Integrate EnvKey with your Ruby or Ruby On Rails projects to keep api keys, credentials, and other configuration securely and automatically in sync for developers and servers.
Now that EnvKey v2 has been released, you can find version 2 of this gem in a subdirectory of the EnvKey v2 monorepo. Using v2 requires an EnvKey v2 organization (it won't work with ENVKEYs generated in a v1 org).
Here's a guide on migrating from v1 to v2.
To continue using version 1 of this gem, make sure you specify ~> 1.0.0
in your Gemfile so that you don't accidentally install v2.
In your Gemfile:
gem 'envkey', '~> 1.0.0'
If you're using Rails, that's all you need. In plain Ruby, you need to require envkey at the entry point of your application.
require 'envkey'
Generate an ENVKEY
in the EnvKey App. Then set ENVKEY=...
, either in a gitignored .env
file in the root of your project (in development) or in an environment variable (on servers).
Now all your EnvKey variables will be available on ENV
.
The gem will throw an error if an ENVKEY
is missing or invalid.
Assume you have STRIPE_SECRET_KEY
set to sk_test_2a33b045e998d2ef60c7861d2ac22ea8
for the development
environment in the EnvKey App. You generate a local development ENVKEY
.
In your project's gitignored .env
file:
# .env
ENVKEY=GsL8zC74DWchdpvssa9z-nk7humd7hJmAqNoA
In config/initializers/stripe.rb
:
Stripe.api_key = ENV.fetch("STRIPE_SECRET_KEY")
Now STRIPE_SECRET_KEY
will stay automatically in sync for all the developers on your team.
For a server, generate a server ENVKEY
in the EnvKey App, then set the ENVKEY
as an environment variable instead of putting it in a .env
file.
Now your servers will stay in sync as well. If you need to rotate your STRIPE_SECRET_KEY
you can do it in a few seconds in the EnvKey App, restart your servers, and you're good to go. All your team's developers and all your servers will have the new value.
The envkey gem will not overwrite existing environment variables or additional variables set in a .env
file. This can be convenient for customizing environments that otherwise share the same configuration. You can also use sub-environments in the EnvKey app for this purpose.
The envkey gem caches your encrypted config in development so that you can still use it while offline. Your config will still be available (though possibly not up-to-date) the next time you lose your internet connection. If you do have a connection available, envkey will always load the latest config. Your cached encrypted config is stored in $HOME/.envkey/cache
For caching purposes, the gem assumes you're in development mode if either ENV["RAILS_ENV"]
or ENV["RACK_ENV"]
is "development"
or "test"
. If you aren't using Rails or Rack, then it's assumed you're in development mode when a .env
file exists in the root of your project.
If you look in the ext
directory of this gem, you'll find a number of envkey-fetch
binaries for various platforms and architectures. These are output by the envkey-fetch Go library. It contains EnvKey's core cross-platform fetching, decryption, verification, web of trust, redundancy, and caching logic. It is completely open source.
On a stripped down OS like Alpine Linux, you may get an x509: certificate signed by unknown authority
error when the envkey gem attempts to load your config. envkey-fetch tries to handle this by including its own set of trusted CAs via gocertifi, but if you're getting this error anyway, you can fix it by ensuring that the ca-certificates
dependency is installed. On Alpine you'll want to run:
apk add --no-cache ca-certificates
For more on EnvKey in general:
Read the docs.
Read the integration quickstart.
Read the security and cryptography overview.
Post an issue or email us: [email protected].