Dotenv Vault


Posted on Fri, Sep 16, 2022 security env zsh

INTRODUCTION TO DOTENV VAULT!

💡 What it is, Why You Should Use it, and How to Get Started

Dotenv Vault is a security tool and key management system. This article will guide you through using it in your own application development process. You'll also get a good understanding of what .env files are, and learn how to avoid the security pitfalls commonly encountered when managing them.

Read on to learn more about Dotenv, why you should use it, and how to start using it.

WHAT IS A .ENV FILE?

A .env file contains the configuration required for your application to run. This configuration normally includes sensitive data, stored as key-value pairs. The key-value pairs may differ based on whether your application runs locally or on a production server.

In a web-based application, environment variables are set from such .env files.
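As an added example (not code from the original post or from the dotenv project), here is a small Node.js parser for the .env format just described, covering comments, blank lines, an optional `export` prefix and quoted values; the sample file and the `missingVars` helper are constructed for this illustration.

```javascript
// Added example, not code from the original post or the dotenv project: a
// small parser for the .env format described above. It handles comments,
// blank lines, an optional "export " prefix, single- and double-quoted
// values (with \n escapes in double quotes) and inline comments.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;       // blank or comment
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;                                         // not KEY=VALUE
    const key = m[1];
    let value = m[2];
    const dq = /^"((?:[^"\\]|\\.)*)"\s*(?:#.*)?$/.exec(value); // "..."  # comment
    const sq = /^'([^']*)'\s*(?:#.*)?$/.exec(value);           // '...'  # comment
    if (dq) {
      value = dq[1].replace(/\\n/g, '\n').replace(/\\"/g, '"'); // expand escapes
    } else if (sq) {
      value = sq[1];                                            // literal
    } else {
      value = value.replace(/\s+#.*$/, '').trim();              // strip inline comment
    }
    out[key] = value;
  }
  return out;
}

// Names of required variables that are absent or empty in a parsed .env,
// so an application can fail fast at startup instead of later at runtime.
function missingVars(env, required) {
  return required.filter((name) => !env[name]);
}

// Constructed sample .env covering the kinds of entries the post lists.
const SAMPLE_ENV = [
  '# constructed sample, not a real configuration',
  'DB_HOST=localhost',
  'DB_PASSWORD="p@ss word"   # quotes preserve spaces',
  "API_KEY='abc#123'",
  'export AUTH_TOKEN=tok_example_value # inline comment',
  'PRIVATE_KEY="line1\\nline2"',
  'SERVICE_URL=https://api.example.com/v1',
  'this line has no equals sign and is skipped',
].join('\n');

const parsed = parseDotenv(SAMPLE_ENV);
console.log(parsed);                                      // 6 keys
console.log(missingVars(parsed, ['DB_HOST', 'DB_USER'])); // [ 'DB_USER' ]
```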

ARE THERE PROBLEMS WITH .ENV FILES?

A .env file contains sensitive information that your application needs in order to run. This is not information you want to share with anyone who lacks proper authorization.

The following are some of the values typically stored in a .env file:

  • Database Passwords
  • Authentication Tokens
  • API Keys
  • URLs

It can be crucial for security reasons not to leak this kind of information to the public.

So how can we protect that sensitive information?

Let's look at a use-case scenario:

🗣️ "You've built an application and shared it for anyone to download after uploading its source code to GitHub. You accidentally uploaded a .env file that has auth tokens and some of the API keys of your servers."

In this case, any public user may misuse that sensitive information. 😱

Another issue that can arise when dealing with sensitive information is safely synchronizing environment files among your team members. Without a mechanism to synchronize these files for you, you'll have to keep multiple copies of .env files in your team's development ecosystem, which can quickly become a mess!

It's been known that certain teams share environment files via Slack, Teams, and other communication apps. However, this method is still not an ideal solution for sharing sensitive information, since encryption isn't part of the process.

❓ So, shouldn't there be a tool built that helps synchronize .env files quickly and securely?

Your team members deserve to have the latest environment files instantly!

WHAT IS DOTENV VAULT?

Dotenv Vault is a security tool first created in 2013 by Mot (https://github.com/motdotla) to assist developers who were having trouble protecting their proprietary information. It was made to make things better, easier, and safer while keeping private information safe.

WHY SHOULD YOU USE IT?

The key management functionality within Dotenv Vault uses in-memory servers, SSL encryption for data transfer, and a unique datastore that is not accessible through the internet. Because of this, even if attackers manage to access the application, they cannot access the vault's datastore and therefore will not be able to run your application.

The encryption process employs AES-GCM encryption. AES-GCM encryption is a well-researched algorithm that meets the standards of the Internet Engineering Task Force and is recommended by the National Institute of Standards and Technology.

The rotation schedule for the encryption key(s) used to encrypt the secret values is kept private. Because the keys rotate, an attacker who obtained an old encryption key would still be unable to decrypt the secret information.

This means that if you are building a project and need to share a secret file, you simply need to tell your team to run dotenv-vault push after editing your .env file, and the encryption process runs automatically.

HOW TO USE DOTENV VAULT

There are two ways to access Dotenv Vault after creating a project on https://dotenv.org. You can use either:

  • The command line
  • A graphical user interface

USING THE COMMAND LINE TOOL

To begin, open a terminal and navigate to your project's root directory, which contains your .env file.

Then you can run the following commands:

1 : INITIALIZE DOTENV IN A NEW PROJECT

First, you have to initialize a new dotenv vault for your project. Open your terminal, navigate to the project root directory containing your .env file, and run the command below:

npx dotenv-vault new

2 : GIVE YOUR PROJECT A NAME

Choose a unique name for your project on the page that opens in your browser.

3 : SET UP THE PROJECT

The next window prompts you to copy the code shown and return to your CLI, then run:

npx dotenv-vault login

4 : COMPLETE THE LOGIN PROCESS

On the next prompt in your browser, complete the login process by confirming the message sent to your email address.

5 : PUSH YOUR .ENV FILE TO THE VAULT

Before you push your file to the vault, you can choose to view .env.me, which is now available at the root of your project. Since it is a hidden dotfile, run the command below in your terminal to list it:

ls -al

7 : TO CHECK THE URL

npx dotenv-vault

8 : LOGGING OUT

You can log out by running the command :

npx dotenv-vault logout

For more information on the logout command, run this in your terminal:

npx dotenv-vault help logout

For more, you can use the following commands to interact with Vault using the command line interface:

npx dotenv-vault new       # create your project
npx dotenv-vault login     # log in to dotenv-vault
npx dotenv-vault logout    # log out
npx dotenv-vault open      # open project page
npx dotenv-vault push      # push .env securely
npx dotenv-vault pull      # pull .env securely
npx dotenv-vault versions  # list version history
npx dotenv-vault whoami    # display the currently logged-in user
npx dotenv-vault status    # check dotenv-vault operational status

USING THE GRAPHICAL USER INTERFACE

Once you sign up on https://dotenv.org/, you can log in to the system.

First, create an organization, and then create a project under that organization.

In this example, an inventory project has been created.

Once you create the project, you can add a key-value pair (a secret) by clicking the Add Secret button on the right.

💡 This lets you keep adding key-value pairs to your .env file.

If you want to pull your .env file into your development working folder, you can use the following command:

npx dotenv-vault pull development

MANAGE .ENV VARIABLES IN MULTIPLE ENVIRONMENTS

When you deploy an app, you'll need development, staging, and production environments to build and run it. This means you need a different set of .env variables for each build. Dotenv Vault can handle multiple environments without any issues.

In the following screen, you can see the different environments in which you can use your .env keys and values.

Once you select the environment, you can change the value for that selected environment key.

The default system has four environments (development, production, staging, and CI). You can, however, define more environments according to your requirement.

If you want to change the DB_HOST value for the development environment, you can open the following screen and change its value.

With the graphical tool, you can manage all .env values for different environments in a centralized location, and team members can pull and have the same copy of the .env file instantly and securely!

CONCLUSION

With the opening of this open-source repository, which has gained 16,000 stars on GitHub over the course of nine years, developers can finally enjoy a system to easily and securely manage .env files across multiple applications.

You can securely manage your environment keys using this vault, keep them up to date, and share them with your team members!

You can learn more details about Dotenv Vault at https://www.dotenv.org/vault.