PHPackages neosmart/securestore - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. neosmart/securestore ActiveLibrary[Security](/categories/security) neosmart/securestore ==================== Load and decrypt SecureStore vault secrets. 1.1.0(2mo ago)13MITPHPPHP >=8.0 Since Mar 31Pushed 2mo agoCompare [ Source](https://github.com/neosmart/securestore-php)[ Packagist](https://packagist.org/packages/neosmart/securestore)[ Docs](https://neosmart.net/SecureStore/)[ Fund](https://mqudsi.com/donate/)[ Fund](https://neosmart.net/donate/)[ RSS](/packages/neosmart-securestore/feed)WikiDiscussions master Synced 3w ago READMEChangelogDependencies (1)Versions (3)Used By (0) [![Latest Stable Version](https://camo.githubusercontent.com/348a6b6314980716964406b3f0a8797a9a025758944b42f6dd52f0682dc9f191/687474703a2f2f706f7365722e707567782e6f72672f6e656f736d6172742f73656375726573746f72652f76)](https://packagist.org/packages/neosmart/securestore) [![Latest Unstable Version](https://camo.githubusercontent.com/74ff9f574bf456bfad762e74c2fed3867a870d26be3f88f5478b1f5f716fd809/687474703a2f2f706f7365722e707567782e6f72672f6e656f736d6172742f73656375726573746f72652f762f756e737461626c65)](https://packagist.org/packages/neosmart/securestore) [![License](https://camo.githubusercontent.com/71d55b8c13e84074aa00ce9fefe7f6041548c483dede6e051ab5e89a15191f04/687474703a2f2f706f7365722e707567782e6f72672f6e656f736d6172742f73656375726573746f72652f6c6963656e7365)](https://packagist.org/packages/neosmart/securestore) [![PHP Version Require](https://camo.githubusercontent.com/d9f5fe4ecd8c0add86c98e42f258dbd26ef2d031838efd836b1d1bbb3a26cd94/687474703a2f2f706f7365722e707567782e6f72672f6e656f736d6172742f73656375726573746f72652f726571756972652f706870)](https://packagist.org/packages/neosmart/securestore) SecureStore PHP library ======================= [](#securestore-php-library) This repository/package houses a PHP implementation of the cross-platform, language-agnostic [SecureStore secrets specification](https://neosmart.net/SecureStore). In particular, this library may be used for interacting with [SecureStore](https://github.com/neosmart/securestore-rs) secrets containers, providing an easy-to-use and idiomatic interface for loading SecureStore containers and decrypting/retrieving secrets from within your existing PHP code. SecureStore [implementations for other languages](https://neosmart.net/SecureStore/) are also available. Usage ----- [](#usage) *This PHP library is largely intended to be used alongside one of the SecureStore cli companion apps, used to create SecureStore values and manage (add/remove/update) the secrets stored therein. In this example, we'll be using the [`ssclient`](https://github.com/neosmart/securestore-rs/tree/master/ssclient) cli utility to create a new store.* ### Creating a secrets vault [](#creating-a-secrets-vault) Typical SecureStore usage begins by creating a new SecureStore "vault" (an encrypted secrets container) that will store the credentials (usually both usernames and passwords) that your app will need. Begin by compiling or downloading and installing a copy of [`ssclient`](https://github.com/neosmart/securestore-rs/tree/master/ssclient), the SecureStore companion cli. While you can compile it yourself or manually download [pre-built binaries for your platform](https://github.com/neosmart/securestore-rs/releases), you might find it easiest to just install it with `npm`: ``` ~> npm install --global @neosmart/ssclient ``` after which you can proceed with the following steps: ``` ~> mkdir secure/ ~> cd secure/ ~> ssclient create --export-key secrets.key secrets.json Password: ************ Confirm Password: ************ # Now you can use `ssclient -p` with your password or # `ssclient -k secrets.key` to encrypt/decrypt with # the same keys. ``` ### Adding secrets [](#adding-secrets) Secrets may be added with your password or the equivalent encryption key file, and may be specified in-line as arguments to `ssclient` or more securely at a prompt by omitting the value when calling `ssclient create`: ``` # ssclient defaults to password-based decryption: ~> ssclient set aws:s3:accessId AKIAV4EXAMPLE7QWERT Password: ********* ``` similarly: ``` # Use `-k secrets.key` to load the encryption key and # skip the prompt for the vault password: ~> ssclient -k secrets.key set aws:s3:accessKey Value: v1Lp9X7mN2B5vR8zQ4tW1eY6uI0oP3aS5dF7gH9j ``` ### Retrieving secrets [](#retrieving-secrets) Secrets can be retrieved [at the commandline with `ssclient`](https://github.com/neosmart/securestore-rs/tree/master/ssclient) or programmatically with a SecureStore library [for your development language or framework of choice](https://neosmart.net/SecureStore). This library contains the PHP implementation