
netresearch/nr-vault
====================

Secure secrets management for TYPO3 with envelope encryption, access control, and audit logging

v0.4.6 (2mo ago) · 211.1k ↑189.5% · [1 issue](https://github.com/netresearch/t3x-nr-vault/issues) · 1 · GPL-2.0-or-later · PHP · PHP ^8.2 · CI failing

Since Jan 5 · Pushed 1mo ago · 1 watcher

[Source](https://github.com/netresearch/t3x-nr-vault) · [Packagist](https://packagist.org/packages/netresearch/nr-vault) · [Docs](https://github.com/netresearch/t3x-nr-vault) · [RSS](/packages/netresearch-nr-vault/feed)

nr-vault: Secure Secrets Management for TYPO3
=============================================

Badges: [CI](https://github.com/netresearch/t3x-nr-vault/actions/workflows/ci.yml) · [codecov](https://codecov.io/gh/netresearch/t3x-nr-vault) · [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/netresearch/t3x-nr-vault) · [OpenSSF Best Practices](https://www.bestpractices.dev/projects/11695) · [TYPO3 13.4 | 14](https://typo3.org/) · [PHP 8.2+](https://www.php.net/) · [PHPStan level 10](https://phpstan.org/) · [License GPL-2.0-or-later](LICENSE) · [Latest Release](https://github.com/netresearch/t3x-nr-vault/releases) · [Contributor Covenant 3.0](CODE_OF_CONDUCT.md) · [SLSA 3](https://slsa.dev)

*Enterprise-grade secret management without enterprise-grade complexity.*

The Problem
-----------

Your TYPO3 site integrates with Stripe, SendGrid, Google Maps, and a dozen other services. **Where are those API keys right now?**

Probably in plain text in `LocalConfiguration.php`, unencrypted in a database field, or hardcoded somewhere accessible to every backend user.

If your database leaks, your secrets leak. If you need to rotate a compromised key, you're editing config files and redeploying.

How Secrets Are Typically Stored
--------------------------------

| Method | Security | Operational Reality |
|---|---|---|
| **External Services** (HashiCorp Vault, AWS SM) | ⭐⭐⭐⭐⭐ | Infrastructure cost, network access, auth to service |
| **Environment Variables** | ⭐⭐⭐ | Deployment/host access required, restart to change, **no rotation UI, no audit trail** |
| **Files outside webroot** | ⭐⭐⭐ | Deployment/host access required, **hard to rotate, no management interface** |
| **nr-vault (encrypted DB)** | ⭐⭐⭐⭐ | Runtime manageable via TYPO3 backend, rotate anytime, full audit trail |
| **Plain text in config/DB** | ⭐ | ❌ No protection |

Why nr-vault?
-------------

All "more secure" methods require either external infrastructure, deployment pipelines, or server access. And they all lack a management UI and audit trail.

| Challenge | Env Vars / Files | nr-vault |
|---|---|---|
| **Rotate a compromised API key** | Call DevOps, redeploy, restart | Click in backend, done |
| **See who accessed a secret** | Check deploy logs (if any) | Full audit log with timestamps |
| **Emergency credential revocation** | Wait for deployment pipeline | Immediate via backend module |
| **Non-technical editor updates SMTP password** | Create support ticket | Self-service in backend |
| **Compliance audit: prove access history** | Manually correlate logs | Export tamper-evident audit trail |

Solution
--------

nr-vault provides:

- **Envelope encryption** with AES-256-GCM via libsodium
- **Master key management** (file, environment variable, or derived)
- **Per-secret access control** via backend user groups with context scoping
- **Audit logging** of all secret access with tamper-evident hash chain
- **Key rotation** support for both secrets and master key
- **TCA integration** via custom `vaultSecret` field type
- **Vault HTTP Client** - make authenticated API calls without exposing secrets
- **CLI commands** for DevOps automation
- **Pluggable adapter architecture** (external vault adapters planned for future releases)

Architecture
------------

```
flowchart TB
    subgraph TYPO3["TYPO3 Backend"]
        subgraph Entry["Entry Points"]
            TCA["TCA Field(vaultSecret)"]
            Backend["Backend Module(Secrets Manager)"]
            CLI["CLI Commands"]
        end

        TCA & Backend & CLI --> VaultService

        subgraph VaultService["VaultService"]
            API["store() | retrieve() | rotate() | delete() | list() | http()"]
        end

        VaultService --> AccessControl["AccessControlService"]
        VaultService --> Encryption["EncryptionService"]
        VaultService --> Audit["AuditLogService"]

        Encryption --> Adapters

        subgraph Adapters["Vault Adapters"]
            Local["LocalDatabase(DEFAULT)"]
            Future["Future: HashiCorp,AWS, Azure"]
        end
    end
```

Encryption Model
----------------

Uses **envelope encryption** (same pattern as AWS KMS, Google Cloud KMS):

```
flowchart TB
    MK["🔐 Master Key(stored outside database)"]
    DEK["🔑 Data Encryption Key (DEK)(unique per secret)"]
    Secret["📄 Secret Value(API key, password, token)"]

    MK -->|encrypts| DEK
    DEK -->|encrypts| Secret
```

Benefits:

- Master key rotation only requires re-encrypting DEKs (fast)
- Each secret has unique encryption
- Compromise of one secret doesn't expose others
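The envelope model above, worked through as an added PHP example (constructed here, not nr-vault's own code): each secret gets its own DEK, the master key only ever wraps DEKs, and master key rotation re-wraps the DEKs without touching the secret ciphertexts. It uses ext-sodium's XChaCha20-Poly1305 AEAD, the fallback the README names for CPUs without AES-NI; the row layout, function names and sample secret are assumptions.

```php
<?php
// Constructed illustration of the envelope model above; not nr-vault's own code.
// XChaCha20-Poly1305 is used because it needs no AES-NI; the sodium AES-256-GCM calls take the same arguments.
const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24 bytes
/** Encrypts $plaintext under a fresh per-secret DEK, then wraps that DEK under $masterKey. */
function sealSecret(string $identifier, string $plaintext, string $masterKey): array
{
    $dek = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
    $row = ['identifier' => $identifier, 'secret_nonce' => random_bytes(NONCE_LEN), 'dek_nonce' => random_bytes(NONCE_LEN)];
    // The identifier is bound as associated data, so a ciphertext copied into another row will not decrypt.
    $row['secret_ct'] = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $identifier, $row['secret_nonce'], $dek);
    $row['dek_ct'] = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($dek, $identifier, $row['dek_nonce'], $masterKey);
    sodium_memzero($dek);
    return $row;
}

/** Unwraps the DEK with $masterKey, then decrypts the secret; any tampering fails the AEAD tag check. */
function openSecret(array $row, string $masterKey): string
{
    $dek = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($row['dek_ct'], $row['identifier'], $row['dek_nonce'], $masterKey);
    if ($dek === false) {
        throw new RuntimeException('DEK unwrap failed: wrong master key or tampered row');
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($row['secret_ct'], $row['identifier'], $row['secret_nonce'], $dek);
    sodium_memzero($dek);
    if ($plain === false) {
        throw new RuntimeException('Secret decrypt failed: tampered ciphertext');
    }
    return $plain;
}

/** Master key rotation re-wraps only the DEK; secret_ct stays byte-for-byte unchanged. */
function rewrapDek(array $row, string $oldMasterKey, string $newMasterKey): array
{
    $dek = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($row['dek_ct'], $row['identifier'], $row['dek_nonce'], $oldMasterKey);
    if ($dek === false) {
        throw new RuntimeException('DEK unwrap failed during rotation');
    }
    $row['dek_nonce'] = random_bytes(NONCE_LEN);
    $row['dek_ct'] = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($dek, $row['identifier'], $row['dek_nonce'], $newMasterKey);
    sodium_memzero($dek);
    return $row;
}
$oldMk = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();        // in production: loaded from a file or env var
$row = sealSecret('stripe_api_key', 'sk_test_constructed', $oldMk); // constructed sample secret
$newMk = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$rotated = rewrapDek($row, $oldMk, $newMk);
assert($rotated['secret_ct'] === $row['secret_ct']);                // rotation never re-encrypted the secret
assert(openSecret($rotated, $newMk) === 'sk_test_constructed');
```

Run with `zend.assertions=1` so the two `assert()` checks at the end are evaluated.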

Quick Start
-----------

### Store and Retrieve Secrets

```
use Netresearch\NrVault\Service\VaultServiceInterface;

class MyService
{
    public function __construct(
        private readonly VaultServiceInterface $vault,
    ) {}

    public function storeApiKey(string $provider, string $apiKey): void
    {
        $this->vault->store(
            identifier: "my_extension_{$provider}_api_key",
            secret: $apiKey,
            options: [
                'owner' => $GLOBALS['BE_USER']->user['uid'],
                'groups' => [1, 2],  // Admin, Editor groups
                'context' => 'payment',  // Permission scoping
                'expiresAt' => time() + 86400 * 90,  // 90 days
            ]
        );
    }

    public function getApiKey(string $provider): ?string
    {
        return $this->vault->retrieve("my_extension_{$provider}_api_key");
    }
}
```

### Vault HTTP Client

Make authenticated API calls without exposing secrets to your code:

```
use GuzzleHttp\Psr7\Request;
use Netresearch\NrVault\Http\SecretPlacement;
use Netresearch\NrVault\Http\VaultHttpClientInterface;

class PaymentService
{
    public function __construct(
        private readonly VaultHttpClientInterface $httpClient,
    ) {}

    public function chargeCustomer(array $payload): array
    {
        // Configure vault-based authentication (returns a new immutable client)
        $client = $this->httpClient->withAuthentication('stripe_api_key', SecretPlacement::Bearer);

        // Send a standard PSR-7 request - the secret is injected automatically
        $request = new Request(
            'POST',
            'https://api.stripe.com/v1/charges',
            ['Content-Type' => 'application/json'],
            json_encode($payload),
        );
        $response = $client->sendRequest($request);

        return json_decode($response->getBody()->getContents(), true);
    }
}
```

Secret placement options: `Bearer`, `BasicAuth`, `Header`, `QueryParam`, `BodyField`, `ApiKey`, `OAuth2`.

TCA Integration
---------------

```
'api_key' => [
    'label' => 'API Key',
    'config' => [
        'type' => 'input',
        'renderType' => 'vaultSecret',
        'size' => 30,
    ],
],
```

CLI Commands
------------

```
# Initialize vault (create master key)
vendor/bin/typo3 vault:init

# List secrets (respects access control)
vendor/bin/typo3 vault:list

# Rotate a secret
vendor/bin/typo3 vault:rotate my_secret_id --reason="Scheduled rotation"

# Rotate master key (re-encrypts all DEKs)
vendor/bin/typo3 vault:rotate-master-key --new-key=/path/to/new.key --confirm

# View audit log
vendor/bin/typo3 vault:audit --identifier=my_secret_id --days=30
```

Requirements
------------

- **TYPO3**: v13.4 / v14.0+
- **PHP**: ^8.2
- **Extensions**: `ext-sodium` (bundled with PHP)
- **CPU**: AES-NI support recommended (XChaCha20-Poly1305 fallback available)

Documentation
-------------

Full documentation is available in the `Documentation/` folder and can be rendered with the TYPO3 documentation tools.

### Render locally

```
docker run --rm -v $(pwd):/project ghcr.io/typo3-documentation/render-guides:latest --progress Documentation
# Open Documentation-GENERATED-temp/Index.html
```

### Planning documents

Internal development documents are available in `docs/`:

- [Architecture](docs/architecture.md) - System architecture overview
- [API Reference](docs/api.md) - Service API documentation
- [Database Schema](docs/database.md) - Database structure
- [Security Considerations](docs/security.md) - Security design decisions
- [Use Cases](docs/use-cases.md) - Supported use cases

Feature Comparison
------------------

| Feature | nr-vault | Drupal Key | Laravel Secrets | Symfony Secrets |
|---|---|---|---|---|
| Envelope encryption | Yes | No | No | No |
| Per-secret DEKs | Yes | No | No | No |
| External vault support | Planned | Pluggable | Limited | HashiCorp |
| Access control | BE groups + context | By key | N/A | N/A |
| Audit logging | Full + hash chain | Limited | None | None |
| TCA/Form integration | Native | Form API | N/A | N/A |
| Key rotation CLI | Yes | Manual | Yes | Yes |
| HTTP client | Yes | No | No | No |
| OAuth auto-refresh | Yes | No | No | No |

Roadmap
-------

- **Phase 1-5**: Core functionality (current focus)
- **Phase 6**: External adapters (HashiCorp, AWS, Azure) + Optional Rust FFI for zero-PHP-exposure
- **Phase 7**: Service Registry - abstract away both credentials AND endpoints

Installation
------------

```
composer require netresearch/nr-vault
```

Or in DDEV:

```
ddev start
ddev install-v14
ddev vault-init
```

License
-------

GPL-2.0-or-later

---

Developed by [Netresearch DTT GmbH](https://www.netresearch.de/) - Enterprise TYPO3 Solutions

