Load environment variables from encrypted .env.vault files, with Golang πΉ.
π± Install
go get github.com/dotenv-org/godotenvvault
ποΈ Usage (.env)
Create a .env file in the root of your project:
# .env
S3_BUCKET="YOURS3BUCKET"
SECRET_KEY="YOURSECRETKEYGOESHERE"
As early as possible in your application, import and configure godotenvvault:
package main
import (
"log"
"os"
"github.com/dotenv-org/godotenvvault"
)
func main() {
err := godotenvvault.Load()
if err != nil {
log.Fatal("Error loading .env file")
}
s3Bucket := os.Getenv("S3_BUCKET")
secretKey := os.Getenv("SECRET_KEY")
// now do something with s3 or whatever
}
Thatβs it! os.Getenv has the keys and values you defined in your .env file. Continue using it this way in development.
π Deploying (.env.vault)
Generate a .env.vault file in the root of your project.
$ npx dotenv-vault local build
This will create an encrypted .env.vault file along with a .env.keys file containing the encryption keys. Set the DOTENV_KEY environment variable on your server by copying and pasting the key value from the .env.keys file. For example, in heroku Iβd run the following command.
$ heroku config:set DOTENV_KEY=<key string from .env.keys>
Commit your .env.vault file safely to code and deploy. Your .env.vault fill be decrypted on boot, itβs environment variables injected, and your app work as expected.
π΄ Manage Multiple Environments
You have two options for managing multiple environments - locally managed or vault managed - both use dotenv-vault.
Locally managed never makes a remote API call. It is completely managed on your machine. Vault managed adds conveniences like backing up your .env file, secure sharing across your team, access permissions, and version history. Choose what works best for you.
π» Locally Managed
Create a .env.production file in the root of your project and put your production values there.
# .env.production
S3_BUCKET="PRODUCTION_S3BUCKET"
SECRET_KEY="PRODUCTION_SECRETKEYGOESHERE"
Rebuild your .env.vault file.
$ npx dotenv-vault local build
Check your .env.keys file. There is a production DOTENV_KEY that coincides with the additional DOTENV_VAULT_PRODUCTION cipher in your .env.vault file.
Set the production DOTENV_KEY on your server, recommit your .env.vault file to code, and deploy. Thatβs it!
π Vault Managed
Sync your .env file. Run the push command and follow the instructions. learn more
$ npx dotenv-vault push
Manage multiple environments with the included UI. learn more
$ npx dotenv-vault open
Build your .env.vault file with multiple environments.
$ npx dotenv-vault build
Access your DOTENV_KEY.
$ npx dotenv-vault keys
Set the production DOTENV_KEY on your server, recommit your .env.vault file to code, and deploy. Thatβs it!
β FAQ
What happens if DOTENV_KEY is not set?
godotenvvault gracefully falls back to godotenv when DOTENV_KEY is not set. This is the default for development so that you can focus on editing your .env file and save the build command until you are ready to deploy those environment variables changes.
Should I commit my .env file?
No. We strongly recommend against committing your .env file to version control. It should only include environment-specific values such as database passwords or API keys. Your production database should have a different password than your development database.
Should I commit my .env.vault file?
Yes. It is safe and recommended to do so. It contains your encrypted envs, and your vault identifier.
Can I share the DOTENV_KEY?
No. It is the key that unlocks your encrypted environment variables. Be very careful who you share this key with. Do not let it leak.