Safely commit your encrypted secrets to git, no more .env files!

How it works

Strong Config uses sops to encrypt your secrets with strong cryptography. Every config value whose key has the suffix Secret will be encrypted by the CLI command strong-config encrypt:

  # will NOT by encrypted, it's just a normal config value
  # WILL be encrypted because it has the 'Secret' suffix
  apiSecret: super-duper-secret-key

  # WILL also be encrypted, you get the idea :)
  anotherSecret: please-dont-tell-anybody

How to encrypt

To encrypt anything, you will need an encryption key. Sops supports PGP, AWS KMS, Google Cloud KMS, and Azure Key Vault as key providers. Each of which we will demonstrate below ⬇️

Encrypt with PGP

<aside> 🚨 PGP is great if you just want to try out encryption or have a very simple use case. However, we recommend against using PGP for for production-level use or when working in a team because it's easier to use one of the cloud KMS systems below. Managing PGP keys among multiple people can get complicated very fast.


Encrypt with AWS KMS

For this walk-through, we will use the AWS console to create our test key (if you prefer the terminal, you can also use the AWS CLI to create and manage keys).