@sodefa/gitenvs

Git Envs

Save encrypted environment variables directly in git.

Setup

• Create a ts file in your root folder (we suggest createEnvFiles.ts)
• Copy the following template into the file:

import { GenerateEnvFilesFunction, Keys, main } from '@sodefa/gitenvs'

type Stage = 'production' | 'staging' | 'development'

const generateEnvFiles: GenerateEnvFilesFunction<Stage> = ({
  resolveSecret,
}) => {
  return [
    {
      envFilePath: 'path/to/your/app/.env.local',
      envVars: [
        {
          key: 'ENV_NAME',
          values: {
            default: 'EMPTY',
            production: resolveSecret(''),
            staging: resolveSecret(''),
            development: resolveSecret(''),
          },
        },
      ],
    },
  ]
}

const keys: Keys<Stage> = {
  production: {
    publicKey: '',
    encryptedPrivateKey: '',
  },
  staging: {
    publicKey: '',
    encryptedPrivateKey: '',
  },
  development: {
    publicKey: '',
    encryptedPrivateKey: '',
  },
}

main({
  generateEnvFiles,
  keys,
})

• Setup the stages as you need them
  • development is the default stage that is used if you do not specify any stage
• Create new public / private keys for every stage you defined by running npx ts-node createEnvFiles.ts createKeys (or how you called your file)
  • Copy the object with publicKey & encryptedPrivateKey and paste them into the keys object in your createEnvFiles.ts file
  • !WARNING! Do not copy & paste the passphrase into createEnvFiles.ts. It is a secret! Save it into your password manager.
• Add the following command to your package.json:
  • "env:create": "cross-env npx tsx createEnvFiles.ts createEnvFiles"
    if you setup just one stage other than 'development' you have to add GITENV_STAGE=YourStageName in front of the npx part. Otherwise the default stage will be used which is 'development'
  • "env:ui": "npx tsx watch createEnvFiles.ts ui"
  • "prepare": "yarn env:create" (This is so that the .env files will be created after node_modules were installed)
• Add *.passphrase to your .gitignore

Adding new environment variables

• Start the UI by running yarn env:ui and go to http://localhost:1337
• Define environment variables in your createEnvFiles.ts file
  • The default value will be used if no value for the current stage is provided
  • If you want to use an encrypted enviroment variable go to the UI and enter the plaintext under Encryption
  • Copy the encrypted secret and paste it into the resolveSecret function. Example: resolveSecret('jk3Z35gkHKQtWlLWl4HXdhEJQAJdyIHTzQ4nH/uq84+SdD2ty2Q6qEECfjbAr79U65slD+8BxmFbSMwkAFdXtpkJpw+vHzwi+uVbMIDuq/yHW39XQ9Tv+5qGO3xIZnnE1HrkIOYNFc5O+YLb5dsBTasBwbMrVEBSUL1jA7NdL1IHo9lidrMPFfPxTdyB6COfuhu+UBq1MSXvjVabXXYuU2LXCBVeGhfRRVqs9lxPzb0ilplldsxns3nWRc3g2C5mOc3P2Ki9PjPEmaSvAi/CDgtrXuhMQ4yjeTTLmsZ9iDzyC9RR6apoJBj0NMkFxrnoJg/gG9Jyrgofbi2vfgmchFTPNB41KggNFEMGf428oihXW/k0o9tZWkyiCkXyysjHNJ/hz5g10tEBII1DTifWSe4H2LAfvAliOz8EzTMopXnra5LjlP1exDiTBTwg1GQj6VJ0tcYGnDLkGbkHVXZSZxQwgHWyUKcipb3J2O+21qMWcsRPGo4mzH0X6ORKnD+v4oGI34YDvcedMuQEfs2pmmX+EYwQx3TRgNk6Uy3ZAU84nM2z3IFeLBjhra5/mIH68y/MFMN/Kle6lEa28RR3bz2ToMDrDfvEyIQV+T2X0h8YiUDhol6UWA6OPGY8p2xS8Inz/byQCjbPO0z9hk1Vq9nzMkaupAy/KzZcorwtSPc=')

Decrypting environment variables locally

• This is for debugging purposes only
• Copy the passphrases you got from the createKeys command and paste them into the textarea under Decryption
• All secrets will be revealed

Setting up local dev environment

• You want to give all your developers the development passphrase so that they can work
• You can send them a file called development.passphrase which just contains the passphrase
• They should place it under the root folder and the local .env files will be created if they run env:create / yarn install

Setting up servers

• On servers you want to provide the passphrase through environment variables. You have to provide two env vars:
• GITENV_STAGE defines which stage should be used
• GITENV_PRIVATE_KEY_PASSPHRASE_${stageName} contains the passpharse. Replace ${stageName} with the stage name you used in GITENV_STAGE