Kay Gosho

dotenv-vault: No dependency .env encrypt tool

tl;dr

dotenv-vault is a simple dotenv management tool, keeping tokens secret.

acro5piano / dotenv-vault

[deprecated] simple dotenv encrypt & decrypt tool inspired by yaml_vault

Use git-crypt https://github.com/AGWA/git-crypt

No longer maintained. Use other tools.


dotenv-vault

simple dotenv encrypt tool inspired by yaml_vault

Default cipher is aes-256-cbc. Default sign digest is SHA256.

Install

For MacOS:

git clone https://github.com/acro5piano/dotenv-vault ~/.dotenv-vault
ln -sfnv ~/.dotenv-vault/bin/dotenv-vault /usr/local/bin/dotenv-vault

For Linux:

git clone https://github.com/acro5piano/dotenv-vault ~/.dotenv-vault
sudo ln -sfnv ~/.dotenv-vault/bin/dotenv-vault /usr/bin/dotenv-vault

Requirements

dotenv-vault requires the following:

  • Bash >= 2
  • Openssl >= 2
  • Perl >= 5

Almost all machines need no additional installation step.

Usage

Encrypt

Input file (.env):

NODE_ENV=development
API_KEY=123456789

Command:

$ dotenv-vault -e API_KEY -k foobarbaz encrypt .env

where -e specifies the key to encrypt.

Output:

NODE_ENV=development
API_KEY=U2FsdGVkX186T6zdupR27pXHO0Hdnz9rqZfVdgqBEqk=

Decrypt

Input file (.env.encrypted):

NODE_ENV=development
API_KEY=U2FsdGVkX186T6zdupR27pXHO0Hdnz9rqZfVdgqBEqk=

Command:

$ dotenv-vault -e API_KEY -k foobarbaz decrypt .env

Output:

NODE_ENV=development
API_KEY=123456789

Create Encrypt env

The dotenv-vault create command is a convenient way to create a new entry:

$ bin/dotenv-vault -k foobarbaz create 'SOME_KEY=123456'
# => SOME_KEY=U2FsdGVkX18tEclKImEV30HSG0b7IOu3dyO3MpceCd4=

You can paste or redirect the output to register the new entry, like this:

$ bin/dotenv-vault
…

Why

How do you manage .env file in your repository?

The file may contain secret tokens. In an open-source project, that information must not be public. Even in a private repository, we shouldn't commit secrets to Git, because many stakeholders, including outsourced developers, will be working with the code.

However, applications need those secrets, so we may still want to keep them in the repository.

According to the following discussion, the mainstream option is a KMS (Key Management Service), which major cloud providers such as AWS and GCP offer:

https://www.reddit.com/r/devops/comments/52pl5c/how_do_you_manage_env_dotenv_files/

However, I would like to manage them in a simpler way, without any plugins or dependencies.

Options

yaml_vault is a good tool to keep YAML files secret.

joker1007 / yaml_vault

Yaml file encryption/decryption helper.

YamlVault


Breaking Change from 0.x to 1.0

  • Output YAML file keeps alias & anchor syntax & tag info. (But empty line is trimmed)
  • --key format is changed. (Need $ as root document at first)
  • --key supports new formats. (Root Doc, Wildcard, Regexp, Quote)

Encryption Algorithm

yaml_vault uses ActiveSupport::MessageEncryptor.

Default cipher is aes-256-cbc. Default sign digest is SHA256.

Installation

Add this line to your application's Gemfile:

gem 'yaml_vault'

And then execute:

$ bundle

Or install it yourself as:

$ gem install yaml_vault

Usage

Encrypt

# secrets.yml
default: &default
  hoge: fuga
  aaa: true
  bbb: 2
foo: bar
complicated:
  - 1
  - ["hoge", "fuga"]
  - [{key1: val1, key2: val2}, {key3: val3}]
  - a:
      b:
        c: d
        e: !ruby/range 1..10

test:
  <<: *default
  hoge:
    - 1
    - 2
    - 3

vault:
  secret_data: 
…

It is written in Ruby. Ruby on Rails uses YAML files for configuration, so the tool is popular in Rails applications.

Rails 5.2 has a similar feature built in. Running the following command decrypts the credentials file and opens it in your editor; the file is encrypted again when you finish editing.

bin/rails credentials:edit

However, my project uses neither Ruby on Rails nor YAML. It only has .env, .env.local and .env.production files.

So I created dotenv-vault (as the name suggests, inspired by yaml_vault).

Philosophy

  • Less dependency. This is convenient if we run in CI.
  • Simple. Easy setup and no DSL, zero learning cost.
  • Productive. Automate as much as possible.

Having few dependencies really matters, because it lets us use the tool in any environment and any project at zero cost. Currently dotenv-vault depends on only three things:

  • Bash
  • Openssl
  • Perl

I chose Perl to parse the dotenv file because its command syntax is the same across operating systems, whereas sed differs between the BSD and GNU versions. Major OSes such as macOS and Ubuntu ship Perl by default.

How to use

Manually

After installing (see the repo), add a # encrypt-me comment at the end of each line to be encrypted:

# .env

APP_ENV=production
APP_KEY=super_secret_value # encrypt-me

Then run the following command:

$ dotenv-vault encrypt .env

You will be asked for the password to encrypt with; type it and press Return:

Please input password and press Return:

It writes the encrypted file to standard output, like this:

APP_ENV=production
APP_KEY=U2FsdGVkX19VF+rLm7ypGQFl76Sq7QUEaU5uM+AlQmRxcKMTTj63R81K4U0WYZzy # decrypt-me

So you can redirect the output to a file:

$ dotenv-vault encrypt .env > .env.production

To decrypt the file, run:

$ dotenv-vault decrypt .env.production

Then enter the password and the decrypted output is shown.

In CI

In CI, we cannot enter the password manually, so set the DOTENV_PASSWORD environment variable in your CI service.

$ env DOTENV_PASSWORD=foo dotenv-vault decrypt .env.production > .env

(If the variable is already set by your CI service, the env DOTENV_PASSWORD=foo prefix is not needed.)

Add tokens

It is inconvenient to decrypt and re-encrypt the whole file every time we add a new token.

dotenv-vault generate simply generates an encrypted token.

$ dotenv-vault generate 'FIREBASE_TOKEN=new_secret_token'

The command output will be like this:

FIREBASE_TOKEN=U2FsdGVkX19NWIIPCamKJOFdJktBSETdFNV6BIwBlkjBNhCRQ18z2zDtVRu3fO79 # decrypt-me

So we can append the output to the file to add the new token:

$ dotenv-vault generate 'FIREBASE_TOKEN=new_secret_token' >> .env.production
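As an added example (not dotenv-vault's own code, and not guaranteed to be byte-compatible with it), the following script re-implements the marker workflow described above, from encrypt-me/decrypt-me lines through generate, using only bash and openssl; the DOTENV_PASSWORD variable is the tool's, while the function names and the -pbkdf2 option are my choices.

```shell
#!/usr/bin/env bash
# Added example, not dotenv-vault's own code: a minimal re-implementation of the
# "# encrypt-me" / "# decrypt-me" marker scheme using only bash and openssl.
# Assumptions: the password is in DOTENV_PASSWORD, values contain no " #", and
# OpenSSL >= 1.1.1 (for -pbkdf2). Output is not byte-compatible with the tool.
set -eu

CIPHER=aes-256-cbc   # the defaults the README states
DIGEST=sha256

# Encrypt one value -> single-line base64 in openssl's "Salted__" format
vault_encrypt_value() {
  printf '%s' "$1" | openssl enc "-$CIPHER" -md "$DIGEST" -salt -pbkdf2 -a -A \
    -pass env:DOTENV_PASSWORD
}

# Decrypt one base64 value back to plaintext (exits non-zero on a wrong password)
vault_decrypt_value() {
  printf '%s' "$1" | openssl enc -d "-$CIPHER" -md "$DIGEST" -pbkdf2 -a -A \
    -pass env:DOTENV_PASSWORD
}

# vault_line MODE LINE: transform one marked line; unmarked lines pass through
vault_line() {
  local mode=$1 line=$2 key value marker
  case "$mode:$line" in
    encrypt:*'# encrypt-me') marker='# decrypt-me' ;;
    decrypt:*'# decrypt-me') marker='# encrypt-me' ;;
    *) printf '%s\n' "$line"; return ;;
  esac
  key=${line%%=*}
  value=${line#*=}
  value=${value%% #*}            # drop the trailing marker comment
  if [ "$mode" = encrypt ]; then value=$(vault_encrypt_value "$value")
  else value=$(vault_decrypt_value "$value"); fi
  printf '%s=%s %s\n' "$key" "$value" "$marker"
}

# vault_process MODE FILE: equivalent of "dotenv-vault encrypt|decrypt FILE"
vault_process() {
  local line
  while IFS= read -r line || [ -n "$line" ]; do vault_line "$1" "$line"; done < "$2"
}

# vault_generate 'KEY=value': equivalent of "dotenv-vault generate"
vault_generate() { vault_line encrypt "$1 # encrypt-me"; }

# Usage: DOTENV_PASSWORD=secret ./vault.sh encrypt .env > .env.production
if [ $# -eq 2 ]; then vault_process "$1" "$2"; fi
```

The -pbkdf2 flag needs OpenSSL 1.1.1 or later and is not interoperable with ciphertext produced by the legacy EVP_BytesToKey derivation that openssl enc uses without it. aes-256-cbc on its own provides no integrity check, so treat the encrypted file as confidential but not tamper-evident.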

Thanks

I use Bashtub to run unit tests for the bash script. Bashtub is a really simple and good tool.

ueokande / bashtub

Tiny unittest framework for Bash.

Bashtub - Unit test framework for Bash


Bashtub is a tiny unit test framework for Bash. You can specify the test cases as assertion-based test cases like xUnit. Bashtub colorfully outputs the results of the test. When tests pass (screenshot: success), and when tests fail, bashtub outputs the information of the failures (screenshot: failure).

Requirements

  • Bash 3.2+

Installation

curl -o ~/bin/bashtub https://raw.githubusercontent.com/ueokande/bashtub/v0.2/bin/bashtub
chmod +x ~/bin/bashtub

where ~/bin must be in your $PATH. Then check that bashtub runs:

bashtub   # output 0 examples

Writing tests

Test cases are declared as functions whose names start with testcase_. Bashtub automatically finds the test cases in the loaded file. The tests are written as assertion-based test cases like xUnit.

Minimal test

A first, simple example is the following:

# examples/first_test_case.sh
lorem_ipsum='lorem ipsum dolor sit amet'
testcase_first_word() {
  first_word=$(echo $lorem_ipsum | cut -f1
…

Conclusion

In my use case, dotenv-vault provides useful features. If you have any opinions, please let me know!

Thanks.

Top comments (4)

dev.to staff

Hey! Just wanted to share that if you use this syntax {% github https://github.com/acro5piano/dotenv-vault we can see a preview of your repo/readme %}!

acro5piano / dotenv-vault

simple dotenv encrypt & decrypt tool inspired by yaml_vault


dotenv-vault

simple dotenv encrypt tool inspired by yaml_vault

Default cipher is aes-256-cbc. Default sign digest is SHA256.

Install

For MacOS:

git clone https://github.com/acro5piano/dotenv-vault ~/.dotenv-vault
ln -sfnv ~/.dotenv-vault/bin/dotenv-vault /usr/local/bin/dotenv-vault

For Linux:

git clone https://github.com/acro5piano/dotenv-vault ~/.dotenv-vault
sudo ln -sfnv ~/.dotenv-vault/bin/dotenv-vault /usr/bin/dotenv-vault

Requirements

dotenv-vault requires the following:

  • Bash > 2
  • Openssl > 2
  • Perl > 5

Almost all machines need no installation step.

Usage

Encrypt

Input file (.env):

NODE_ENV=development
API_KEY=123456789 # encrypt-me

where # encrypt-me marks the lines that dotenv-vault encrypt processes.

Command:

$ env DOTENV_PASSWORD=foobarbaz dotenv-vault encrypt .env

Output:

NODE_ENV=development
API_KEY=U2FsdGVkX186T6zdupR27pXHO0Hdnz9rqZfVdgqBEqk= # decrypt-me

# decrypt-me is used when the file is decrypted.

Decrypt

Input file (.env.encrypted):

NODE_ENV=development
API_KEY=U2FsdGVkX186T6zdupR27pXHO0Hdnz9rqZfVdgqBEqk= # decrypt-me

# decrypt-me marks the lines that dotenv-vault decrypt processes.

Command:

$ env DOTENV_PASSWORD=foobarbaz dotenv-vault decrypt .env.encrypted

Output:

NODE_ENV=development
API_KEY=123456789 # encrypt-me

Create Encrypt env

The dotenv-vault create command is a convenient way to create a new entry:

$ env DOTENV_PASSWORD=foobarbaz bin/dotenv-vault create
…
Kay Gosho

Thanks! Great feature.

Grachev Mikhail

Another useful tool - github.com/dotenv-linter/dotenv-li....
It’s a lightning-fast linter for .env files. Written in Rust.

Mot

Also check out github.com/dotenv-org/dotenv-vault - from the same people that helped pioneer .env files.