Security Concern regarding env file in codebase

Shreyansh Jain

Jul 11, 2024, 5:28:28 AM
to Cloud Carbon Footprint
Hi Team, 

The environment file in the CCF Codebase has all the Secrets required to connect with various clouds, in plain text. 

But that for sure cannot be the case in production as we would want to use some kind of encryption/security/cloud vault to secure the secrets present in .env file on production.

Is there any way or something which we have planned to deploy these secrets in production securely and use them for calculations in code?

Please let me know if you have any thoughts/info for this scenario.

Thanks,
Shreyansh Jain

Cloud Carbon Footprint

Jul 11, 2024, 12:48:57 PM
to Cloud Carbon Footprint
Hello Shreyansh,

The .env file is a default we provide in order to allow the application to properly run. It also acts as a starting point to enable running the application locally. However, the means by which environment variables are loaded can substitute the existence of the .env file in a production environment. For example, you can use all of the native secrets managers provided by your cloud provider. As long as you have authorization for the vault, have properly configured it with the instance host, and match the naming conventions of the environment variables, the secrets should be securely accessible. 

Please feel free to reach out if you have any questions.

Thanks, 
Cloud Carbon Footprint Team
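
The approach described in the reply above, as an added example that is not part of the thread or of Cloud Carbon Footprint's code: at startup, a payload fetched from a secrets manager is copied into the process environment under the names the application reads, so no .env file is needed on the host. The variable names, `SAMPLE_PAYLOAD` and `applySecrets` are hypothetical, and the payload is constructed.

```javascript
// Added example, not Cloud Carbon Footprint code. The variable names are
// hypothetical placeholders; use the names from the project's .env template.
const REQUIRED = ['EXAMPLE_CLOUD_ACCESS_KEY', 'EXAMPLE_CLOUD_SECRET_KEY'];

// Constructed sample of what a secrets manager returns for one secret stored
// as a JSON object of name/value pairs. In a real deployment this string comes
// from the provider's SDK, authorized by the instance's own identity.
const SAMPLE_PAYLOAD = JSON.stringify({
  EXAMPLE_CLOUD_ACCESS_KEY: 'constructed-access-key',
  EXAMPLE_CLOUD_SECRET_KEY: 'constructed-secret-key',
  'bad name': 'ignored',
});

// Copy vault entries into `env` under the exact names the application reads.
// Values are never written to disk or logged; only names are reported.
function applySecrets(payloadJson, required, env) {
  const entries = JSON.parse(payloadJson);
  const loaded = [];
  const rejected = [];
  for (const [name, value] of Object.entries(entries)) {
    // Accept only conventional environment variable names with string values.
    if (!/^[A-Z_][A-Z0-9_]*$/.test(name) || typeof value !== 'string') {
      rejected.push(name);
      continue;
    }
    // Design choice of this example: a value already set by the platform
    // takes precedence over the vault copy.
    if (env[name] === undefined) {
      env[name] = value;
      loaded.push(name);
    }
  }
  // Fail closed at startup instead of running with partial credentials.
  const missing = required.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`missing required secrets: ${missing.join(', ')}`);
  }
  return { loaded, rejected };
}

// Usage at process start, before the application reads its configuration:
//   applySecrets(payloadFromSecretsManager, REQUIRED, process.env);
```
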
