env-vault provides a convenient way to launch a program with environment variables populated from an encrypted file. Inspired by ansible-vault and envconsul.

Download and install using go get:

go get -u github.com/romantomjak/env-vault

or grab a binary from releases section!

env-vault allows to do pretty cool stuff like injecting secrets into docker-compose files, but in general use it like so:

env-vault <vault> <program>

The <program> argument is the executable that will be launched with environment variables from the encrypted file pointed to by <vault> argument.

env-vault takes advantage of a POSIX standard that uses -- to signify the end of command line options. Meaning that everything after that can get passed on to a sub-command. Use this one one weird trick to pass arguments to programs:

env-vault <vault> <program> -- <program-arg1> <program-arg2> <...>

This section describes how to use env-vault to safely store secrets and then pass them on to docker-compose.

Please note the POSTGRES_PASSWORD field that is set only as a key. This tells docker-compose to resolve the value on the machine on which the compose is running on.

services:
  db:
    image: postgres:13-alpine
    environment:
      - POSTGRES_USER=myproject
      - POSTGRES_PASSWORD

This is an encrypted file created with env-vault. Vaults are created with the create sub-command and can be viewed using the view sub-command. Let's create a vault named prod.env to hold our production secrets:

env-vault create prod.env

Running the command above will prompt for a new password and then open your favorite $EDITOR to input the environment variables. Let's add the POSTGRES_PASSWORD secret now:

POSTGRES_PASSWORD=passwordformyproject

Save the file and close your editor. env-vault will encrypt the plain text using AES256-GCM symmetrical encryption.

env-vault takes advantage of a POSIX standard that uses -- to signify the end of command line options. Meaning that everything after that can get passed on to a sub-command. Let's see how we can use that to decrypt secrets for docker-compose:

env-vault prod.env docker-compose -- up -d

It looks somewhat mad, but essentially env-vault will decrypt prod.env and expose found environment variables to docker-compose. The command would otherwise look like so:

docker-compose up -d

Now lets inspect the container to see that the POSTGRES_PASSWORD environment variable was successfully injected:

$ docker-compose exec db env | grep POSTGRES_PASSWORD
POSTGRES_PASSWORD=passwordformyproject

Wooo!!! 🚀

You can further ease the workflow by setting the ENV_VAULT_PASSWORD environment variable. env-vault will use it to decrypt vaults automatically and you won't get prompted for a password any time you interact with env-vault.

export ENV_VAULT_PASSWORD=somepassword

This works exceptionally well when docker-compose is used with Makefiles:

up:
	env-vault prod.env docker-compose -- up -d

so now you can run:

make up

and env-vault will take it from there to make it work automagically! ✨

You can contribute in many ways and not just by changing the code! If you have any ideas, just open an issue and tell me what you think.

Contributing code-wise - please fork the repository and submit a pull request.

MIT