Laravel Vault Suite connects your Laravel applications to dedicated secrets backends such as HashiCorp Vault and OpenBao. It ships with an extensible driver system, an expressive facade, and artisan tooling so you can read, write, and manage secrets without copying values into .env files.
📘 Documentation: https://omar-karray.github.io/laravel-vault-suite/
- Command-first operations – Ship-ready Artisan commands (
vault:unseal,vault:enable-engine, …) for the tasks operators and developers run every day. - Fluent PHP API – Fetch, write, list, and delete secrets through a clean service/facade when you need programmatic access.
- Multi-backend driver manager – Vault and OpenBao out of the box with an extensible contract for additional backends.
- Configuration & bootstrap blueprint – Centralise driver settings today and hydrate Laravel configuration at runtime as the bootstrapper lands.
- Documentation site – Guides on GitHub Pages cover installation, commands, configuration, and the API surface.
composer require deepdigs/laravel-vault-suitePublish the configuration file to tailor drivers and bootstrap behaviour:
php artisan vendor:publish --tag="vault-suite-config"Add the relevant environment variables in your .env file (or server configuration):
VAULT_SUITE_DRIVER=vault
VAULT_ADDR=http://127.0.0.1:8200
VAULT_TOKEN=your-root-or-app-token
VAULT_ENGINE_MOUNT=secret
VAULT_ENGINE_VERSION=2Read a secret as an array:
use Deepdigs\LaravelVaultSuite\Facades\LaravelVaultSuite;
$database = LaravelVaultSuite::fetch('apps/laravel/database');Read a specific key from the secret payload:
$password = LaravelVaultSuite::fetch('apps/laravel/database', 'password');Write or update a secret:
LaravelVaultSuite::put('apps/laravel/database', [
'username' => 'laravel',
'password' => 'new-password',
]);List secret keys beneath a path:
$keys = LaravelVaultSuite::list('apps/laravel');vault:unseal– Submit key shards (from CLI or a file) and track progress until Vault is unsealed.php artisan vault:unseal --file=storage/keys/unseal.txt --reset
vault:enable-engine– Mount and configure secrets engines with typed options.php artisan vault:enable-engine secret/apps --option=version=2 --local
See docs/commands.md for the full option reference.
- Use a multi-root VS Code workspace that includes this package and your Laravel app.
- Register the package as a Composer path repository for hot-linked development.
- Only run
composer update deepdigs/laravel-vault-suiteafter changing this package’scomposer.jsonor autoloading configuration. - When tagging for production use, publish to Packagist and update your application to use the release tag instead of the path repository.
composer testProject docs are powered by MkDocs. Preview locally with:
pip install mkdocs mkdocs-material
mkdocs serveThe documentation source lives in docs/ and can be deployed to GitHub Pages via mkdocs gh-deploy --clean.
Please see CHANGELOG for more information on what has changed recently.
Please see CONTRIBUTING for details.
The MIT License (MIT). Please see License File for more information.
- Install & publish config (see Installation above). Populate
VAULT_ADDR,VAULT_TOKEN, and mount settings in.envor your secret manager. - Verify connectivity
php artisan vault:status php artisan vault:enable-engine secret/apps --option=version=2
- Load existing secrets or commit new ones
Write new values from PHP:
php artisan vault:read secret/apps/database --json
use Deepdigs\LaravelVaultSuite\LaravelVaultSuite; app(LaravelVaultSuite::class)->put('secret/apps/database', [ 'username' => 'laravel', 'password' => Str::random(32), ]);
- Script it – combine commands in deployment pipelines (e.g. run
vault:listto confirm a rotation, then fetch credentials for tests).
Until the bootstrapper ships, load secrets in a service provider or dedicated config loader:
use Deepdigs\LaravelVaultSuite\LaravelVaultSuite;
class VaultConfigServiceProvider extends ServiceProvider
{
public function boot(LaravelVaultSuite $vault): void
{
if (! app()->environment('production')) {
return;
}
$database = $vault->fetch('secret/apps/database');
config([
'database.connections.mysql.username' => $database['username'],
'database.connections.mysql.password' => $database['password'],
]);
}
}ℹ️ When the bootstrapper lands, you will be able to map these keys directly inside
config/vault-suite.phpand hydrate them duringconfig:cache.
- Create/mount a KV engine dedicated to database credentials:
php artisan vault:enable-engine database/credentials --type=kv --option=version=2
- Store the credentials from an operator machine or CI job:
Or programmatically via Laravel Vault Suite:
php artisan vault:read database/credentials/mysql-root --json # verify$vault->put('database/credentials/mysql-app', [ 'username' => 'app', 'password' => Str::random(40), ]);
- Load credentials into Laravel at runtime (see provider example above) or inject them into environment variables before
config:cache. - Rotate safely: rotate the credential in Vault (
putnew password), then redeploy the application so it fetches the updated secret. Combine with Vault’s DB secrets engine if you want automated rotation.
- Run
php artisan vault:statusduring health checks. - If Vault is sealed, run
vault:unsealwith the key shards available to your SRE team or automation. - Re-run
config:cacheafter updating configuration if you load secrets at boot.
- Never check tokens or key shards into source control. Use your CI/CD secret store.
- Grant the Laravel application a limited token (e.g. via AppRole) scoped to the paths it needs.
- Combine the suite with Vault’s audit logging to track access.