A PHP utility for managing secrets in the cloud using AWS KMS and DynamoDB

Overview

CredStash for PHP

This is a PHP port of the original CredStash (written in Python). Encryption and DynamoDB storage are compatible with the Python version, so both can work side by side against the same table. There is an optional CLI tool as well; details below.

More information about what CredStash is, how it works, and how to set it up can be read in their README.

Installation

$ composer require gmo/credstash

PHP Usage

Create CredStash instance

The easiest way to create CredStash is with the AWS SDK object:

use CredStash\CredStash;

$sdk = new Aws\Sdk(); // config omitted

$credStash = CredStash::createFromSdk($sdk);

Getting individual secrets:

// Get secret for "foo" credential
$secret = $credStash->get('foo');

// Including context parameters
$secret = $credStash->get('foo', ['env' => 'prod']);

// By default, the latest version is used,
// but a specific version can be passed in.
$secret = $credStash->get('foo', [], 2);

Getting multiple secrets:

// Get latest version of all secrets
$secrets = $credStash->getAll(); // ['foo' => 'secret', 'bar' => 'another secret'];

// Including context parameters
$secrets = $credStash->getAll(['env' => 'prod']);

// Get specific version for all secrets
$secrets = $credStash->getAll([], 2);

// Get all secrets matching pattern
$secrets = $credStash->search('ssl.*'); // matches "ssl.foo" and "ssl.bar"

// This version also allows "?" and "[]" patterns.
$secrets = $credStash->search('s?l'); // matches "ssl" and "sdl"
$secrets = $credStash->search('gr[ae]y'); // matches "gray" and "grey"

// Context and version can be specified here as well
$secrets = $credStash->search($pattern, $context, $version);

Putting secrets:

// Put secret into store at the next highest version
$credStash->put('foo', 'secret');

// Including context parameters
$credStash->put('foo', 'secret', ['env' => 'prod']);

// Put secret into store at a specified version
$credStash->put('foo', 'secret', [], 2);

Deleting secrets:

$credStash->delete('foo');

Listing credentials and their latest versions:

$credentials = $credStash->listCredentials(); // ['foo' => '000000000000000002', 'bar' => '000000000000000003'];
// Versions are zero-padded so that string sorting is consistent.

// They can optionally be converted to integers
// by passing false for the $pad parameter.
$credentials = $credStash->listCredentials(false); // ['foo' => 2, 'bar' => 3];
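The calls above are the building blocks of a rotation workflow. The following is an added example, not code from the gmo/credstash README: it writes a new version of a secret, reads that exact version back under the same context, and only then reports the version as ready. It assumes only the methods documented above (get, put, listCredentials) plus an AWS SDK configured for the region holding the table; the credential name, the region value and the context array are placeholders. In the Python tool the context map is passed to KMS as the encryption context, which is why reading back with a different context fails decryption.

```php
<?php
// Added example, not part of the gmo/credstash README: rotate a secret to a
// new version and verify it under the same context before any consumer is
// pointed at it. Assumes the get/put/listCredentials methods shown above and
// an AWS SDK configured for the region that holds the credential-store table.

use CredStash\CredStash;

require __DIR__ . '/vendor/autoload.php';

$sdk = new Aws\Sdk([
    'region'  => 'us-east-1', // placeholder; use the region of your credential-store table
    'version' => 'latest',
]);
$credStash = CredStash::createFromSdk($sdk);

/**
 * Write $newSecret as the next version of $name and read that exact version
 * back under the same context. Returns the integer version that was written.
 */
function rotateSecret(CredStash $credStash, string $name, string $newSecret, array $context): int
{
    // listCredentials() pads versions for sorting; ask for integers to do arithmetic.
    $versions = $credStash->listCredentials(false);
    $next = ($versions[$name] ?? 0) + 1;

    // Write at an explicit version so the number verified below is the number written.
    $credStash->put($name, $newSecret, $context, $next);

    // Read the exact version back with the same context. A context mismatch
    // surfaces here, as a decryption failure, rather than later in the application.
    $readBack = $credStash->get($name, $context, $next);
    if (!hash_equals($newSecret, $readBack)) {
        throw new RuntimeException(sprintf('Read-back of %s v%d does not match what was written', $name, $next));
    }

    return $next;
}

$context = ['env' => 'prod']; // placeholder context
$version = rotateSecret($credStash, 'db.password', bin2hex(random_bytes(24)), $context);
printf("db.password rotated to version %d\n", $version);

// Consumers that pinned the previous version keep reading it until they are
// moved over; callers that omit the version get the new one.
if ($version > 1) {
    $pinned = $credStash->get('db.password', $context, $version - 1);
}
$latest = $credStash->get('db.password', $context);
```

Writing at an explicit version rather than relying on "next highest" keeps the verification step honest: the version checked is the version written, and the previous version stays in the table for rollback until it is deliberately deleted.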

CLI Usage

Note: The CLI tool requires Symfony's Console Component to be installed manually, because it is an optional dependency.

$ composer require symfony/console 

The CLI tool is compatible with the Python version, with a couple of differences that come from the standard commands and parameters of Symfony's Console Application.

Version parameter:

The Python version uses -v or --version to specify the version to put or get. Here it is -c or --cred-version, because Symfony reserves -v/--version for the version of the console tool itself.

List command

The Python version's list command is renamed to info here, because Symfony has a built-in list command that lists the available commands.

Other than these two differences they are exactly the same.

More info can be found in their README or by running this tool without any arguments. Info for each command can be viewed with the standard help command or the -h/--help parameter.

Comments
  • HMAC missing

    Hi,

    I've been using this library and it stopped working today.

    I keep getting the following error:

    PHP Notice: Undefined index: S in PATH/vendor/gmo/credstash/src/Store/DynamoDbStore.php on line 207

    that line contains this method:

        private function createCredential($item)
        {
            $cred = (new Credential())
                ->setName($item['name']['S'])
                ->setVersion($item['version']['S'])
                ->setKey($item['key']['S'])
                ->setContents($item['contents']['S'])
                ->setHash($item['hmac']['S'])
            ;
            return $cred;
        }
    

    After further investigation, it seems that the HMAC is returned with B instead of S.

    Once I changed it to use

    $item['hmac']['B']

    that fixed it.

    I'm not sure if that's something that was changed on AWS's side.

    Thanks,

    opened by serge20 1
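The notice in the report above comes from indexing a DynamoDB attribute with a hard-coded type descriptor. The following is an added example, not code from gmo/credstash or from the issue author: a small reader that accepts either the "S" (string) or "B" (binary) descriptor for each attribute and raises an exception when an attribute is missing or has an unexpected type, instead of producing an "Undefined index" notice and an empty hash. It returns a plain array rather than the library's Credential object so it runs without the library installed; the sample items and their values are constructed placeholders.

```php
<?php
// Added example, not part of gmo/credstash: read the fields of a DynamoDB
// item without assuming that every attribute uses the "S" type descriptor.
// The issue above shows the hmac attribute arriving as "B" (binary); this
// reader accepts both and fails loudly on anything else.

/**
 * Return a DynamoDB attribute's value as a PHP string, accepting either the
 * "S" (string) or "B" (binary) descriptor.
 *
 * @param array<string, array<string, mixed>> $item item as returned by the low-level DynamoDB client
 */
function attributeToString(array $item, string $name): string
{
    if (!isset($item[$name]) || !is_array($item[$name])) {
        throw new UnexpectedValueException("Attribute '$name' is missing from the item");
    }
    $attr = $item[$name];
    if (array_key_exists('S', $attr)) {
        return (string) $attr['S'];
    }
    if (array_key_exists('B', $attr)) {
        // The AWS SDK for PHP base64-decodes blob values, so this is the raw
        // bytes the writer stored; the cast also covers a stream object.
        return (string) $attr['B'];
    }
    $types = implode(',', array_keys($attr));
    throw new UnexpectedValueException("Attribute '$name' has unsupported type(s): $types");
}

/**
 * Map one item to the field names the library's Credential object uses.
 * Returns a plain array so the example runs without the library installed.
 */
function itemToFields(array $item): array
{
    return [
        'name'     => attributeToString($item, 'name'),
        'version'  => attributeToString($item, 'version'),
        'key'      => attributeToString($item, 'key'),
        'contents' => attributeToString($item, 'contents'),
        'hmac'     => attributeToString($item, 'hmac'),
    ];
}

// Constructed sample items; values are placeholders, not real ciphertext.
$itemWithStringHmac = [
    'name'     => ['S' => 'foo'],
    'version'  => ['S' => '000000000000000002'],
    'key'      => ['S' => 'wrapped-key-placeholder'],
    'contents' => ['S' => 'ciphertext-placeholder'],
    'hmac'     => ['S' => str_repeat('ab', 32)],
];
$itemWithBinaryHmac = $itemWithStringHmac;
$itemWithBinaryHmac['hmac'] = ['B' => hex2bin(str_repeat('ab', 32))];

foreach ([$itemWithStringHmac, $itemWithBinaryHmac] as $item) {
    $fields = itemToFields($item);
    // Whichever descriptor was used, bring the HMAC into one representation
    // (raw bytes here) so an integrity check never compares hex text to bytes.
    $hmac = $fields['hmac'];
    $hmacBytes = (strlen($hmac) % 2 === 0 && ctype_xdigit($hmac)) ? hex2bin($hmac) : $hmac;
    printf("%s v%d: hmac is %d bytes\n", $fields['name'], (int) $fields['version'], strlen($hmacBytes));
}

// A missing attribute is an error, not a notice.
try {
    attributeToString(['name' => ['S' => 'foo']], 'hmac');
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The important design choice is the failure mode: a credential whose hash cannot be read should be rejected outright, because an empty or mistyped HMAC would otherwise flow into the integrity check and either fail confusingly or, worse, be skipped.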
  • Fix deletion on large tables

    The maximum number of items to evaluate (not necessarily the number of matching items). If DynamoDB processes the number of items up to the limit while processing the results, it stops the operation and returns the matching values up to that point, and a key in LastEvaluatedKey to apply in a subsequent operation, so that you can pick up where you left off. Also, if the processed dataset size exceeds 1 MB before DynamoDB reaches this limit, it stops the operation and returns the matching values up to the limit, and a key in LastEvaluatedKey to apply in a subsequent operation to continue the operation.

    Refer to https://github.com/fugue/credstash/pull/240/commits/c343a875fdf84d49483692c7552b7b0fc17f3768

    opened by damien-thiesson 0
Releases: v1.0.0

Owner: Global Media Outreach