Both TravisCi, CodeShip, AWS, Docker Swarm and many professional platforms provide mechanisms to encrypt environment variables and pass them to the container. The key for the variables is stored in their key store mechanism.
However, if you wanted to use something universal, Good luck. I spent hours and couldn't find anything. If you find a solution please feel free to let me know, I would appreciate it.
I decided to use Open SSL with two variables. The variables are a Symmetric Encryption Key and Destination Environment value. These two variables are used to decrypt the correct env file and expand the variables into the shell. These two variables are sent to the container with the env files that are encrypted.
As you can guess, this technique has problems ( as do all techniques ):
- The key and destiny environment values are passed as clear text to the container ( but can be encrypted with the platforms techniques ).
- The deployment has to decrypt the values and pass them to the shell... writing a file would be bad and this makes things complicated.
- All the environment variables ( encrypted ) have to be bundled with the deployment.
files .env.<ENV>.enc were is DEV, PROD, TEST are the encrypted environment files.
files <ENV>-example.sh were is DEV, PROD, TEST are test files and should be deleted.
.
|____.env.DEV.enc
|____.env.PROD.enc
|____.env.TEST.enc
|____TEST-example.sh
|____DEV-example.sh
|____PROD-example.sh
export X=TEST
for this example. you need these two.
I used the same key for all three environments ( bad idea ) ENVPASSWORD
ENV tell this script which file to decrypt.
export ENVPASSWORD=ZuCmYE2qD6UU3C2Yh9BcB9Yin
export ENV=TEST
- Phil