Use dotenvx with Heroku
Find code examples for this guide on GitHub.
Initial setup
Add a Procfile to run your app.
# Procfile
web: node index.js
Install the necessary web server libraries in the language of your choice.
npm install express --save
Create a simple Hello World program.
// index.js
const express = require('express')
const app = express()
const PORT = process.env.PORT || 3000

app.get('/', (req, res) => {
  res.send(`Hello ${process.env.HELLO || ''}`)
})

app.listen(PORT, () => {
  console.log(`Server running on port:${PORT}`)
})
Commit to code and push to Heroku.
git commit -am "initial commit"
heroku create
git push heroku
Once deployed, your app will say 'Hello [blank]' as it doesn't have a way to access the environment variable yet. Let's do that next.
Run dotenvx
Install dotenvx via the dotenvx buildpack.
heroku buildpacks:add https://github.com/dotenvx/heroku-buildpack-dotenvx
Update your Procfile to use dotenvx.
# Procfile
web: dotenvx run -- node index.js
Add production environment
Create .env.production in the root of your project.
# .env.production
HELLO="production"
Encrypt production
dotenvx encrypt -f .env.production
Your .env.production file is now encrypted, and you have a .env.keys file.
.env.production
#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
#/ public-key encryption for .env files /
#/ [how it works](https://dotenvx.com/encryption) /
#/----------------------------------------------------------/
DOTENV_PUBLIC_KEY_PRODUCTION="025a54defaeff32caa2bbe60537b88b5b89716eade6df08418d7a68f5c4f742be6"
# .env.production
HELLO="encrypted:BD+uttK9iBuXnfx6HukDK06IGk0pQARwivtxM+ZiePvhRxHyQL3UD0sf0ayLw/P5Y/BED//zRiTlUf6nENuu7QhNJ24g3uADfrDfhvYi/MOHjmfKyRiu+yOxSw6e+c0yRNukS+n8SxONnec="
.env.keys
#/------------------!DOTENV_PRIVATE_KEYS!-------------------/
#/ private decryption keys. DO NOT commit to source control /
#/ [how it works](https://dotenvx.com/encryption) /
#/----------------------------------------------------------/
# .env.production
DOTENV_PRIVATE_KEY_PRODUCTION="424d0ea072eb17c6bee9b4b42ff6333513cf128ea3d5d60ccf79246ca7c3f786"
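You SHOULD commit .env.production to code. It is now encrypted, so committing it is safe and recommended. But DO NOT commit .env.keys to code: anyone holding DOTENV_PRIVATE_KEY_PRODUCTION can decrypt every value in .env.production. Add .env.keys to .gitignore and keep the keys somewhere safe like 1Password or dotenvx ops.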
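A check for the rule above that can run before a commit, as an added example that is not part of the dotenvx guide or project code: it flags any DOTENV_PRIVATE_KEY entry and any value that is not `encrypted:` ciphertext. The function names and sample inputs are constructed here, and it assumes single-line KEY=value entries laid out like the files shown above.

```javascript
// Added example, not dotenvx code. Assumes the layout shown above: ciphertext values
// start with "encrypted:" and key entries are named DOTENV_PUBLIC_KEY* / DOTENV_PRIVATE_KEY*.

// Parse single-line KEY=value entries; comments, banners and blank lines are skipped.
function parseEnv(text) {
  const entries = []
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.trim().match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/)
    if (!m) continue
    const quoted = m[2].match(/^(["'])(.*)\1$/) // strip one pair of matching quotes
    entries.push({ key: m[1], value: quoted ? quoted[2] : m[2] })
  }
  return entries
}

// Return one finding per entry that should block a commit of this file.
function auditEnv(name, text) {
  const findings = []
  for (const { key, value } of parseEnv(text)) {
    if (key.startsWith('DOTENV_PRIVATE_KEY')) {
      findings.push(`${name}: ${key} is a private decryption key`)
    } else if (!key.startsWith('DOTENV_PUBLIC_KEY') && !value.startsWith('encrypted:')) {
      findings.push(`${name}: ${key} is stored in plaintext`)
    }
  }
  return findings
}

// Constructed sample inputs (not real keys or ciphertext).
const SAMPLE_OK = '#/ banner /\nDOTENV_PUBLIC_KEY_PRODUCTION="02constructed"\n\n# .env.production\nHELLO="encrypted:Q09OU1RSVUNURUQ="'
const SAMPLE_MIXED = SAMPLE_OK + "\nAPI_TOKEN='constructed-plaintext'"
const SAMPLE_KEYS = '# .env.production\nDOTENV_PRIVATE_KEY_PRODUCTION="constructed-not-a-key"'

const files = process.argv.slice(2)
if (files.length === 0) {
  // No arguments: print the findings for the constructed samples.
  console.log(auditEnv('ok', SAMPLE_OK), auditEnv('mixed', SAMPLE_MIXED), auditEnv('keys', SAMPLE_KEYS))
} else {
  // With arguments: audit those files and exit non-zero on any finding.
  import('node:fs').then(({ readFileSync }) => {
    const findings = files.flatMap((f) => auditEnv(f, readFileSync(f, 'utf8')))
    findings.forEach((f) => console.error(f))
    if (findings.length) process.exitCode = 1
  })
}
```

Saved under a hypothetical name such as audit-env.js, it can be called from a pre-commit hook with the staged .env files as arguments.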
We're ready to inject the encrypted .env.production secrets into the app on boot.
Set decryption key
Set DOTENV_PRIVATE_KEY_PRODUCTION on Heroku using the production key in your .env.keys file. We'll use the Heroku CLI, but you can also use their dashboard.
heroku config:set DOTENV_PRIVATE_KEY_PRODUCTION='424d0ea072eb17c6bee9b4b42ff6333513cf128ea3d5d60ccf79246ca7c3f786'
Redeploy.
git push heroku
Your app restarts and env is successfully injected using the encrypted contents of .env.production.
heroku[web.1]: Starting process with command `dotenvx run -- node index.js`
app[web.1]: [[email protected]] injecting env (2) from .env.production
app[web.1]: Server running on port:7521/
Visit your URL and it says Hello production.
You successfully added encryption to your .env files. This is safer than scattering your secrets across third-party platforms and tools. When you need to update a secret, run dotenvx set KEY value and redeploy.
Great job! That's pretty much it. See the bonus section(s) below to go a little deeper.
Bonus
Try changing the value of HELLO in .env.production to your name.
dotenvx set HELLO Mot -f .env.production
Commit .env.production safely to code and redeploy.