Today I Learned


Use encrypted env vars with direnv

Direnv executes a shell script (.envrc) when you enter a directory, so if your env file is encrypted you can have it decrypted for you automatically:

.env:

STRIPE_PK="123456789"
API_KEY="qwertyuiop"

Say it was encrypted:

$ ansible-vault encrypt --vault-password-file config/master.key .env
$ cat .env
$ANSIBLE_VAULT;1.1;AES256
35306466356632363334643432343132356662376462333964366534393462366333623764336161
6131336435323834623539323462626235383330346562660a323534656133653237656634346235
30653635663438313931393966383266663535313361613339396234373164323830373262633661
6262356131306530350a643362623636323762656132326363323736633431396463616137343139
66666438623230333636373563393165333562633964616536663363323334343235386465346663
3365643263643766323835356230636539353034643034346136

Now that we have an encrypted .env file, we just need direnv to decrypt it whenever we’re in our directory:

.envrc:

# decrypt .env to stdout; xargs joins the lines into one argument list
# (stripping the surrounding quotes) so export sees KEY=value pairs
export $(ansible-vault decrypt --vault-password-file config/master.key --output - .env | xargs)

Output:

$ cd rails_app
direnv: loading ~/dev/rails_app/.envrc
direnv: export +API_KEY +STRIPE_PK
$ echo $API_KEY
qwertyuiop

Now whenever we enter the directory, the unencrypted env vars are available in our shell, but the file remains encrypted on disk. For whatever that’s worth.
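The `export $(... | xargs)` line word-splits the decrypted text, so a value containing a space breaks it, and nothing stops the script if the key file is missing or readable by others. Below is an added bash .envrc loader (not from the post) that keeps the same ansible-vault call but parses each KEY=value line itself and checks the key file first; the function names, the 0600 permission check and the GNU/BSD `stat` fallback are my own choices, while the paths are the post's.

```bash
# Added example, not from the original post: a direnv .envrc loader that
# decrypts with ansible-vault and exports each KEY=value line without the
# word-splitting of `export $(... | xargs)`. Function names are my own;
# paths default to the post's config/master.key and .env.

# Fail closed unless the vault password file exists and is owner-only (0600/0400).
require_keyfile() {
  local key="$1" mode
  [ -f "$key" ] || { echo "vault key $key missing" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback (assumed flags)
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "vault key $key has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# Read dotenv-style lines from stdin and export them. Blank lines, comments,
# lines without '=' and names that are not valid shell identifiers are
# skipped; a value wrapped in matching single or double quotes is unwrapped,
# everything else is taken verbatim, so spaces, '#' and '=' inside survive.
export_dotenv_lines() {
  local line key value
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    case "$key" in ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;; esac
    case "$value" in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    export "$key=$value"
  done
}

# Decrypt .env with ansible-vault and export its contents into the shell
# that direnv is evaluating. A heredoc is used instead of a pipe so the
# exports happen in this shell rather than in a subshell.
vault_load_env() {
  local key="${1:-config/master.key}" file="${2:-.env}" plaintext
  require_keyfile "$key" || return 1
  plaintext=$(ansible-vault decrypt --vault-password-file "$key" --output - "$file") || return 1
  export_dotenv_lines <<EOF
$plaintext
EOF
}
```

Put these functions in .envrc and call `vault_load_env` at the end; the decrypted values still land in the environment of every process started from that shell, so the key file is the secret to guard.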