Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow (or enforce) encryption of .env file #34

Open
YPCrumble opened this issue Oct 31, 2018 · 5 comments
Open

Allow (or enforce) encryption of .env file #34

YPCrumble opened this issue Oct 31, 2018 · 5 comments

Comments

@YPCrumble
Copy link

Hi - thanks for building this great repo!

I noticed that you suggest adding .env to the .gitignore file - presumably because the config shouldn't be exposed as part of the repository?

Do you have a suggestion on how to share the .env file with members of my team?

The best answer I could find suggests checking in the .env file and encrypting it as an option.

What do maintainers think about allowing encryption of the .env file with one master password? I'd be happy to help with a PR if it would be welcomed and someone could help me think through best practice implementation.

Or, is there a better way to share the .env file with my team?
@merwok
Copy link
Contributor

merwok commented Dec 17, 2018

I think the typical way is to have .env.example in your repo, with comments to explain the settings, default values where possible (e.g. DATABASE_URL="postgres://localhost:5432/project"), and instructions for real secrets (GOOGLE_MAPS_API_KEY="ask in slack channel XYZ" or "see 1password/project/google maps key"). Then the README can instruct people to copy that file to .env and edit it.

@Pithikos
Copy link

Pithikos commented Jan 10, 2019
edited
Loading

@merwok but how would that work when you kill instances and make new ones all the time? For every new deploy you will need to manually copy the file from one place to another so that doesn't seem pragmatic.

I think encrypting the file is the more realistic. Then you have everything in one place and you only need to pass one environment variable (the decryption key) to the server.

@merwok
Copy link
Contributor

merwok commented Jan 10, 2019

Ah that’s another problem! What I said about copying .env.example to .env and changing values is for local dev, i.e. to help my coworkers set up their environment.

For server deployment, this becomes a config management issue.
If I run on Heroku, I already have an interface to define environment variables.
On another container platform, I have docker secrets.
On AWS EC2, I’ll get my secrets from SSM.
On another VM, maybe I’ll have an ansible vault that creates a .env file.

@joshgeller
Copy link

@merwok In your EC2/SSM example, do you still use this library?

@merwok
Copy link
Contributor

merwok commented May 27, 2021

No, I connect to the SSM API (using https://github.com/caravancoop/configstore/) to get settings, without writing them to an env file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Pithikos @merwok @joshgeller @YPCrumble