of the SecureStore protocol. The implementation is fully contained within the single `SecureStore.php` file and also published to packagist for use with `composer` – use whichever option you are most comfortable with. ``` composer require neosmart/securestore ``` ``` // require_once("SecureStore.php"); // or // require __DIR__ . '/vendor/autoload.php'; use NeoSmart\SecureStore\SecretsManager; use NeoSmart\SecureStore\KeySource; // Load a vault using the decryption key file $sm = SecretsManager::fromFile( 'secure/secrets.json', KeySource::fromFile('secure/secrets.key') ); // List all secrets $allKeys = $sm->keys(); // Retrieve and decrypt secrets $accessId = $sm->get('aws:s3:accessId'); $accessKey = $sm->get('aws:s3:accessKey'); // Continue to use them as you normally would ``` While it is **strongly recommended** to only load secrets programmatically via the encryption key, an alternative `KeySource::fromPassword("your-password")` interface is also available (this can be used if you're developing an interactive tool using SecureStore, for example). Shorthand convenience methods like `loadWithPassword()` and `loadWithKeyFile()` are also provided for simpler initialization in the usual cases. API overview ============ [](#api-overview) The `SecureStore` library provides a high-level interface for decrypting and accessing secrets stored in SecureStore v3 vaults. ### `NeoSmart\SecureStore\SecretsManager` [](#neosmartsecurestoresecretsmanager) The primary class used to load vaults and retrieve decrypted secrets. MethodDescription`static fromFile(string $path, KeySource $keySource): self`**(Recommended)** Load a SecureStore vault from a SecureStore vault on disk.`static fromJson(string $json, KeySource $keySource): self`**(Recommended)** Load a SecureStore vault from raw SecureStore JSON contents.`static loadWithKeyFile(string $path, string $keyPath): self`*(Convenience)* Load and decrypt a vault using a SecureStore key file.`static loadWithPassword(string $path, string $password): self`*(Convenience)* Load and decrypt a vault with a password.`get(string $name): ?string`Retrieves and decrypts a specific secret by its key name. Returns `null` if the secret does not exist.`keys(): array`Returns an array containing the names of all secrets available in the loaded vault.--- ### `NeoSmart\SecureStore\KeySource` [](#neosmartsecurestorekeysource) An abstraction layer used to define the source of the decryption key (either a user-provided password or a cryptographic master key). MethodDescription`static fromFile(string $path): self`Loads a decryption key from a file. Supports raw binary or ASCII-armored (PEM-style) SecureStore formats.`static fromPassword(string $password): self`Initializes a key source using a password. The decryption key will be derived per the SecureStore v3 spec.`static fromKey(array|string $key): self`Loads a decryption key from a raw string or an array of bytes. ### Health Score 36 — LowBetter than 79% of packages Maintenance86 Actively maintained with recent releases Popularity5 Limited adoption so far Community6 Small or concentrated contributor base Maturity40 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~18 days Total 2 Last Release 71d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/c2643dd7c6df61aed49d9f3d917ac6d61cafbbda5f9b1619f50d3b749dca415a?d=identicon)[mqudsi](/maintainers/mqudsi) --- Top Contributors [![mqudsi](https://avatars.githubusercontent.com/u/606923?v=4)](https://github.com/mqudsi "mqudsi (17 commits)") --- Tags encryptionsecret-managementsecretsencryptionsecrets ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/neosmart-securestore/health.svg) ``` [![Health](https://phpackages.com/badges/neosmart-securestore/health.svg)](https://phpackages.com/packages/neosmart-securestore) ``` ### Alternatives [phpseclib/phpseclib PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. 5.6k455.2M1.5k](/packages/phpseclib-phpseclib)[defuse/php-encryption Secure PHP Encryption Library 3.9k170.7M239](/packages/defuse-php-encryption)[paragonie/ciphersweet Searchable field-level encryption library for relational databases 4671.3M23](/packages/paragonie-ciphersweet)[ass/xmlsecurity The XmlSecurity library is written in PHP for working with XML Encryption and Signatures 955.6M33](/packages/ass-xmlsecurity)[pear/crypt_gpg Provides an object oriented interface to the GNU Privacy Guard (GnuPG). It requires the GnuPG executable to be on the system. 954.5M12](/packages/pear-crypt-gpg)[nzo/url-encryptor-bundle The NzoUrlEncryptorBundle is a Symfony Bundle used to Encrypt and Decrypt data and variables in the Web application or passed through URL 951.1M2](/packages/nzo-url-encryptor-bundle) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)