Secrets don't belong in your repository, but sometimes they are too large or unwieldy for envornment variables. This provides a simple way to securely drop a bundle of files into your Heroku application on deploy.
This is experimental, and not 12-Factor compliant
cd secrets/ && tar -c * | gzip > ../secrets.tar.gz
openssl enc -aes-256-cbc -md sha256 -salt -in secrets.tar.gz -out secrets.tar.gz.enc
heroku buildpacks:add -i 1 https://github.com/getflywheel/heroku-buildpack-secrets-bundle
secrets/directory to use
After you deploy once with a secrets bundle, you can clear
SECRET_BUNDLE_PASSPHRASE and it will still load the secrets from cache. If you want to replace the cache, just set them again and it will overwrite.
If you want to completely flush your cache, set
DELETE and run a deploy.
The heroku-18 stack uses OpenSSL 1.1.0, which is incompatible with previous encryption versions. If you are on an older stack (cedar-14, heroku-16) please use the
Copy the snippet above into CLI.