Neuron-PHP

SecretManager
in package

Manages encrypted credentials and secrets

Provides functionality to create, edit, and manage encrypted credential files similar to Rails encrypted credentials. Supports environment-specific secrets and secure key management.

Table of Contents

Properties

$encryptor  : IEncryptor
$fs  : IFileSystem

Methods

__construct()  : mixed
edit()  : bool
Edit encrypted credentials file
encrypt()  : bool
Encrypt plaintext credentials
generateKey()  : string
Generate a new encryption key
rotateKey()  : bool
Rotate encryption keys
show()  : string
Show decrypted credentials
validate()  : bool
Validate that credentials can be decrypted
ensureKey()  : string
Ensure key exists, create if needed
generateSecureToken()  : string
Generate a cryptographically secure random token for temporary files
normalizePath()  : string
Normalize a file path for comparison
readKey()  : string
Read a key from file or environment variable

Properties

Methods

__construct()

public __construct([IEncryptor|null $encryptor = null ][, IFileSystem|null $fs = null ]) : mixed
Parameters
$encryptor : IEncryptor|null = null

Encryption implementation (defaults to OpenSSLEncryptor)

$fs : IFileSystem|null = null

File system implementation (defaults to RealFileSystem)

edit()

Edit encrypted credentials file

public edit(string $credentialsPath, string $keyPath[, string $editor = 'vi' ]) : bool

Opens the decrypted credentials in an editor, then re-encrypts on save. Similar to Rails' credentials:edit command.

Parameters
$credentialsPath : string

Path to encrypted credentials file

$keyPath : string

Path to encryption key file

$editor : string = 'vi'

Editor command to use (default: vi)

Tags
throws
Exception

If editing fails

Return values
bool

True if edit was successful

encrypt()

Encrypt plaintext credentials

public encrypt(string $plaintextPath, string $credentialsPath, string $keyPath) : bool
Parameters
$plaintextPath : string

Path to plaintext YAML file

$credentialsPath : string

Path where encrypted file will be saved

$keyPath : string

Path to encryption key file

Tags
throws
Exception

If encryption fails

Return values
bool

True if successful

generateKey()

Generate a new encryption key

public generateKey(string $keyPath[, bool $force = false ]) : string
Parameters
$keyPath : string

Path where key will be saved

$force : bool = false

Overwrite existing key if true

Tags
throws
Exception

If key generation fails or file exists and force is false

Return values
string

The generated key

rotateKey()

Rotate encryption keys

public rotateKey(string $credentialsPath, string $oldKeyPath, string $newKeyPath) : bool

Re-encrypts credentials with a new key in an atomic operation to prevent data loss if any step fails. The old key and credentials are preserved until the entire operation succeeds.

Parameters
$credentialsPath : string

Path to encrypted credentials file

$oldKeyPath : string

Path to current encryption key

$newKeyPath : string

Path where new key will be saved

Tags
throws
Exception

If rotation fails

Return values
bool

True if successful
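The ordering that makes a rotation like this safe to interrupt, as an added example and not Neuron-PHP's own code. It assumes PHP 8+, AES-256-GCM from the openssl extension, a hex-encoded key file and a base64 `nonce || tag || ciphertext` blob; all function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration, not Neuron-PHP code. Assumed: hex key file, base64(nonce||tag||ciphertext) blob.

function readTrimmed(string $path): string
{
    $data = @file_get_contents($path);
    return $data !== false ? trim($data) : throw new RuntimeException("cannot read $path");
}

function seal(string $plain, string $key): string
{
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $ct !== false ? base64_encode($nonce . $tag . $ct) : throw new RuntimeException('encryption failed');
}

function unseal(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    $plain = ($raw === false || strlen($raw) < 28 || strlen($key) !== 32) ? false : openssl_decrypt(
        substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $plain !== false ? $plain : throw new RuntimeException('decryption failed: wrong key or modified file');
}

function rotateCredentialsKey(string $credPath, string $oldKeyPath, string $newKeyPath): void
{
    if ($newKeyPath === $oldKeyPath) {                  // real code should compare normalized paths
        throw new InvalidArgumentException('new key path must differ from the old key path');
    }
    $oldKey = (string) @hex2bin(readTrimmed($oldKeyPath));
    $plain = unseal(readTrimmed($credPath), $oldKey);   // wrong key or bad file aborts before any write
    $newKey = random_bytes(32);
    $suffix = '.' . bin2hex(random_bytes(16)) . '.tmp'; // unpredictable temporary file names
    $oldMask = umask(0077);                             // temporary files readable by the owner only
    try {
        $ok = file_put_contents($newKeyPath . $suffix, bin2hex($newKey)) !== false
            && file_put_contents($credPath . $suffix, seal($plain, $newKey)) !== false
            && unseal(readTrimmed($credPath . $suffix), $newKey) === $plain  // round-trip check
            && rename($newKeyPath . $suffix, $newKeyPath)   // old key and old file still match here
            && rename($credPath . $suffix, $credPath);      // atomic swap on the same filesystem
        if (!$ok) {
            throw new RuntimeException('rotation failed; original key and credentials unchanged');
        }
    } finally {
        umask($oldMask);
        @unlink($newKeyPath . $suffix);                 // no-op once the renames have succeeded
        @unlink($credPath . $suffix);
    }
}
```

The two renames cannot be made atomic together, so the key is published first: if the second rename fails, the old key still decrypts the untouched credentials file and only a stray new key is left behind.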

show()

Show decrypted credentials

public show(string $credentialsPath, string $keyPath) : string
Parameters
$credentialsPath : string

Path to encrypted credentials file

$keyPath : string

Path to encryption key file

Tags
throws
Exception

If decryption fails

Return values
string

The decrypted YAML content

validate()

Validate that credentials can be decrypted

public validate(string $credentialsPath, string $keyPath) : bool
Parameters
$credentialsPath : string

Path to encrypted credentials file

$keyPath : string

Path to encryption key file

Return values
bool

True if valid, false otherwise

ensureKey()

Ensure key exists, create if needed

private ensureKey(string $keyPath) : string
Parameters
$keyPath : string

Path to key file

Tags
throws
Exception

If key cannot be created or read

Return values
string

The key

generateSecureToken()

Generate a cryptographically secure random token for temporary files

private generateSecureToken([int $length = 16 ]) : string

This method generates a secure random token suitable for use in temporary file names. The token is URL-safe and filesystem-safe.

Parameters
$length : int = 16

Number of random bytes (will produce 2x hex characters)

Tags
throws
Exception

If secure random generation fails

Return values
string

A secure random hex string

normalizePath()

Normalize a file path for comparison

private normalizePath(string $path) : string

This method normalizes a path without requiring the file to exist, unlike realpath() which returns false for non-existent files.

Parameters
$path : string

The path to normalize

Return values
string

The normalized absolute path
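A lexical normalizer of the kind described above, as an added example and not the project's own code. `lexicalNormalize()` is a hypothetical name, POSIX-style paths are assumed, and the sample paths are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; lexicalNormalize() is a hypothetical name, POSIX-style paths assumed.
function lexicalNormalize(string $path, ?string $cwd = null): string
{
    if ($path === '' || $path[0] !== '/') {
        // Anchor relative paths at the given (or current) working directory.
        $path = rtrim($cwd ?? (string) getcwd(), '/') . '/' . $path;
    }
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                 // collapse "//" and "/./"
        }
        if ($segment === '..') {
            array_pop($out);          // ".." at the root stays at the root
            continue;
        }
        $out[] = $segment;
    }
    return '/' . implode('/', $out);
}

// Constructed sample paths; neither file has to exist.
$old = lexicalNormalize('config/secrets/../master.key', '/srv/app');
$new = lexicalNormalize('/srv/app/./config//master.key');
var_dump($old, $old === $new);
```

Because nothing is looked up on disk, symlinks are not resolved: two paths that normalize to different strings can still name the same file, so an equality check built on this is a guard against accidental reuse of a path, not proof that two paths are distinct files.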

readKey()

Read a key from file or environment variable

private readKey(string $keyPath) : string
Parameters
$keyPath : string

Path to key file

Tags
throws
Exception

If key not found in file or environment

Return values
string

The key content


        