Skip to content

vault

stable

Secrets and environment variable management plugin with AES-256-GCM encryption, SHA-256 hashing, base64 encoding, and .env file loading.

use plugin vault::{get_env, require_env, get_env_or, …}
15 functions Database
/ filter jk navigate Esc clear
Functions (15)
  1. get_env Read an environment variable, returns nil if unset
  2. require_env Read an env var, errors if unset
  3. get_env_or Read an env var with a fallback default
  4. mask Mask a secret string for safe display
  5. load_env_file Parse a .env file into a table
  6. env_names List all environment variable names
  7. encrypt_value Encrypt a string with AES-256-GCM
  8. decrypt_value Decrypt an AES-256-GCM ciphertext
  9. generate_key Generate a random 32-byte encryption key
  10. hash_value Compute a SHA-256 hex digest
  11. set_env Set an environment variable
  12. unset_env Remove an environment variable
  13. constant_time_eq Compare two strings in constant time
  14. encode_base64 Base64-encode a string
  15. decode_base64 Base64-decode a string

get_env(name) string | nil

Read an environment variable, returns nil if unset

Reads the environment variable name. Returns the string value if set, or nil if the variable does not exist. Use require_env when the variable is mandatory.

zolo▶ Playground
use plugin vault::{get_env}

let db_url = get_env("DATABASE_URL")
if db_url == nil {
  print("DATABASE_URL is not set")
}

require_env(name) string

Read an env var, errors if unset

Reads the environment variable name and errors at runtime if it is not set. Use this at startup to fail fast for required configuration.

zolo▶ Playground
use plugin vault::{require_env}

let api_key = require_env("API_KEY")
print("Key loaded")

get_env_or(name, default) string

Read an env var with a fallback default

Reads the environment variable name, returning default if it is not set.

zolo▶ Playground
use plugin vault::{get_env_or}

let port = get_env_or("PORT", "8080")
print("Listening on port {port}")

mask(value) string

Mask a secret string for safe display

Masks a secret string for display — shows the first 2 and last 2 characters and replaces the middle with asterisks. Strings of 4 characters or fewer become "****".

zolo▶ Playground
use plugin vault::{get_env, mask}

let token = get_env("API_TOKEN")
print("Token: {mask(token)}")

load_env_file(path) table

Parse a .env file into a table

Parses a .env file at path into a table of key-value string pairs. Blank lines and # comments are skipped. Surrounding single or double quotes are stripped from values.

zolo▶ Playground
use plugin vault::{load_env_file}

let env = load_env_file(".env")
print(env["DATABASE_URL"])

env_names() table

List all environment variable names

Returns a list of all environment variable names currently set in the process. Values are not included.

zolo▶ Playground
use plugin vault::{env_names}

let names = env_names()
print(names[1])

encrypt_value(plaintext, key_hex) string

Encrypt a string with AES-256-GCM

Encrypts plaintext using AES-256-GCM with a 32-byte key supplied as 64 hex characters. Returns a hex string containing the 12-byte nonce prepended to the ciphertext. Use generate_key to create a key.

zolo▶ Playground
use plugin vault::{encrypt_value, decrypt_value, generate_key}

let key = generate_key()
let ct = encrypt_value("my secret", key)
let pt = decrypt_value(ct, key)
print(pt)

decrypt_value(ciphertext_hex, key_hex) string

Decrypt an AES-256-GCM ciphertext

Decrypts a hex-encoded AES-256-GCM ciphertext (as produced by encrypt_value) back to the original plaintext string.

zolo▶ Playground
use plugin vault::{decrypt_value}

let plain = decrypt_value(stored_ciphertext, require_env("ENCRYPTION_KEY"))
print(plain)

generate_key() string

Generate a random 32-byte encryption key

Generates a cryptographically random 32-byte AES key and returns it as 64 lowercase hex characters. Store this key securely — it is required for decryption.

zolo▶ Playground
use plugin vault::{generate_key}

let key = generate_key()
print("Save this key: {key}")

hash_value(value) string

Compute a SHA-256 hex digest

Computes the SHA-256 digest of value and returns it as a 64-character lowercase hex string.

zolo▶ Playground
use plugin vault::{hash_value}

let digest = hash_value("password123")
print(digest)

set_env(name, value) nil

Set an environment variable

Sets the environment variable name to value for the current process.

zolo▶ Playground
use plugin vault::{set_env, get_env}

set_env("MY_VAR", "hello")
print(get_env("MY_VAR"))

unset_env(name) nil

Remove an environment variable

Removes the environment variable name from the current process environment.

zolo▶ Playground
use plugin vault::{set_env, unset_env, get_env}

set_env("TEMP_VAR", "x")
unset_env("TEMP_VAR")
print(get_env("TEMP_VAR"))

constant_time_eq(a, b) bool

Compare two strings in constant time

Compares two strings in constant time to prevent timing-based side-channel attacks. Always use this instead of == when comparing secret tokens or hashes.

zolo▶ Playground
use plugin vault::{hash_value, constant_time_eq}

let expected = hash_value("correct-password")
let provided = hash_value(user_input)
if constant_time_eq(expected, provided) {
  print("Authenticated")
}

encode_base64(value) string

Base64-encode a string

Encodes a string as standard base64 (with padding).

zolo▶ Playground
use plugin vault::{encode_base64, decode_base64}

let encoded = encode_base64("Hello, World!")
let decoded = decode_base64(encoded)
print(decoded)

decode_base64(encoded) string

Base64-decode a string

Decodes a base64 string back to its original UTF-8 string value.

zolo▶ Playground
use plugin vault::{decode_base64}

let raw = decode_base64("SGVsbG8sIFdvcmxkIQ==")
print(raw)
View source code
enespt-br