ADR-001: Encrypted Environment Variables for Ephemeral Containers
Date: 2025-10-08 Status: ✅ Accepted (Machine Services) | 🤔 Proposed (Universal Adoption) Decision Makers: Architecture Team Related ADRs: Docker Swarm Migration Analysis
Executive Summary
This ADR documents the encrypted environment variable system used to securely deploy containerized services to ephemeral hosting platforms (SALAD, vast.ai, RunPod) where runtime secret injection is impractical or unavailable. The system encrypts environment variables at build time, bakes them into Docker images, and decrypts them at runtime using a separate decryption key.
Current State:
- ✅ Machine services (ComfyUI workers) use encrypted environment variables
- ❌ API/Webhook services skip encryption, use runtime environment injection
Key Question: Should this system be adopted universally across all ephemeral containers?
Table of Contents
- Context
- Problem Statement
- Decision
- Technical Architecture
- Implementation Details
- Security Analysis
- Current Adoption Matrix
- Consequences
- Universal Adoption Analysis
- Alternatives Considered
- Related Documentation
Context
The Deployment Challenge
EMP-Job-Queue deploys services to multiple environments with different constraints:
| Environment | Deployment Method | Secret Management Challenge |
|---|---|---|
| Local Dev | Docker Compose | Easy: Volume mount .env.secret files |
| Staging/Production (API) | Railway.app | Easy: Platform secret injection |
| Ephemeral Machines | SALAD/vast.ai/RunPod | Hard: No built-in secret management |
Ephemeral Hosting Platforms
Machine services deploy to cost-optimized ephemeral hosting platforms:
- SALAD: Low-cost GPU compute, spot instances, minimal configuration options
- vast.ai: GPU marketplace, no secret injection, container-focused
- RunPod: Serverless GPUs, limited environment variable support
Key Constraints:
- No secret injection - Platforms don't support runtime secret management
- Container-focused - Deploy pre-built images, minimal configuration
- Elastic scaling - Spin up/down 10-50 machines daily
- Immediate deployment - Seconds not minutes (no runtime configuration steps)
Why Runtime Secret Injection Fails
Traditional approach (API services):
bash
# Railway.app, fly.io, Render.com
docker run -e DATABASE_URL=postgres://... -e API_KEY=secret123 my-api:latestProblem with ephemeral platforms:
bash
# SALAD, vast.ai - must configure 50+ environment variables per machine
# Each machine restart requires re-entering secrets
# No CLI automation, manual UI configuration
# Secrets stored in platform UI (security concern)Problem Statement
Requirements
- Deploy to ephemeral platforms - Machine services must run on SALAD/vast.ai without runtime secret injection
- Secure secret storage - Secrets cannot be stored in plaintext in Docker images
- Simple deployment - One-click deployment from pre-built images
- Fast startup - No dependency on external secret management systems
- Development flexibility - Local development shouldn't require encryption
Non-Requirements
- Multi-tenant secret isolation (each deployment has its own images)
- Secret rotation without rebuild (acceptable trade-off)
- Runtime secret fetching (adds latency and dependencies)
Decision
Adopted Approach: Build-Time Encryption + Runtime Decryption
For Machine Services (ComfyUI Workers):
- ✅ Encrypt environment variables at build time using AES-256-CBC
- ✅ Bake encrypted blob into Docker image as
/service-manager/env.encrypted - ✅ Decrypt at runtime using
EMP_ENV_DECRYPT_KEYenvironment variable - ✅ Optional encryption - Disable for local development with
DISABLE_ENV_ENCRYPTION=true
For API/Webhook Services:
- ❌ Skip encryption - Use platform-native secret injection (Railway.app secrets)
- ✅ Simpler deployment - No decryption overhead, standard Docker practices
Decision Rationale
| Factor | Encrypted Env Vars | Runtime Secret Injection | External Secret Store |
|---|---|---|---|
| Ephemeral platform support | ✅ Works | ❌ Platform limitations | ⚠️ Adds dependencies |
| Deployment simplicity | ✅ One-click | ❌ Manual config | ⚠️ Setup complexity |
| Security | ✅ Encrypted + HMAC | ❌ Plaintext in logs | ✅ Centralized |
| Local dev | ✅ Optional | ✅ Simple | ⚠️ Requires access |
| Secret rotation | ⚠️ Rebuild required | ✅ Immediate | ✅ Immediate |
| Cold start time | ✅ Fast (local) | ✅ Fast | ❌ Network fetch |
Conclusion: Encrypted environment variables provide the best balance for ephemeral machine deployments while accepting the trade-off of rebuild-based secret rotation.
