best-encrypt

Crates.io: best-encrypt
lib.rs: best-encrypt
version: 1.0.0
created_at: 2025-10-13 08:57:17.078473+00
updated_at: 2025-10-13 08:57:17.078473+00
description: A top-level secrets orchestrator. Not just another .env tool — this one encrypts, locks, and sets you up for secure local and team dev.
homepage: https://github.com/kingjethro999/best-encrypt
repository: https://github.com/kingjethro999/best-encrypt
max_upload_size:
id: 1880255
size: 93,847
King Jethro (kingjethro999)

README

๐Ÿ” Encrypt (Rust)

"A top-level secrets orchestrator. Not just another .env tool — this one encrypts, locks, and sets you up for secure local and team dev."

🚀 Quick Start

Installation

# Build from source
cd rust
cargo build --release

# Install globally
cargo install --path .

# Or run directly
cargo run -- init

Basic Usage

# Initialize vault
encrypt init

# Add secrets
encrypt set API_KEY=your-api-key-here
encrypt set DB_URL=postgres://localhost:5432/mydb

# Lock secrets before committing (the password is passed as a command-line argument, so it lands in shell history)
encrypt lockup mySuperSecurePassword

# New developer setup
encrypt setup mySuperSecurePassword

💻 In-Code Usage

Rust

use encrypt::{get_secret, set_secret, get_all_secrets};

// Method 1: Auto-unlock with environment variable (Recommended for production)
// Set ENCRYPT_PASSWORD=your-password in your environment
let api_key = get_secret("API_KEY")?;
let db_url = get_secret("DB_URL")?;

// Method 2: Explicit password parameter
use encrypt::sdk::SDK;
let api_key = SDK::get("API_KEY", Some("your-password"))?;

// Method 3: Works when vault is already unlocked
let api_key = SDK::get("API_KEY", None)?;

// Use in your app
let config = Config {
    api_key,
    database: db_url,
    port: std::env::var("PORT").unwrap_or_else(|_| "3000".to_string()),
};

// Set secrets
set_secret("NEW_KEY", "new_value")?;

// Get all secrets
let all_secrets = get_all_secrets()?;

Production Usage

// Set ENCRYPT_PASSWORD environment variable
// Works automatically in any environment
use encrypt::get_secret;

let api_key = get_secret("API_KEY")?;
let db_url = get_secret("DB_URL")?;

Actix Web Example

use actix_web::{web, App, HttpServer, Result};
use encrypt::get_secret;

async fn index() -> Result<&'static str> {
    let api_key = get_secret("API_KEY")?;
    // Use api_key in your handler
    Ok("Hello world!")
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .route("/", web::get().to(index))
    })
    .bind("127.0.0.1:8080")?
    .run()
    .await
}

🧪 CLI Commands

Command                     Description
encrypt init                Create .encrypt vault
encrypt lockup <password>   Encrypt and secure secrets with password
encrypt setup <password>    Set up secrets on a new machine
encrypt set KEY=value       Add/update a key
encrypt get KEY             Fetch decrypted value
encrypt unlock              Decrypt everything into .env
encrypt status              Check if vault is locked, list keys
encrypt reset               Remove vault (careful!)

🔒 Triple Encryption Phases

  1. Phase 1: AES-256-GCM Encryption. Each secret value is encrypted using AES-256-GCM with a randomly generated nonce.

  2. Phase 2: Password Hashing (PBKDF2). The user's master password is used to derive an encryption key securely.

  3. Phase 3: HMAC Signatures. Encrypted secrets are signed with HMAC to prevent tampering.
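
The key-derivation and signing phases above, as an added example in Python's standard library (not the crate's own code): it derives separate encryption and MAC keys from the master password and checks the HMAC in constant time before a record would be handed to decryption. The iteration count, salt size, subkey labels and record layout are assumptions, and the AES-256-GCM phase is represented by an already-encrypted byte string because the standard library has no AES.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; the page does not give the crate's value


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Phase 2: PBKDF2-HMAC-SHA256 master key, split into encryption and MAC subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()  # would key AES-256-GCM
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _mac(mac_key: bytes, name: str, salt: bytes, ciphertext: bytes) -> bytes:
    """Phase 3: the tag covers the secret's name, so values cannot be swapped between keys."""
    n = name.encode()
    msg = len(n).to_bytes(4, "big") + n + salt + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(password: str, name: str, ciphertext: bytes) -> dict:
    """Build a signed record (hypothetical layout) around an already-encrypted value."""
    salt = os.urandom(16)  # fresh random salt per record
    _, mac_key = derive_keys(password, salt)
    tag = _mac(mac_key, name, salt, ciphertext)
    return {"name": name, "salt": salt.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_record(password: str, record: dict) -> bytes:
    """Verify the HMAC in constant time before any decryption is attempted."""
    salt = bytes.fromhex(record["salt"])
    ciphertext = bytes.fromhex(record["ct"])
    _, mac_key = derive_keys(password, salt)
    expected = _mac(mac_key, record["name"], salt, ciphertext)
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("HMAC mismatch: wrong password or modified record")
    return ciphertext  # only now is it passed on to the AES-256-GCM decrypt step


def is_valid(password: str, record: dict) -> bool:
    """True when the record verifies under this password, False otherwise."""
    try:
        open_record(password, record)
        return True
    except ValueError:
        return False
```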

🧾 Example Workflow

🔐 Initial Setup

encrypt init

Creates:

/.encrypt/
  ├── vault.lock (encrypted storage)
  ├── secrets.enc.json
  └── .gitignore (ensures raw secrets never get committed)

🔒 Lock Secrets Before Commit

encrypt lockup mySuperSecurePassword

This:

  • Encrypts all secret values in .encrypt/secrets.enc.json
  • Stores an encrypted hash of your password
  • Prevents accidental push of plaintext secrets

👤 New Developer Setup

git clone your-repo
cd your-repo
encrypt setup mySuperSecurePassword

This:

  • Prompts for password
  • Decrypts secrets into memory
  • Your app works 🎉

🔧 Development

# Build in development mode
cargo build

# Run tests
cargo test

# Run examples
cargo run --example test_crypto
cargo run --example example
cargo run --example test_auto_converter
cargo run --example production_example

# Run demo
cargo run -- init
cargo run -- setup mypassword
cargo run -- set API_KEY=sk-1234567890abcdef
cargo run -- status

๐Ÿ“ Project Structure

src/
โ”œโ”€โ”€ lib.rs           # Main library and convenience functions
โ”œโ”€โ”€ main.rs          # CLI entry point
โ”œโ”€โ”€ cli.rs           # CLI interface using clap
โ”œโ”€โ”€ crypto.rs        # Triple-layer encryption implementation
โ”œโ”€โ”€ vault.rs         # Vault management and file operations
โ”œโ”€โ”€ sdk.rs           # Runtime SDK for in-code usage
โ””โ”€โ”€ error.rs         # Error types and handling

examples/
โ”œโ”€โ”€ test_crypto.rs           # Crypto tests
โ”œโ”€โ”€ example.rs               # Basic usage example
โ”œโ”€โ”€ test_auto_converter.rs   # Auto-converter tests
โ””โ”€โ”€ production_example.rs    # Production usage example

.encrypt/                # Encrypted vault directory (created at runtime)
โ”œโ”€โ”€ vault.lock           # Vault configuration and password hash
โ”œโ”€โ”€ secrets.enc.json     # Encrypted secrets storage
โ””โ”€โ”€ vault.unlocked       # Lock file indicating vault status

🧪 Testing

# Test encryption/decryption
cargo run --example test_crypto

# Test runtime SDK
cargo run --example example

# Test auto-converter
cargo run --example test_auto_converter

# Test production usage
cargo run --example production_example

๐Ÿ›ก๏ธ Security Features

  • Triple-layer encryption for maximum security
  • Password-based key derivation using PBKDF2
  • HMAC signatures to prevent tampering
  • Memory-only decryption (secrets never written to disk when unlocked)
  • Git-safe (only encrypted files are committed)
  • Zero-copy operations where possible for performance

🚀 Production Deployment

Environment Variable Method (Recommended)

Set the ENCRYPT_PASSWORD environment variable in your production environment:

# Docker (ENV values are stored in the image metadata and show up in docker inspect)
ENV ENCRYPT_PASSWORD=your-production-password

# Kubernetes
env:
- name: ENCRYPT_PASSWORD
  valueFrom:
    secretKeyRef:
      name: encrypt-secrets
      key: password

# Heroku
heroku config:set ENCRYPT_PASSWORD=your-password

# AWS Lambda
# Set ENCRYPT_PASSWORD in environment variables

Your Application Code

// Works automatically with ENCRYPT_PASSWORD environment variable
use encrypt::get_secret;

let api_key = get_secret("API_KEY")?;
let db_url = get_secret("DB_URL")?;

// No need to manually unlock the vault!

Rocket Example

use rocket::{get, launch, routes};
use encrypt::get_secret;

#[get("/")]
fn index() -> &'static str {
    let api_key = get_secret("API_KEY").unwrap();
    // Use api_key in your handler
    "Hello, world!"
}

#[launch]
fn rocket() -> _ {
    rocket::build().mount("/", routes![index])
}

Security Benefits

  • ✅ Secrets remain encrypted in .encrypt/ folder
  • ✅ Only decrypted in memory during runtime
  • ✅ No plaintext secrets ever written to disk
  • ✅ Environment-specific passwords for dev/staging/prod
  • ✅ Zero configuration required in your app code
  • ✅ Memory-safe with Rust's ownership system

🚀 Why Encrypt?

  • .env files are static and hard to share securely
  • GitHub secrets don't help in local development
  • Vault tools like HashiCorp are overkill for small projects
  • You want an easy way to lock your dev secrets before pushing and to onboard teammates

This tool solves that problem in a slick, dev-friendly way with Rust's performance and safety guarantees.

📄 License

MIT

Commit count: 0