In a stream of Random Thoughts ..

Musings and rummaging …

Setting up secure development environments

In today's world of software development, with containers, Kubernetes and the cloud, one at some point stumbles into the 12-factor app methodology. One of the things stated there is that configuration belongs in the environment, meaning it should be stored in one's environment (as environment variables) rather than in the code. Some of the things you wish to store there are sensitive, like passwords or API keys, and you certainly want to store those in a secure and responsible manner, so that they do not end up on, say, GitHub for everybody to read.

Furthermore, when changing software projects relatively often, it can be a pain keeping one's environment setup in sync. This can largely be automated using the excellent direnv utility. So we really want to use direnv and store the environment in .envrc files, while still keeping the sensitive information secure. How to do that?

Recently, I have used this .envrc for my projects:

  # Default environment; override it in your shell before entering the directory.
  export ENV=dev

  # General secrets, shared by all environments. gpg decrypts to stdout and the
  # resulting "export ..." lines are evaluated into the current shell.
  # The command substitution is quoted so newlines between lines are preserved.
  if [ -f .envrc.gpg ]; then
      echo "Using encrypted values"
      eval "$(gpg -q --for-your-eyes-only --no-tty -d .envrc.gpg)"
  fi

  # Environment-specific secrets, e.g. .envrc.dev.gpg or .envrc.prod.gpg.
  if [[ -n ${ENV} && -f .envrc.${ENV}.gpg ]]; then
      echo "Using encrypted values for $ENV"
      eval "$(gpg -q --for-your-eyes-only --no-tty -d ".envrc.${ENV}.gpg")"
  fi

  # Non-sensitive settings can stay in plain text in .envrc itself.
  export LOGLEVEL=debug
  export FEATURE_OPEN_ENDPOINTS=true

So what does it do? It allows storing sensitive information in a .envrc.gpg file for general settings, and in environment-specific .envrc.<ENV>.gpg files. If I by accident commit a PGP-encrypted file, there really is no harm done.

As a bonus point, I can encrypt the files for my coworkers, so that we can actually share them responsibly.
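One thing worth adding to the .envrc above and to the sharing setup is a check on what gets evaluated: gpg -d will decrypt any file that was encrypted to your key, and eval then runs whatever the plaintext contains, so it pays to verify that the decrypted file holds nothing but plain export lines before evaluating it. The following bash functions are an added example, not part of the original post; they assume bash, the same gpg invocation as the .envrc, and constructed sample inputs.

```shell
# Validate decrypted .envrc content before handing it to eval.
# Only blank lines, comments and plain "export NAME=value" lines pass;
# anything eval could turn into a command (command substitution, backticks,
# separators, redirections) is rejected.
validate_env_exports() {
  local line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
    esac
    # line must start with "export" and a valid variable name
    printf '%s\n' "$line" | grep -Eq '^export [A-Za-z_][A-Za-z0-9_]*=' || return 1
    # reject shell metacharacters anywhere in the value part
    case "$line" in
      *'$('*|*'`'*|*';'*|*'&'*|*'|'*|*'<'*|*'>'*) return 1 ;;
    esac
  done
  return 0
}

# Decrypt one .gpg env file (same gpg invocation as the .envrc above),
# validate the plaintext, and only then eval it into the current shell.
load_encrypted_env() {
  local decrypted
  decrypted=$(gpg -q --for-your-eyes-only --no-tty -d "$1") || return 1
  printf '%s\n' "$decrypted" | validate_env_exports || {
    echo "refusing to eval $1: unexpected content" >&2
    return 1
  }
  eval "$decrypted"
}
```

To share a file with coworkers, encrypt it to every recipient's key (gpg --encrypt --recipient <key-id> ... for each person); each of them can then decrypt the same .envrc.gpg with their own private key.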

So far it has worked really well for me.