Technical Architecture
High-Level Flow
System Components
Build Process Runtime Process
┌─────────────────────┐ ┌─────────────────────┐
│ prepare-docker- │ │ entrypoint-base- │
│ build.js │ │ common.sh │
├─────────────────────┤ ├─────────────────────┤
│ │ │ │
│ 1. Load .env files │ │ 1. Check SERVICE_ │
│ - Regular vars │ │ TYPE=machine │
│ - Secret vars │ │ │
│ │ │ 2. Read env. │
│ 2. Merge configs │ │ encrypted │
│ │ │ │
│ 3. Encrypt: │ │ 3. Verify HMAC │
│ - AES-256-CBC │ │ │
│ - HMAC-SHA256 │ │ 4. Decrypt data │
│ - Gzip compress │ │ │
│ │ │ 5. Decompress │
│ 4. Write env. │ │ │
│ encrypted │ │ 6. Write .env │
│ │ │ │
│ 5. Bake into image │ │ 7. Load into shell │
└─────────────────────┘ └─────────────────────┘
│ │
└──────────────────────────────────┘
Docker Image Layer
/service-manager/env.encryptedImplementation Details
Build-Time Encryption (prepare-docker-build.js)
Location: /Users/the_dusky/code/emerge/emerge-turbo/apps/machine/prepare-docker-build.js
Process:
javascript
// 1. Load environment files
const regularEnv = parseEnv('.env.staging')
const secretEnv = parseEnv('.env.secret.staging')
const allEnvVars = { ...regularEnv, ...secretEnv }
// 2. Get encryption key
const encryptKey = allEnvVars.ENV_ENCRYPT_KEY // From environment config
// 3. Handle base64 or UUID keys
let encryptionKey
try {
encryptionKey = Buffer.from(encryptKey, 'base64')
if (encryptionKey.length !== 32) throw new Error('Invalid key length')
} catch (e) {
// If not base64, hash to 32 bytes
encryptionKey = crypto.createHash('sha256').update(encryptKey).digest()
}
// 4. Compress data (reduces size by ~60%)
const jsonData = JSON.stringify(allEnvVars)
const compressedData = zlib.gzipSync(jsonData)
// 5. Deterministic IV for Docker caching
const contentHash = crypto.createHash('sha256').update(jsonData).digest()
const iv = contentHash.slice(0, 16) // First 16 bytes
// 6. Encrypt with AES-256-CBC
const cipher = crypto.createCipheriv('aes-256-cbc', encryptionKey, iv)
const encrypted = Buffer.concat([iv, cipher.update(compressedData), cipher.final()])
// 7. Add HMAC authentication
const hmac = crypto.createHmac('sha256', encryptionKey)
hmac.update(encrypted)
const authTag = hmac.digest()
// 8. Final payload: [IV|Ciphertext|HMAC] → base64
const encryptedPayload = Buffer.concat([encrypted, authTag])
fs.writeFileSync('env.encrypted', encryptedPayload.toString('base64'))Key Design Decisions:
- Deterministic IV - Uses content hash for Docker layer caching
- HMAC authentication - Prevents tampering, verifies decryption key
- Gzip compression - Reduces payload size by ~60%
- Flexible key format - Accepts base64 or plain UUID (hashed to 32 bytes)
Example Output:
bash
🔐 Encrypting environment variables...
Found 12 regular variables
Found 34 secret variables
Total: 46 variables
✅ Encryption complete:
Original size: 5247 bytes
Compressed: 1823 bytes (65% reduction)
Encrypted: 1855 bytes
Output: env.encryptedRuntime Decryption (entrypoint-base-common.sh)
Location: /Users/the_dusky/code/emerge/emerge-turbo/scripts/entrypoint-base-common.sh (lines 40-146)
Process:
bash
decrypt_environment() {
# 1. Skip for non-machine services
if [ "${SERVICE_TYPE:-}" != "machine" ]; then
log_info "Skipping decryption for ${SERVICE_TYPE:-unknown} service"
return 0
fi
# 2. Check if encryption disabled (local dev)
if [ "${DISABLE_ENV_ENCRYPTION:-false}" = "true" ]; then
log_info "Encryption disabled via DISABLE_ENV_ENCRYPTION=true"
return 0
fi
# 3. Verify decryption key provided
if [ -z "${EMP_ENV_DECRYPT_KEY:-}" ]; then
log_error "EMP_ENV_DECRYPT_KEY required for decryption"
return 1
fi
# 4. Decrypt using Node.js (inline script)
node -e "
const crypto = require('crypto');
const zlib = require('zlib');
const fs = require('fs');
// Read encrypted data
const encryptedData = fs.readFileSync('/service-manager/env.encrypted', 'utf8');
const encryptedBuffer = Buffer.from(encryptedData, 'base64');
// Get decryption key (matches encryption key handling)
const keyString = process.env.EMP_ENV_DECRYPT_KEY;
let keyBuffer;
try {
keyBuffer = Buffer.from(keyString, 'base64');
if (keyBuffer.length !== 32) throw new Error('Invalid key length');
} catch (e) {
keyBuffer = crypto.createHash('sha256').update(keyString).digest();
}
// Extract and verify HMAC (last 32 bytes)
const encrypted = encryptedBuffer.slice(0, -32);
const receivedHmac = encryptedBuffer.slice(-32);
const hmac = crypto.createHmac('sha256', keyBuffer);
hmac.update(encrypted);
const computedHmac = hmac.digest();
if (!crypto.timingSafeEqual(receivedHmac, computedHmac)) {
throw new Error('HMAC verification failed - invalid decryption key');
}
// Decrypt with AES-256-CBC
const iv = encrypted.slice(0, 16);
const ciphertext = encrypted.slice(16);
const decipher = crypto.createDecipheriv('aes-256-cbc', keyBuffer, iv);
const compressedData = Buffer.concat([
decipher.update(ciphertext),
decipher.final()
]);
// Decompress and parse
const jsonString = zlib.gunzipSync(compressedData).toString('utf8');
const envVars = JSON.parse(jsonString);
// