Allow (or enforce) encryption of .env file

[YPCrumble]

Hi - thanks for building this great repo!

I noticed that you suggest adding .env to the .gitignore file - presumably because the config shouldn't be exposed as part of the repository?

Do you have a suggestion on how to share the .env file with members of my team?

The best answer I could find suggests checking in the .env file and encrypting it as an option.

What do maintainers think about allowing encryption of the .env file with one master password? I'd be happy to help with a PR if it would be welcomed and someone could help me think through best practice implementation.

Or, is there a better way to share the .env file with my team?

[merwok]

I think the typical way is to have .env.example in your repo, with comments to explain the settings, default values where possible (e.g. DATABASE_URL="postgres://localhost:5432/project"), and instructions for real secrets (GOOGLE_MAPS_API_KEY="ask in slack channel XYZ" or "see 1password/project/google maps key"). Then the README can instruct people to copy that file to .env and edit it.

[Pithikos]

@merwok but how would that work when you kill instances and make new ones all the time? For every new deploy you will need to manually copy the file from one place to another so that doesn't seem pragmatic.

I think encrypting the file is the more realistic. Then you have everything in one place and you only need to pass one environment variable (the decryption key) to the server.

[merwok]

Ah that’s another problem! What I said about copying .env.example to .env and changing values is for local dev, i.e. to help my coworkers set up their environment.

For server deployment, this becomes a config management issue.
If I run on Heroku, I already have an interface to define environment variables.
On another container platform, I have docker secrets.
On AWS EC2, I’ll get my secrets from SSM.
On another VM, maybe I’ll have an ansible vault that creates a .env file.

[joshgeller]

@merwok In your EC2/SSM example, do you still use this library?

[merwok]

No, I connect to the SSM API (using https://github.com/caravancoop/configstore/) to get settings, without writing them to an env file.