Encrypted Environment Variables

At some point you may be interested in using encrypted environment variables in your app (not limited to redwood). In our case, we hit the 4KB Vercel limit. Another reason could be easier distribution. You can send the encryption keys to the team once, rather than sending the entire .env file each time its updated. You also get the perk of having changes tracked in version control. This can be super helpful for tracking down spooky “works on my machine” errors.

There are also many reasons why you shouldn’t do this. The primary one is that you’re creating a honeypot for attackers. If a mistake is made, or your crypto best-practices are lacking, you risk having everything exposed. You should think carefully about whether this makes your devops actually more secure. I wouldn’t put anything of value in this file like wallet private keys or mnemonics, and I would discourage using this method in a public repo.

That said, here’s a public demo repo which you can play around in! Welcome to all suggestions.

TL;DR environment variables are decrypted and injected immediately prior to runtime

PS: Vercel’s “solution” in the link above is hot garbage. I can’t believe they actually recommend that.

1 Like

Thanks for this example repo, this isn’t something I need to do in any of my projects right now but in the past I’ve worked on a Redwood App with 20+ environment variables and holy crap was it a pain.

Could you elaborate a bit on what the issue is with the workaround suggested by Vercel? Just curious as an encryption noob. Also wondering if you have tried out Doppler or HashiCorp Vault? DT mentioned Doppler in the Discord and I liked it the one time I used it. Never tried Vault myself.

The issue with the vercel solution is asking people to 1) generate a “secret” on a random website, 2) encrypt all your private info on a different random website, and 3) create an api endpoint for decrypting things. None of these are ever good ideas.

The environment tools you mentioned can be used together with this method!