michaelschiemer/.env.secrets.example

# .env.secrets.example - Template for encrypted secrets
# Copy this file to .env.secrets and encrypt your sensitive values
# Generated for michaelschiemer.de framework

# =============================================================================
# ENCRYPTION SETUP
# =============================================================================
# 1. Generate an encryption key: php console.php secrets:generate-key
# 2. Add ENCRYPTION_KEY to your .env file (never commit this!)
# 3. Encrypt secrets: php console.php secrets:encrypt "your-secret-value"
# 4. Store encrypted values below with ENC[...] format

# =============================================================================
# DATABASE SECRETS
# =============================================================================
# Production database password (encrypted)
# SECRET_DB_PASSWORD=ENC[base64encodedencryptedvalue]

# Database backup encryption key
# SECRET_DB_BACKUP_KEY=ENC[backupencryptionkey]

# =============================================================================
# API SECRETS
# =============================================================================
# Shopify webhook secret
# SECRET_SHOPIFY_WEBHOOK_SECRET=ENC[shopifywebhooksecret]

# RapidMail API credentials
# SECRET_RAPIDMAIL_USERNAME=ENC[rapidmailusername]
# SECRET_RAPIDMAIL_PASSWORD=ENC[rapidmailpassword]

# External API keys
# SECRET_PAYMENT_API_KEY=ENC[paymentapikey]
# SECRET_ANALYTICS_API_KEY=ENC[analyticsapikey]

# =============================================================================
# AUTHENTICATION SECRETS
# =============================================================================
# JWT signing secret
# SECRET_JWT_SECRET=ENC[jwtsigningsecret]

# OAuth client secrets
# SECRET_OAUTH_GOOGLE_SECRET=ENC[googleoauthsecret]
# SECRET_OAUTH_GITHUB_SECRET=ENC[githuboauthsecret]

# Session encryption key
# SECRET_SESSION_KEY=ENC[sessionencryptionkey]

# =============================================================================
# INFRASTRUCTURE SECRETS
# =============================================================================
# Redis password
# SECRET_REDIS_PASSWORD=ENC[redispassword]

# SMTP credentials
# SECRET_SMTP_USERNAME=ENC[smtpusername]
# SECRET_SMTP_PASSWORD=ENC[smtppassword]

# SSL certificate passwords
# SECRET_SSL_CERT_PASSWORD=ENC[sslcertpassword]

# =============================================================================
# THIRD-PARTY INTEGRATIONS
# =============================================================================
# CDN API secrets
# SECRET_CDN_API_KEY=ENC[cdnapikey]

# Monitoring service tokens
# SECRET_MONITORING_TOKEN=ENC[monitoringtoken]

# Backup service credentials
# SECRET_BACKUP_ACCESS_KEY=ENC[backupaccesskey]
# SECRET_BACKUP_SECRET_KEY=ENC[backupsecretkey]

# =============================================================================
# DEVELOPMENT NOTES
# =============================================================================
# 
# Commands for secret management:
# 
# Generate encryption key:
#   php console.php secrets:generate-key
# 
# Encrypt a value:
#   php console.php secrets:encrypt "my-secret-value"
# 
# Decrypt a value (for debugging):
#   php console.php secrets:decrypt "ENC[encrypted-value]"
# 
# Rotate all secrets:
#   php console.php secrets:rotate
# 
# Validate secrets setup:
#   php console.php secrets:validate
# 
# =============================================================================
# SECURITY NOTES
# =============================================================================
# 
# 1. Never commit .env.secrets to version control
# 2. Store ENCRYPTION_KEY securely (environment variable, secret manager)
# 3. Use different encryption keys for different environments
# 4. Regularly rotate secrets and encryption keys
# 5. Monitor secret access through audit logs
# 6. Use HTTPS in production for additional security
# 7. Consider using hardware security modules (HSM) for production
#