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 52d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/e07a1b668e9e01ee6d1b85de7b3be1c2513f68aae9494b2011d1592104d5daa0?d=identicon)[jardis](/maintainers/jardis) --- Top Contributors [![Headgent](https://avatars.githubusercontent.com/u/245725954?v=4)](https://github.com/Headgent "Headgent (1 commits)") --- Tags encryptionaesenvironmentdotenvDomain Driven DesignsecretsodiumHeadgentJardisPortjardisjardisSupport ### Code Quality TestsPHPUnit Static AnalysisPHPStan Code StylePHP\_CodeSniffer Type Coverage Yes ### Embed Badge ![Health badge](/badges/jardissupport-secret/health.svg) ``` [![Health](https://phpackages.com/badges/jardissupport-secret/health.svg)](https://phpackages.com/packages/jardissupport-secret) ``` ### Alternatives [phpseclib/phpseclib PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. 5.6k434.8M1.3k](/packages/phpseclib-phpseclib)[defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M212](/packages/defuse-php-encryption)[johnathanmiller/secure-env-php Encrypt environment files for production use. 6054.3k2](/packages/johnathanmiller-secure-env-php)[nzo/url-encryptor-bundle The NzoUrlEncryptorBundle is a Symfony Bundle used to Encrypt and Decrypt data and variables in the Web application or passed through URL 961.0M2](/packages/nzo-url-encryptor-bundle)[mmeyer2k/dcrypt A petite library of encryption functionality for PHP 98727.2k1](/packages/mmeyer2k-dcrypt)[psecio/secure_dotenv An encrypted environment configuration handler 11537.7k2](/packages/psecio-secure-dotenv) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)