SSE is a highly-opinionated, platform-agnostic tool for managing secret environment variables.
Secrets are saved in an encrypted TOML file that is safe to check into version control. Only the master.key file is required to decrypt and edit it. Multiple environments are supported; development is the default.
SSE draws inspiration from Rails credentials and SOPS. It uses age for encryption.
It's a single-file executable with no external dependencies, so it's easy to integrate with development, build, and deployment environments.
Download the latest release and place the binary somewhere accessible by your PATH, probably /usr/local/bin.
The SSE_MASTER_KEY environment variable takes precedence over the master.key file for decryption operations. This is useful for CI/CD environments where you may not want to store the master.key file directly.
Only the private key is needed for decryption, so for deployments you can set SSE_MASTER_KEY=$(sse private).
    eval "$(sse load)"

    ENV SSE_VERSION=0.1.1
    RUN wget "https://github.com/schrockwell/sse/releases/download/v${SSE_VERSION}/sse-linux-amd64.tar.gz" -O /tmp/sse.tar.gz && \
        tar -xzf /tmp/sse.tar.gz -C /usr/local/bin/ && \
        rm /tmp/sse.tar.gz
    COPY env.toml ./
    ENTRYPOINT ["/app/bin/entrypoint"]
    CMD ["/app/bin/server"]

    #! /bin/bash
    eval "$(sse load production)"
    exec "$@"

    SSE_MASTER_KEY="$(sse private)"

    #! /bin/bash
    kamal app exec "sse with production -- /app/bin/migrate"

    env:
      secret:
        - SSE_MASTER_KEY

If you're tired of squinting at random base-64 strings to see if your environment variables are consistent across environments, try sse analyze.
    $ sse analyze
    Missing keys:
      DATABASE_URL is not set in: development
    Equal values:
      AWS_HOST is equal in: development, production
      AWS_REGION is equal in: development, production
      GEOCODING_API_KEY is equal in: development, production
      PUSHOVER_APP_TOKEN is equal in: development, production
      PUSHOVER_USER_KEY is equal in: development, production
    Unique values:
      ADMIN_PASSWORD
      AWS_ACCESS_KEY_ID
      AWS_SECRET_ACCESS_KEY
      S3_ASSET_HOST
      S3_BUCKET
      SECRET_KEY_BASE

Run sse help [command] for details.
    $ sse help
    Stupidly Simple Environments (sse) manages encrypted environment variables
    for small projects using age encryption.

    Files:
      master.key - age keypair (add to .gitignore)
      env.toml - environment file with encrypted values (safe to commit)

    The env.toml file contains sections for each environment:

      [development]
      API_KEY = "ENC[...]"

      [production]
      API_KEY = "ENC[...]"

    Keys are human-readable, only values are encrypted.

    Usage:
      sse [command]

    Available Commands:
      completion  Generate the autocompletion script for the specified shell
      edit        Edit env.toml
      help        Help about any command
      init        Initialize a new project
      load        Export variables to current shell
      private     Print the private key from master.key
      public      Print the public key from master.key
      show        Print decrypted env.toml
      with        Run a command with decrypted environment

    Flags:
      -h, --help      help for sse
      -v, --version   version for sse

    Use "sse [command] --help" for more information about a command.
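
Added example, not part of the sse project: a fail-closed version of the entrypoint's eval "$(sse load production)" step. eval returns success even when the command substitution inside it fails, so the plain form goes on to exec the server without its secrets. The function name load_sse_env and its return codes are hypothetical, and the code assumes that sse load prints shell code meant for eval, that it exits non-zero when it cannot decrypt, and that master.key is looked up in the working directory.

```shell
# Added example (not from the sse project): fail-closed secret loading.
# Assumptions: `sse load ENV` prints shell code for eval and exits non-zero
# on failure; master.key, when used, sits in the current directory.

# load_sse_env ENVIRONMENT
# Returns 0 only when a key source exists, sse succeeded, and its output
# was evaluated. Otherwise prints a reason to stderr and returns non-zero.
load_sse_env() {
  local environment="${1:-development}" exports

  # SSE_MASTER_KEY takes precedence over master.key; require one of them.
  if [ -z "${SSE_MASTER_KEY:-}" ] && [ ! -r master.key ]; then
    echo "sse: no SSE_MASTER_KEY and no readable master.key" >&2
    return 2
  fi

  # Capture first: `eval "$(cmd)"` hides cmd's exit status, because
  # eval of an empty string succeeds even when cmd failed.
  if ! exports="$(sse load "$environment")"; then
    echo "sse: could not load the '$environment' environment" >&2
    return 3
  fi

  # Empty output means nothing was decrypted. Treat it as a failure
  # instead of starting the service without its secrets.
  if [ -z "$exports" ]; then
    echo "sse: '$environment' produced no variables" >&2
    return 4
  fi

  eval "$exports"
}

# Entrypoint usage (kept as a comment so this file can be sourced safely):
#   load_sse_env production || exit 1
#   exec "$@"
```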
