Environment Variables
Environment variables are stored in encrypted .env files in local environments. For production, they are stored in .prod.env.
To update the variables, encrypt the production variables to a .secret.env file using the procedure below. GitHub Actions decrypts it to a plain .env before the application uses it.
Encrypting and Decrypting Environment Variables
The .env file is encrypted using sops and age for secure storage in the repository.
Installing Required Tools
- Install sops:
    curl -LO https://github.com/mozilla/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64
    chmod +x sops-v3.9.0.linux.amd64
    sudo mv sops-v3.9.0.linux.amd64 /usr/local/bin/sops
- Install age:
    sudo apt-get install age
- Generate a key pair:
    age-keygen -o keys.txt
Encrypting .env File
Important: Ensure there are no blank lines in the .env file to avoid decryption issues.
sops --encrypt --age '<public-key>' .prod.env > secret.env
Decrypting .env File
Store the keys.txt file at ~/.config/sops/ for automatic key detection:
sops --decrypt --input-type dotenv --output-type dotenv secret.env > .prod.env
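The following is an added example, not part of the original procedure. It wraps the encrypt step with two checks: the blank-line rule from the note above, and a test that the output really is sops ciphertext before it is committed. The function names are hypothetical, and the script assumes the default sops dotenv output, where every value is wrapped in ENC[...] and sops_* metadata lines (including sops_mac) are appended.

```shell
#!/bin/sh
# Added example: guards around the sops/age encrypt step (function names are hypothetical).

# Succeeds only if the plaintext dotenv file has no blank or whitespace-only lines.
has_no_blank_lines() {
    ! grep -qE '^[[:space:]]*$' "$1"
}

# Succeeds only if the file looks like sops dotenv output:
#  - a sops_mac metadata line is present, and
#  - every KEY=VALUE line outside the sops_* metadata has an ENC[...] value.
# Comment lines are skipped. Assumes default sops settings (all values encrypted).
is_sops_encrypted() {
    file=$1
    grep -q '^sops_mac=ENC\[' "$file" || return 1
    # Any line that is not metadata, a comment, blank, or KEY=ENC[...] is plaintext.
    ! grep -qvE '^(sops_.*|#.*|[[:space:]]*|[^=]+=ENC\[.*])$' "$file"
}

# Runs the encrypt command with both guards.
# $1 = age public key, $2 = plaintext file (default .prod.env), $3 = output (default secret.env)
encrypt_prod_env() {
    pubkey=$1
    src=${2:-.prod.env}
    out=${3:-secret.env}
    has_no_blank_lines "$src" || { echo "blank line found in $src" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if sops --encrypt --age "$pubkey" --input-type dotenv --output-type dotenv "$src" > "$tmp" \
        && is_sops_encrypted "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "encryption failed or output is not fully encrypted" >&2
        return 1
    fi
}

# Usage:
#   encrypt_prod_env '<public-key>'
#   is_sops_encrypted secret.env || echo "refusing to commit plaintext" >&2
```

is_sops_encrypted can also run on its own in a pre-commit hook or CI step to reject a secret.env that was committed in plaintext by mistake.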