Secrets don't belong in your repository, but sometimes they are too large or unwieldy for environment variables. This provides a simple way to securely drop a bundle of files into your Heroku application on deploy.
This is experimental and not 12-Factor compliant.
- Tar-Gzip your secrets
    cd secrets/ && tar -c * | gzip > ../secrets.tar.gz
- Encrypt with OpenSSL AES-256-CBC
    openssl enc -aes-256-cbc -salt -in secrets.tar.gz -out secrets.tar.gz.enc
- Host it somewhere (Dropbox public folder is an easy option)
- Set SECRET_BUNDLE_URL and SECRET_BUNDLE_PASSPHRASE accordingly
- Add the buildpack to your Heroku app
    heroku buildpacks:add -i 1 https://github.com/getflywheel/heroku-buildpack-secrets-bundle
- Deploy your app to Heroku
- Your app should now have a secrets/ directory to use
After you deploy once with a secrets bundle, you can clear SECRET_BUNDLE_URL and SECRET_BUNDLE_PASSPHRASE and it will still load the secrets from cache. If you want to replace the cache, just set them again and it will overwrite.
If you want to completely flush your cache, set SECRET_BUNDLE_URL to DELETE and run a deploy.
The heroku-18 stack uses OpenSSL 1.1.0, which is incompatible with previous encryption versions. If you are on an older stack (cedar-14, heroku-16), please use the legacy branch.
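The packaging and encryption steps above, together with the OpenSSL version note, can be checked locally before the bundle is hosted. The script below is an added example, not the buildpack's own code: the helper names make_bundle and bundle_decrypts_with are hypothetical, the sample files are constructed, and it assumes the stack decrypts with its OpenSSL default digest, which is why the digest is pinned with -md at encryption time.

```shell
#!/bin/sh
# Added example, not the buildpack's code. Helper names are hypothetical.
# DIGEST pins the key-derivation hash instead of relying on the local default
# (MD5 before OpenSSL 1.1.0, SHA-256 from 1.1.0 on).
DIGEST=sha256

# make_bundle <secrets-dir> <prefix>: writes <prefix>.tar.gz and <prefix>.tar.gz.enc
make_bundle() {
    ( cd "$1" && tar -cf - * | gzip ) > "$2.tar.gz" || return 1
    # The passphrase is read from the environment, so it never appears in argv.
    # stderr is silenced: newer OpenSSL prints a key-derivation warning here.
    openssl enc -aes-256-cbc -salt -md "$DIGEST" \
        -pass env:SECRET_BUNDLE_PASSPHRASE \
        -in "$2.tar.gz" -out "$2.tar.gz.enc" 2>/dev/null
}

# bundle_decrypts_with <digest> <prefix>: succeeds only if decrypting with that
# digest reproduces the original tarball byte for byte. Comparing bytes matters
# because a wrong key can occasionally pass the padding check and emit garbage.
bundle_decrypts_with() {
    tmp=$(mktemp) || return 1
    openssl enc -d -aes-256-cbc -md "$1" -pass env:SECRET_BUNDLE_PASSPHRASE \
        -in "$2.tar.gz.enc" -out "$tmp" 2>/dev/null && cmp -s "$tmp" "$2.tar.gz"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample input: a throwaway directory with two fake secret files.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
mkdir "$work/secrets"
echo "constructed-api-key" > "$work/secrets/api.key"
echo "constructed-cert" > "$work/secrets/client.pem"
export SECRET_BUNDLE_PASSPHRASE="constructed-passphrase"

make_bundle "$work/secrets" "$work/secrets" || exit 1

if bundle_decrypts_with sha256 "$work/secrets"; then
    echo "sha256: round trip OK"
fi
if ! bundle_decrypts_with md5 "$work/secrets"; then
    echo "md5: bundle does not decrypt (digest mismatch)"
fi
```

A bundle encrypted with one digest and decrypted with the other fails in exactly this way, which is the incompatibility the stack note describes.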