At some point you may be interested in using encrypted environment variables in your app (not limited to Redwood). In our case, we hit the 4KB Vercel limit. Another reason could be easier distribution: you can send the encryption keys to the team once, rather than sending the entire .env file each time it's updated. You also get the perk of having changes tracked in version control. This can be super helpful for tracking down spooky “works on my machine” errors.
There are also many reasons why you shouldn’t do this. The primary one is that you’re creating a honeypot for attackers. If a mistake is made, or your crypto best practices are lacking, you risk having everything exposed. You should think carefully about whether this actually makes your devops more secure. I wouldn’t put anything of value in this file, like wallet private keys or mnemonics, and I would discourage using this method in a public repo.
That said, here’s a public demo repo which you can play around in! All suggestions are welcome.
TL;DR: environment variables are decrypted and injected immediately prior to runtime.
PS: Vercel’s “solution” in the link above is hot garbage. I can’t believe they actually recommend that.
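
One way the "decrypted and injected immediately prior to runtime" step can look in Node.js, as an added example that is not the demo repo's code. The AES-256-GCM cipher, the `iv | tag | ciphertext` blob layout, the 32-byte key and all function names are assumptions; the point is that decryption is authenticated, so a wrong key or a modified blob fails closed before anything is injected.

```javascript
// Added example: cipher choice, blob layout and names are assumptions, not the demo repo's code.
const crypto = require('node:crypto');

// Encrypt a .env-style string with AES-256-GCM. Output: base64(iv | tag | ciphertext).
function encryptEnv(plaintext, key) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt and authenticate; throws if the key is wrong or the blob was modified.
function decryptEnv(blob, key) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('encrypted env blob too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12),
    { authTagLength: 16 });
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Minimal KEY=VALUE parser: skips blank lines and comments, strips matching quotes.
function parseEnv(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (!m) continue;
    out[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2');
  }
  return out;
}

// Decrypt, then inject into the target env without overriding values already set.
function injectEnv(blob, key, target = process.env) {
  const vars = parseEnv(decryptEnv(blob, key));
  const injected = [];
  for (const [name, value] of Object.entries(vars)) {
    if (target[name] === undefined) { target[name] = value; injected.push(name); }
  }
  return injected; // variable names only, so callers can log them without leaking values
}

// Constructed sample data; a real key would come from the platform's secret settings.
const demoKey = crypto.randomBytes(32);
const demoBlob = encryptEnv(
  '# constructed sample\nAPI_URL="https://example.test"\nSESSION_SECRET=abc123\n', demoKey);
```

Only the encrypted blob belongs in version control; the key stays out of the repo and is supplied to the process separately.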