# .env.secrets.example - Template for encrypted secrets
# Copy this file to .env.secrets and encrypt your sensitive values
# Generated for michaelschiemer.de framework
#
# This .example file is the ONLY one of the pair that belongs in version
# control. It must contain placeholders only - never paste a real ENC[...]
# value (or a plaintext secret) into it.
# =============================================================================
# ENCRYPTION SETUP
# =============================================================================
# 1. Generate an encryption key:  php console.php secrets:generate-key
# 2. Add ENCRYPTION_KEY to your .env file (never commit this!)
#    Note: the encryption only helps if the key and .env.secrets are NOT
#    readable together. Anyone who can read both files can decrypt every
#    value below, so for production prefer injecting ENCRYPTION_KEY as a
#    process environment variable or from a secret manager (see SECURITY NOTES).
# 3. Encrypt secrets:  php console.php secrets:encrypt "your-secret-value"
#    Caution: a plaintext secret passed as a command-line argument is written
#    to your shell history and is visible to other local users via `ps` while
#    the command runs. Remove it from history afterwards, or feed the value
#    via stdin if the command supports it.
# 4. Store encrypted values below with ENC[...] format
#    NOTE(review): the ENC[...] wrapper does not reveal which cipher is used;
#    confirm the implementation uses authenticated encryption (e.g. AES-GCM),
#    since unauthenticated ciphertext can be tampered with undetected.
# =============================================================================
# DATABASE SECRETS
# =============================================================================
# Production database password (encrypted)
# SECRET_DB_PASSWORD=ENC[base64encodedencryptedvalue]
# Database backup encryption key
# SECRET_DB_BACKUP_KEY=ENC[backupencryptionkey]
# =============================================================================
# API SECRETS
# =============================================================================
# Shopify webhook secret
# SECRET_SHOPIFY_WEBHOOK_SECRET=ENC[shopifywebhooksecret]
# RapidMail API credentials
# SECRET_RAPIDMAIL_USERNAME=ENC[rapidmailusername]
# SECRET_RAPIDMAIL_PASSWORD=ENC[rapidmailpassword]
# External API keys
# SECRET_PAYMENT_API_KEY=ENC[paymentapikey]
# SECRET_ANALYTICS_API_KEY=ENC[analyticsapikey]
# =============================================================================
# AUTHENTICATION SECRETS
# =============================================================================
# JWT signing secret
# SECRET_JWT_SECRET=ENC[jwtsigningsecret]
# OAuth client secrets
# SECRET_OAUTH_GOOGLE_SECRET=ENC[googleoauthsecret]
# SECRET_OAUTH_GITHUB_SECRET=ENC[githuboauthsecret]
# Session encryption key
# SECRET_SESSION_KEY=ENC[sessionencryptionkey]
# =============================================================================
# INFRASTRUCTURE SECRETS
# =============================================================================
# Redis password
# SECRET_REDIS_PASSWORD=ENC[redispassword]
# SMTP credentials
# SECRET_SMTP_USERNAME=ENC[smtpusername]
# SECRET_SMTP_PASSWORD=ENC[smtppassword]
# SSL certificate passwords
# SECRET_SSL_CERT_PASSWORD=ENC[sslcertpassword]
# =============================================================================
# THIRD-PARTY INTEGRATIONS
# =============================================================================
# CDN API secrets
# SECRET_CDN_API_KEY=ENC[cdnapikey]
# Monitoring service tokens
# SECRET_MONITORING_TOKEN=ENC[monitoringtoken]
# Backup service credentials
# SECRET_BACKUP_ACCESS_KEY=ENC[backupaccesskey]
# SECRET_BACKUP_SECRET_KEY=ENC[backupsecretkey]
# =============================================================================
# DEVELOPMENT NOTES
# =============================================================================
#
# Commands for secret management:
#
# Generate encryption key:
#   php console.php secrets:generate-key
#
# Encrypt a value:
#   php console.php secrets:encrypt "my-secret-value"
#   (the plaintext ends up in shell history and in `ps` output - see
#   ENCRYPTION SETUP step 3)
#
# Decrypt a value (for debugging):
#   php console.php secrets:decrypt "ENC[encrypted-value]"
#   This prints the plaintext to the terminal. Do not run it in shared
#   sessions or in CI jobs whose output is logged.
#
# Rotate all secrets:
#   php console.php secrets:rotate
#   When ENCRYPTION_KEY itself is rotated, every ENC[...] value must be
#   re-encrypted under the new key or it becomes unreadable - verify what this
#   command covers before relying on it for key rotation.
#
# Validate secrets setup:
#   php console.php secrets:validate
#
# =============================================================================
# SECURITY NOTES
# =============================================================================
#
# 1. Never commit .env.secrets to version control - add it to .gitignore and
#    restrict its file permissions to the application user (e.g. chmod 600).
# 2. Store ENCRYPTION_KEY securely (environment variable injected at deploy
#    time, or a secret manager). Keeping it in a .env file next to
#    .env.secrets gives anyone with filesystem read access both halves.
# 3. Use different encryption keys for different environments, so a leaked
#    development key cannot decrypt production values.
# 4. Regularly rotate secrets and encryption keys, and re-encrypt all stored
#    values whenever the encryption key changes.
# 5. Monitor secret access (especially decrypt operations) through audit logs.
# 6. Use HTTPS/TLS for every channel that carries these secrets (admin tools,
#    calls to the third-party APIs above). TLS protects secrets in transit
#    only; it does nothing for the encrypted file at rest.
# 7. Consider a hardware security module (HSM) or cloud KMS for production so
#    the encryption key never has to be written to disk on the application host.
#