The file may contain secret tokens. In OSS, that information must not be made public. Even in a private repository, we shouldn't commit secret information to Git, because many stakeholders, including outsourced developers, will commit code.
However, applications need secret information, so we may still want to include it in the repository.
According to this article, the major option is to use a KMS (Key Management Service). Major cloud services such as AWS and GCP provide one.
It is written in Ruby. Ruby on Rails uses YAML files for configuration, so the tool is popular with Ruby on Rails applications.
Rails 5.2 has a similar function by default. If we run the following command, the file is decrypted and opened in our editor. The file is encrypted again after editing.
bin/rails credentials:edit
However, my project uses neither Ruby on Rails nor YAML. Only .env, .env.local and .env.production files exist.
So I created dotenv-vault (apparently inspired by yaml_vault).
Philosophy
Few dependencies. This is convenient when running in CI.
Simple. Easy setup and no DSL, zero learning cost.
Productive. Automate as much as possible.
Having few dependencies is really important because we can use this tool in any environment and any project at zero cost. Currently dotenv-vault depends on these three:
Bash
OpenSSL
Perl
I chose Perl to parse the dotenv file because Perl does not change command syntax between operating systems. sed differs between BSD and GNU.
Major operating systems, such as macOS and Ubuntu, include Perl by default.
How to use
Manually
After installing (checking out the repo), add a # encrypt-me comment at the end of each line to be encrypted:
Bashtub is a tiny unit test framework for Bash
You can specify the test cases as assertion-based test cases, like xUnit
Bashtub colorfully outputs the results of the test
When tests pass
and when tests fail, Bashtub outputs information about the failures,
where the path ~/bin must be included in $PATH.
Then check that bashtub runs.
bashtub # output 0 examples
Writing tests
Test cases are declared in functions whose names start with testcase_.
Bashtub automatically finds the test cases in the loaded file.
The tests are written as assertion-based test cases, like xUnit.
Minimal test
The first, simple example is the following:
# examples/first_test_case.sh
lorem_ipsum='lorem ipsum dolor sit amet'
testcase_first_word() {
first_word=$(echo $lorem_ipsum| cut -f1
Hey! Just wanted to share that if you use this syntax {% github https://github.com/acro5piano/dotenv-vault we can see a preview of your repo/readme %}!
simple dotenv encrypt & decrypt tool inspired by yaml_vault
dotenv-vault
simple dotenv encrypt tool inspired by yaml_vault
Default cipher is aes-256-cbc. Default sign digest is SHA256.
Install
For macOS:
For Linux:
Requirements
dotenv-vault requires the following:
Most machines need no installation step for these.
Usage
Encrypt
Input file (.env):
where # encrypt-me marks a line for dotenv-vault to encrypt.
Command:
Output:
# decrypt-me will be used when decrypting the file.
Decrypt
Input file (.env.encrypted):
# decrypt-me marks a line for dotenv-vault to decrypt.
Command:
Output:
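The encrypt and decrypt passes described above, sketched as an added example that is not dotenv-vault's own code. It assumes a passphrase in a DOTENV_PASSWORD environment variable (a hypothetical name), OpenSSL 1.1.1 or later for -pbkdf2, and an output layout chosen for this sketch; it leaves out the SHA256 signing step, so the ciphertext here is not integrity-protected.

```sh
#!/bin/sh
# Added example, not dotenv-vault's own code. Assumptions: the passphrase is in
# the DOTENV_PASSWORD environment variable (hypothetical name), ciphertext is
# single-line base64 from `openssl enc`, and the signing step is left out.
set -eu

CIPHER=aes-256-cbc   # the default cipher named on this page

# Encrypt one value with a random salt and a PBKDF2-derived key (OpenSSL >= 1.1.1).
encrypt_value() {
  printf '%s' "$1" | openssl enc "-$CIPHER" -pbkdf2 -salt -a -A -pass env:DOTENV_PASSWORD
}

# Reverse of encrypt_value; openssl exits non-zero on a padding error.
decrypt_value() {
  printf '%s' "$1" | openssl enc -d "-$CIPHER" -pbkdf2 -a -A -pass env:DOTENV_PASSWORD
}

# transform encrypt|decrypt: read dotenv text on stdin, rewrite only lines that
# end in " # <mode>-me", flip the marker, and pass every other line through.
transform() {
  mode=$1
  if [ "$mode" = encrypt ]; then other=decrypt; else other=encrypt; fi
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      '#'*) printf '%s\n' "$line" ;;                # whole-line comment, untouched
      *=*" # ${mode}-me")
        key=${line%%=*}                             # text before the first '='
        value=${line#*=}                            # text after the first '='
        value=${value%" # ${mode}-me"}              # drop the marker
        value=${value%"${value##*[! ]}"}            # trim trailing spaces
        out=$("${mode}_value" "$value") || return 1 # fail loudly, never emit a blank
        printf '%s=%s # %s-me\n' "$key" "$out" "$other" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Constructed sample; the round trip runs only when a passphrase is supplied.
SAMPLE='APP_NAME=demo
API_TOKEN=s3cr3t-value # encrypt-me'
if [ -n "${DOTENV_PASSWORD:-}" ]; then
  encrypted=$(printf '%s\n' "$SAMPLE" | transform encrypt)
  printf '%s\n---\n' "$encrypted"
  printf '%s\n' "$encrypted" | transform decrypt
fi
```

Because the salt is random, the ciphertext differs on every run, so re-encrypting an unchanged file still produces a diff in Git.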
Create Encrypt env
…dotenv-vault create command is convenient for creating a new entry: