Add support for encrypted environment variables

Allow users to encrypt environmental variables in their yaml configuration so they can still feel comfortable keeping them in version control. Would decrypt values transparently with a chosen environmental variable (like FIG_CRYPT_KEY) and provide users a helper command to generate encrypted values.

Only downside is you have to add pycrypto as a dependency.

[danielwegener]

Would it really be useful to share a fig file that only you can use? Why don't you just use environment keys (see http://www.fig.sh/yml.html#environment) and export the secrets on your host environment in the first place? 👎

[cpuguy83]

Yes, this doesn't seem all that helpful.
You can even encrypt the values and decrypt once in the container.

Other people on my team can use it, they just need to know the password. Environment files doesn't solve my problem of distributing secrets to my team members. I agree I can decrypt them in the container but then I need to do run-time munging of config files or write that facility into all my applications.

[pwaller]

At @scraperwiki we solve this using direnv and secret-tool which is a part of libsecret (part of libsecret-tools in debian).

That way, to get the secrets in your environment, you just cd to your project and unlock your keyring.

In your .envrc, you put this:

export SECRET=$(secret-tool lookup projectName SECRET)

You can equally well substitute secret-tool for a keyring manager of your choice.

[pwaller]

There is also #1534 which can possibly supersede this issue.

[dnephin]

Ya, I don't think compose should be responsible for any encryption or decryption (it's outside the scope of the problem compose is solving).

The above comments outline some good ways to handle this without compose being involved. env_file, environment keys with no values (so the value is read from the host), or environment variable interpolation in the config are all available to solve the problem.

[pwaller]

moby/moby#13490 (still open for now) is also an eye opener. There are even some issues with using the environment for secrets that I wasn't aware of.