DEV Community

Cover image for Protecting and syncing secret keys
Zell Liew 🤗
Zell Liew 🤗

Posted on

Protecting and syncing secret keys

You should never expose API keys or secrets. If you expose them, you might get into trouble. Once, I had to almost had to pay an excessive amount because my friend leaked my Amazon API key by accident.

What's the amount? I can't remember, but I think somewhere between $20,000 to $60,000. Thankfully, Amazon waived the charges.

It's big trouble if you expose your API keys. So don't expose them.

The best way to protect your API keys is to use environment variables.

Setting environment variables

An environment variable is a variable that's set outside of the code you're running. Environment variables can be set on a Machine level.

If you use Bash, you can set environment variables in .bash_profile. If you use ZSH, you can set environment variables in .zshrc.

# Exports a variable called helloworld
export helloworld="Hello world!"

After setting the environment variable, update your shell. You can do this by:

  1. Running source on the file you changed. (like source ~/.zshrc)
  2. Restarting the terminal

Either way works.

After you sourced the file (or restarted the terminal), type echo $helloworld in your Terminal. You should see this:

echo $helloworld

Echoing the environment variable.

Using environment variables

In Node, you can use the environment variable by writing process.env.VARIABLE_NAME.

// This is located in a Node file called server.js
const variable = process.env.helloworld;

Terminal shows Hello world! when we run the server.js file.></figure><br>
  <a name=

A better way to use environment variables

It can be a hassle to setup environment variables on your computer, on the server, and on computers for all your team members.

The easy way to sync environment variables across all computers is to use a dotenv.

Setting up dotenv

First, you'll need to install dotenv from npm:

npm install dotenv --save

dotenv lets you save environment variables into a .env file. I like to put this .env file in the secrets folder. This can go along with all my secret files (like gcreds.json).

Placed the variables.env file in the secrets folder.

Here's the syntax to create an environment variable in a .env file. (Note: DO NOT write the export keyword!).

# Creates a environment variable called "variable".


helloworld="Hello world!"

Using variables from dotenv

First, you need to load the .env file. If you placed .env in ./secrets, you can load the .env file this way:

const dotenv = require("dotenv").config({
  path: "./secrets/.env"

Then, you use the environment variable like before:

const variable = process.env.helloworld;

Logged helloworld environment variable in the console.

Syncing the .env file into the server

You can use rsync to sync the .env file into your server. (I use Digital Ocean if you're curious. Use this link to get \$50 credit).

To use rsync, you can run a command like this:

rsync -avzr ./secrets/ user@host:/path-to-destination

This command syncs everything in the ./secrets folder into your destination folder. In the example above, I had a greds.json file. This gcreds.json file gets synced as well.

Unfortunately, you need to enter user and host into the rsync command. This means the user and hostname of your server gets exposed (if you synced the command).

A better way is to run rsync in Node.

Node Rsync

First, you need to install rsync from npm:

npm install rsync --save-dev

Then, you need to require rsync.

const Rsync = require("rsync");

Then, you create an rsync object with the options you want to include. Here's what I use:

const rsync = new Rsync()
  .shell("ssh") // Tells rsync to use SSH
  .set("stats") // Tells rysnc to display stats from the
  .flags("avz") // Tells rsync to use `a`, `v`, and `z` options. (Archive, Verbose, and Compress).
  .flags("n") // This is for dryrun. Test before syncing! :)
  .source("./secrets") // The folder you want to sync
  ); // The destination

Notice I used SSH_USER and SSH_HOST environment variables in the rsyrc object? This allows me to access the server on any computer via SSH. (Provided the computer has a valid SSH private key).

This also means I need to include dotenv before rsync.

const dotenv = require("dotenv").config({
  path: "./secrets/.env"
const rsync = new Rsync();
// ...

After setting up the rsync object, you can pipe the outputs from rsync into the terminal. You can do it with this command.

Note: You only do this if you want to see the results from rsync in your terminal.

  function(data) {
    // do things like parse progress
    const string = Buffer.from(data).toString();
  function(data) {
    // do things like parse error output

Finally, you execute rsync with this:

// Execute the command
rsync.execute(function(error, code, cmd) {
  if (error) console.error(error);

I put all the code above into a file called sync.js. When I want to sync my secrets, I run this sync.js file.

node sync.js

To make things easier for me, I put this command as a script in my package.json file.

"scripts": {
  "sync": "node sync.js"

Updating environment variables

dotenv does not overwrite environment variables that are already set. If you need to overwrite environment variables, you can run this code:

const Rsync = require("rsync");
const fs = require("fs");
const dotenv = require("dotenv");

const updateEnv = pathToConfig => {
  const envConfig = dotenv.parse(fs.readFileSync(pathToConfig));
  for (const k in envConfig) {
    process.env[k] = envConfig[k];


That's it!

Thanks for reading. This article was originally posted on my blog. Sign up for my newsletter if you want more articles to help you become a better frontend developer.

Discussion (5)

andrewbrown profile image
Andrew Brown 🇨🇦

AWS has two different services for handling sensitive application configuration.
Secrets Manager and SSM Parameter Store. One cost pennies and the other is free.

Instead of rolling your own I would suggest these services as you can apply envelope encryption.

If you are running AWS EC2 instances you don't need to embed AWS credentials as they are passed securely to the instance already via roles.

If you are using the AWS Credentials directly as a user you can apply MFA to include another layer of protection.

pavelloz profile image
Paweł Kowalski • Edited

There is also AWS KMS (i think its recommended by AWS nowadays)

On github there is also "secrets" under repo /settings/secrets - if you use github actions. GHA then can set environment variables based on secrets value.

And of course universal method (assuming you use git) - git crypt - if you insist on keeping those in files in repo.

andrewbrown profile image
Andrew Brown 🇨🇦

When I was mentioning envelope encryption on Secrets Manager or SSM Parameter Store that is using KMS. So you checkbox encrypt and choose a key from KMS.

ch3ckmat3 profile image
Sohail Iqbal

Nice article.

How do you secure Keys in a single page javascript application?