stechstudio / keep
Toolkit for collaborative, secure management of secrets across applications, environments, and teams.
Requires
- php: ^8.3
- illuminate/console: ^12.25
- illuminate/container: ^12.25
- illuminate/events: ^12.25
- illuminate/support: ^10.0||^11.0||^12.0
- laravel/prompts: ^0.1.0||^0.2.0||^0.3.0
- symfony/console: ^6.0||^7.0
- vlucas/phpdotenv: ^5.6
Requires (Dev)
- aws/aws-sdk-php: ^3.354
- laravel/pint: ^1.24
- mockery/mockery: ^1.5
- pestphp/pest: ^4.0
- phpstan/extension-installer: ^1.3
- phpstan/phpstan: ^2.0
- phpstan/phpstan-phpunit: ^2.0
- phpunit/phpunit: ^12.0
- symfony/var-dumper: ^7.3
Suggests
- aws/aws-sdk-php: Required to use AWS SSM and Secrets Manager vault drivers.
README
Keep is your toolkit for collaborative, secure management of secrets across applications, environments, and teams.
Key Features:
- CLI Commands - Manage individual secrets, import/export in bulk, view history and diffs, all via artisan commands
- Multi-Vault Support - Driver-based system, currently supporting AWS SSM Parameter Store and AWS Secrets Manager
- Environment Isolation - Separate secrets by environment (local, staging, production) with access controls
- Unified Export System - Direct export, template processing, and encrypted caching all in one command
- Template System - Replace placeholders in templates with vault secrets while preserving formatting
- Team Collaboration - Share secret management across team members with proper access controls
- CI/CD Integration - Export secrets for deployment pipelines and automated workflows
The package provides a secure, organized way to manage application secrets without storing them in version control or sharing them insecurely.
Quick Start
Install and configure Keep
Install the package via composer:
composer require stechstudio/keep
This will install a command in your vendor/bin directory called keep. Run keep configure to configure Keep and your first vault.
./vendor/bin/keep configure
You should now have Keep configured with a default vault. Run keep verify to check your setup and ensure you have the necessary permissions.
./vendor/bin/keep verify
Manage secrets
You can add secrets using keep set:
# You will be prompted for the stage and secret value
./vendor/bin/keep set DB_PASSWORD
# Or specify the stage and value directly
./vendor/bin/keep set DB_PASSWORD --stage=production --value="supersecretpassword"
This stores the DB_PASSWORD secret in AWS SSM under the path /[namespace]/production/DB_PASSWORD. For real secrets prefer the interactive prompt: a value passed with --value is recorded in your shell history and is visible to other local users in the process list for as long as the command runs.
Check that the secret was added:
# Retrieve a single secret
./vendor/bin/keep get DB_PASSWORD --stage=production
# List all secrets for production
./vendor/bin/keep list --stage=production
Using secrets in your application
Direct Export - Generate a complete .env file from secrets
If all your environment variables are managed via Keep, export them directly to a .env file:
# Export all secrets from all vaults
./vendor/bin/keep export --stage=production --file=.env
# Export from specific vaults only
./vendor/bin/keep export --stage=production --vault=ssm,secrets --file=.env
# Export in JSON format
./vendor/bin/keep export --stage=production --format=json --file=config.json
Template Mode - Merge secrets into a template file
Use a template file with placeholders for sensitive values:
Example .env.template:
# Application Config
APP_NAME=MyApp
APP_ENV=production
# Database - sensitive values from vaults
DB_HOST={aws-ssm:database/host}
DB_PORT=3306 # Static value
DB_PASSWORD={aws-secrets:db-password}
# API Keys
API_KEY={vault1:api/key}
Then process the template:
# Replace placeholders with actual secrets
./vendor/bin/keep export --stage=production --template=.env.template --file=.env
# Include ALL vault secrets (template + additional)
./vendor/bin/keep export --stage=production --template=.env.template --all --file=.env
# Handle missing secrets gracefully
./vendor/bin/keep export --stage=production --template=.env.template --missing=blank --file=.env
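The following script is an added illustration of template mode, not Keep's own code: it is a POSIX sh/awk dry-run that reads the same {vault:path} placeholder grammar as the .env.template above, lists every placeholder a template references, reports which ones have no value, and renders the template either blanking unknown references (the behaviour the --missing=blank flag describes) or stopping at the first one. The vault contents are a constructed tab-separated stand-in map, and the function names, the "fail" policy and its being the default are assumptions of this script (the page does not say what Keep does with a missing secret when --missing is not given). It is useful as a pre-flight check that a template only references secrets that actually exist before running keep export in a pipeline.

```shell
#!/bin/sh
# Added illustration (not Keep's own code): a POSIX sh/awk dry-run of the
# template mode described in the README. Function names, the tab-separated
# stand-in vault map and the "fail" policy are assumptions of this script.
set -eu

# Constructed sample template, same content as the README's .env.template.
TEMPLATE='# Application Config
APP_NAME=MyApp
APP_ENV=production
# Database - sensitive values from vaults
DB_HOST={aws-ssm:database/host}
DB_PORT=3306 # Static value
DB_PASSWORD={aws-secrets:db-password}
# API Keys
API_KEY={vault1:api/key}'

# Constructed stand-in for vault contents: one "vault:path<TAB>value" per line.
# vault1:api/key is deliberately absent to exercise the missing-secret path.
SECRETS=$(printf 'aws-ssm:database/host\tdb.internal.example\naws-secrets:db-password\ts3cr3t\n')

# list_placeholders TEMPLATE: every vault:path reference, one per line, deduplicated.
list_placeholders() {
  printf '%s\n' "$1" | awk '{
    rest = $0
    while (match(rest, /[{][^{}:]+:[^{}]+[}]/)) {
      print substr(rest, RSTART + 1, RLENGTH - 2)
      rest = substr(rest, RSTART + RLENGTH)
    }
  }' | sort -u
}

# missing_placeholders TEMPLATE SECRETS: references that have no value in SECRETS.
missing_placeholders() {
  keys=$(printf '%s\n' "$2" | cut -f1)
  list_placeholders "$1" | while IFS= read -r ref; do
    printf '%s\n' "$keys" | grep -qxF -- "$ref" || printf '%s\n' "$ref"
  done
}

# render_template TEMPLATE SECRETS [POLICY]
# POLICY "blank" substitutes an empty string for an unknown reference (the
# --missing=blank behaviour); "fail" (this script's default, an assumption)
# stops with exit status 2 at the first unknown reference. Lines without
# placeholders pass through untouched, so comments and formatting survive.
render_template() {
  printf '%s\n' "$1" | awk -v secrets="$2" -v policy="${3:-fail}" '
    BEGIN {
      n = split(secrets, lines, "\n")
      for (i = 1; i <= n; i++) {
        if (split(lines[i], kv, "\t") == 2) value[kv[1]] = kv[2]
      }
    }
    {
      out = ""; rest = $0
      while (match(rest, /[{][^{}:]+:[^{}]+[}]/)) {
        ref = substr(rest, RSTART + 1, RLENGTH - 2)
        if (ref in value) {
          rep = value[ref]
        } else if (policy == "blank") {
          rep = ""
        } else {
          print "missing secret: " ref > "/dev/stderr"
          exit 2
        }
        # Substitute by position so a value containing braces is never re-scanned.
        out = out substr(rest, 1, RSTART - 1) rep
        rest = substr(rest, RSTART + RLENGTH)
      }
      print out rest
    }'
}

# Stand-alone demo: pre-flight check, then render with missing values blanked.
echo "placeholders referenced:"; list_placeholders "$TEMPLATE"
echo "placeholders without a value:"; missing_placeholders "$TEMPLATE" "$SECRETS"
echo "rendered with --missing=blank semantics:"; render_template "$TEMPLATE" "$SECRETS" blank
```

Run it with any POSIX sh; the demo renders API_KEY= as an empty value because vault1:api/key has no entry in the stand-in map, which is exactly the case a pipeline should catch before the export rather than discover at application start.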
Encrypted Cache - For Laravel Integration
Export secrets to an encrypted cache for use with Laravel's config caching:
./vendor/bin/keep export --stage=production --cache
This creates an encrypted cache file in .keep/cache/ and adds the decryption key to your .env file. Anyone who can read both the .env file and the cache can recover every secret in it, so keep .env out of version control and out of build artifacts, and restrict its file permissions on the host.
License
The MIT License (MIT). Please see License File for more information.