Background
I needed a solution for the secure transfer of sensitive data from the developer through to deployment on the residual environment. I really like the GitOps approach of storing a single source of truth in a code repository. I was struggling with the problem of how, with minimal interference for the developer, to store environment variables. We published our code very often, built to serve as microservices on k8s. Initially, we had a solution to replace special tags with values that were stored in a secret in one of the namespaces. But this solution required a lot of extra work, which consisted of writing down the values to change and replacing them during deployment. We didn't use any paid services for storing sensitive data and I'll be honest, we don't intend to?
So the initiative was born to create something simpler than BlackBox (and more secure than GPG?), which would allow us to safely store variables in git with minimal effort and then just as easily use them during deployment.
This is how EnvCloak was created, whose main operation is to create encrypted files and the keys to them. The procedure is completely reversible (decrypt) during deployment using the same key and encrypted file from the repository. The goal of this project is to create as simple and intuitive a tool as possible.
Project URL: https://github.com/Veinar/envcloak
If you find EnvCloak useful, please star the repository. It helps others discover this project! - thank you!
Usage
As for the main points of interest, we have three must-have commands for the easiest workflow usage:
Usage is really simple:
ℹ️ This part is being done by developer
- Generate key,
envcloak generate-key --output secretkey.key
⚠️ Remember to use the same key (I really encourage doing it in base64 form) in the CI/CD tool as a secret variable.
- Encrypt sensitive variables file,
envcloak encrypt --input .env --output .env.enc --key-file secretkey.key
Encrypted file can be securely stored in git. But key file will be automatically added to .gitignore because it cannot be present with *.enc file. For env file you must explicitly add it to .gitignore.
Now, when we want to use it after transfer, simply decrypt it with the securely passed encryption key.
ℹ️ This part can be done in a workflow or by a developer with a fresh clone of the repository.
- Decrypt encrypted file during deployment.
envcloak decrypt --input .env.enc --output .env --key-file secretkey.key
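The decrypt step with a key passed as a base64 CI/CD secret, as an added example (not part of EnvCloak or of the original post): the key file is rebuilt from the secret, checked, used once and deleted. The variable name `ENVCLOAK_KEY_B64` is hypothetical, and the 32-byte check assumes the key file holds a raw AES-256 key.

```shell
#!/bin/sh
# Added example, not part of EnvCloak. ENVCLOAK_KEY_B64 is a hypothetical
# CI/CD secret name holding the output of `base64 < secretkey.key`.

# Decode a base64 key into a private temp file and print the file's path.
restore_key() {
    key_b64=$1
    if [ -z "$key_b64" ]; then
        echo "key secret is empty" >&2
        return 1
    fi
    key_file=$(mktemp) || return 1
    chmod 600 "$key_file"               # readable by the job's user only
    if ! printf '%s' "$key_b64" | base64 -d > "$key_file" 2>/dev/null; then
        rm -f "$key_file"
        echo "key secret is not valid base64" >&2
        return 1
    fi
    # Assumption: the key file is a raw AES-256 key, i.e. exactly 32 bytes.
    size=$(wc -c < "$key_file" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        rm -f "$key_file"
        echo "expected a 32-byte key, got $size bytes" >&2
        return 1
    fi
    printf '%s\n' "$key_file"
}

# Decrypt .env.enc with the restored key, then always remove the key file.
decrypt_env() {
    key_path=$(restore_key "$ENVCLOAK_KEY_B64") || return 1
    status=0
    envcloak decrypt --input .env.enc --output .env --key-file "$key_path" || status=$?
    rm -f "$key_path"
    return "$status"
}

# Only act when the CI/CD secret is present in the job environment.
if [ -n "${ENVCLOAK_KEY_B64:-}" ]; then
    decrypt_env
fi
```

A truncated or mistyped secret fails at the length or base64 check before `envcloak decrypt` is ever called, so the job log shows which input was wrong without printing the key.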
Tool also provides functionalities like compare and key-rotation.
To ensure security AES-256-GCM was used for encryption, and EnvCloak uses duplicated SHA3 verification of file and content during decryption.
I've described usage in popular CI/CD pipelines like GitHub Actions, GitLab CI/CD, Azure Pipelines and in k8s-like systems.
ℹ️ I'm still working on creating self-contained binaries to remove the requirement of using Python at all.
Conclusion
If you're searching for an easy and reliable solution to manage encrypted environment files securely, I hope you'll give my project, EnvCloak, a try.
I realise that the topic of security is thin ice, as it is difficult to trust a new tool, but "who dares, wins"! I think the project is mature enough for first-time users.
I'm happy to answer any questions or explore any use cases you might have for securing and managing your environment files to see how EnvCloak can help streamline your workflow.
Feel free to leave a comment, and thanks for checking it out!