Use dotenvx with Digital Ocean
Use dotenvx with Digital Ocean
Find code examples for this guide on GitHub.
Initial setup
Install the necessary web server libraries in the language of your choice.
npm install express --save
Create a simple Hello World program.
// index.js
const express = require('express')
const app = express()
const PORT = process.env.PORT || 3000
app.get('/', (req, res) => {
res.send(`Hello ${process.env.HELLO || ''}`)
})
app.listen(PORT, () => {
console.log(`Server running on port:${PORT}`)
})
Create a Dockerfile.
# Dockerfile
FROM node:20
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["node", "index.js"]
Create .dockerignore.
.dockerignore
# .dockerignore
.env.keys
Build and run it with Docker.
docker build -t app . && docker run -it --init --rm -p 3000:3000 app
Once deployed, your app will say 'Hello [blank]' as it doesn't have a way to access the environment variable yet. Let's do that next.
Digital Ocean has multiple ways to deploy your code – from old school droplets, to Kube, to their app platform. It is too much for us to document here, so please refer to their documentation. This guide will assume you are using Docker with Digital Ocean (most common) and give examples in that context.
Run dotenvx
Install dotenvx to your Dockerfile and prepend your app command with dotenvx run --.
# Dockerfile
FROM node:20
WORKDIR /app
# Install dotenvx
RUN curl -fsS https://dotenvx.sh/ | sh
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
# Prepend dotenvx run
CMD ["dotenvx", "run", "--", "node", "index.js"]
Add production environment
Create a .env.production file in the root of your project.
# .env.production
HELLO="production"
Encrypt production
dotenvx set HELLO production -f .env.production --encrypt
Your .env.production file is now encrypted, and you have a .env.keys file.
.env.production
#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
#/ public-key encryption for .env files /
#/ [how it works](https://dotenvx.com/encryption) /
#/----------------------------------------------------------/
DOTENV_PUBLIC_KEY_PRODUCTION="0354d5293e40f78b8b44d6b5ded92719ef99d119a79093d6babd0ef9e80a9a7667"
# .env.production
HELLO="encrypted:BGo+chylmSbkHeDsn9gPy5LYvYUUpTstaUr8hDU0lgp4ssyH2MXav43ww+B3WNaYLZQpJdJdJ2F8qLbV4vDolF42ETQFu/xxhKA2/MRxiC/Vd1s/DMDjm9RSHOCQ5YHywLrUY9UySesbn58="
.env.keys
#/------------------!DOTENV_PRIVATE_KEYS!-------------------/
#/ private decryption keys. DO NOT commit to source control /
#/ [how it works](https://dotenvx.com/encryption) /
#/----------------------------------------------------------/
# .env.production
DOTENV_PRIVATE_KEY_PRODUCTION="3c54363a4a678042d298660e2038df68aaa4a9383048d913d0e6db15e137020d"
You SHOULD commit .env.production to code. It is now encrypted, safe, and recommended to do so. But DO NOT commit .env.keys to code. Keep them somewhere safe like 1Password.
We're ready to inject the encrypted .env.production secrets into Docker run.
Set decryption key
Set DOTENV_PRIVATE_KEY_PRODUCTION on Docker using the production key in your .env.keys file.
docker build -t app . && docker run -e "DOTENV_PRIVATE_KEY_PRODUCTION=3c54363a4a678042d298660e2038df68aaa4a9383048d913d0e6db15e137020d" -it --init --rm -p 3000:3000 app
Your docker instance starts and env is successfully injected using the encrypted contents of .env.production.
[[email protected]] injecting env (2) from .env.production
Server running on port:3000
For Digital Ocean, do the same. Set your DOTENV_PRIVATE_KEY_PRODUCTION in the environment variable manager.
Visit your url and it says Hello production.
You succesfully add encryption to your .env files. This is safer than scattering your secrets across third-party platforms and tools. When you need to update a secret, run dotenvx set KEY value --encrypt and redeploy.
Great job! That's pretty much it. See the bonus section(s) below to go a little deeper.
Bonus
Try changing the value of .env.production to your name.
dotenvx set HELLO Mot --encrypt
Commit .env.production safely to code and re-run your Docker container.
