Real-world examples and use cases
// index.js
// IMPORTANT: Load env-lock BEFORE other modules
require('@oxog/env-lock').config();
// Now you can safely use environment variables
const express = require('express');
const app = express();
const PORT = process.env.PORT || 3000;
const DATABASE_URL = process.env.DATABASE_URL;
const API_KEY = process.env.API_KEY;
app.get('/health', (req, res) => {
res.json({
status: 'healthy',
database: !!DATABASE_URL,
apiKey: !!API_KEY
});
});
app.listen(PORT, () => {
console.log(`Server running on port ${PORT}`);
});// app.js
require('@oxog/env-lock').config();
const express = require('express');
const helmet = require('helmet');
const cors = require('cors');
const app = express();
// Middleware
app.use(helmet());
app.use(cors());
app.use(express.json());
// Database connection
const db = require('./database');
db.connect(process.env.DATABASE_URL)
.then(() => console.log('Database connected'))
.catch(err => console.error('Database error:', err));
// Routes
app.get('/api/data', async (req, res) => {
// Use API key from encrypted env
const data = await fetch('https://api.example.com/data', {
headers: {
'Authorization': `Bearer ${process.env.API_KEY}`
}
});
res.json(await data.json());
});
// Start server
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
console.log(`Server running on ${PORT}`);
});FROM node:18-alpine
WORKDIR /app
# Copy package files
COPY package*.json ./
# Install dependencies
RUN npm ci --only=production
# Copy application code and encrypted .env.lock
COPY . .
# The OXOG_ENV_KEY will be passed at runtime
EXPOSE 3000
CMD ["node", "index.js"]version: '3.8'
services:
app:
build: .
ports:
- "3000:3000"
environment:
# Pass the encryption key
OXOG_ENV_KEY: ${OXOG_ENV_KEY}
NODE_ENV: production
volumes:
- ./logs:/app/logs
restart: unless-stopped
depends_on:
- database
- redis
database:
image: postgres:14-alpine
environment:
POSTGRES_USER: ${DB_USER:-postgres}
POSTGRES_PASSWORD: ${DB_PASSWORD:-postgres}
POSTGRES_DB: ${DB_NAME:-myapp}
volumes:
- postgres_data:/var/lib/postgresql/data
redis:
image: redis:7-alpine
restart: unless-stopped
volumes:
postgres_data:# Create .env file with the key (DON'T commit this!)
echo "OXOG_ENV_KEY=your_key_here" > .env
# Build and start services
docker-compose up -d
# View logs
docker-compose logs -f app
# Stop services
docker-compose downname: Deploy
on:
push:
branches: [main]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm test
env:
# Encryption key from GitHub Secrets
OXOG_ENV_KEY: ${{ secrets.OXOG_ENV_KEY }}
deploy:
needs: test
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v3
- name: Deploy to production
run: |
# Your deployment script
npm run deploy
env:
OXOG_ENV_KEY: ${{ secrets.OXOG_ENV_KEY }}Setup: Add OXOG_ENV_KEY to GitHub repository secrets (Settings → Secrets and variables → Actions → New repository secret)
// config.js
const envLock = require('@oxog/env-lock');
// Determine environment
const env = process.env.NODE_ENV || 'development';
// Load appropriate encrypted file
const envFile = `.env.${env}.lock`;
envLock.config({
path: envFile,
silent: false
});
console.log(`Loaded ${env} environment`);
module.exports = {
port: process.env.PORT,
database: process.env.DATABASE_URL,
apiKey: process.env.API_KEY,
environment: env
};.env.development.lock # Encrypted dev variables
.env.staging.lock # Encrypted staging variables
.env.production.lock # Encrypted production variablesEach environment has its own encryption key stored securely in the deployment environment.
apiVersion: v1
kind: Secret
metadata:
name: env-encryption-key
type: Opaque
stringData:
OXOG_ENV_KEY: "your_encryption_key_here"apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
replicas: 3
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: myapp
image: myapp:latest
ports:
- containerPort: 3000
env:
- name: OXOG_ENV_KEY
valueFrom:
secretKeyRef:
name: env-encryption-key
key: OXOG_ENV_KEY
- name: NODE_ENV
value: "production"# Create the secret
kubectl create secret generic env-encryption-key \
--from-literal=OXOG_ENV_KEY=your_key_here
# Apply deployment
kubectl apply -f deployment.yaml
# Check pods
kubectl get pods
# View logs
kubectl logs -f deployment/myappconst envLock = require('@oxog/env-lock');
// Generate a new key
const key = envLock.generateKey();
console.log('Generated key:', key);
// Encrypt data directly
const plaintext = 'DATABASE_URL=postgresql://...\nAPI_KEY=sk_test_123';
const encrypted = envLock.encrypt(plaintext, key);
console.log('Encrypted:', encrypted);
// Decrypt data
const decrypted = envLock.decrypt(encrypted, key);
console.log('Decrypted:', decrypted);
// Parse .env content
const parsed = envLock.parse(plaintext);
console.log('Parsed:', parsed);
// { DATABASE_URL: 'postgresql://...', API_KEY: 'sk_test_123' }
// Stringify object
const obj = { DATABASE_URL: 'postgresql://...', API_KEY: 'sk_test_123' };
const content = envLock.stringify(obj);
console.log('Stringified:', content);// Old way
require('dotenv').config();
// .env file (NOT safe in git!)
DATABASE_URL=postgresql://...
API_KEY=sk_live_secret123
STRIPE_KEY=sk_live_xyz// New way - same API!
require('@oxog/env-lock').config();
// .env.lock file (SAFE in git!)
abc123...def456 (encrypted data)
// Key stored securely
OXOG_ENV_KEY=your_keynpm install @oxog/env-locknpx env-lock generate-keynpx env-lock encrypt --key YOUR_KEYrequire('dotenv') with require('@oxog/env-lock')It's encrypted and safe for version control
Never commit OXOG_ENV_KEY to git
Separate keys for dev, staging, production
Generate new keys and re-encrypt regularly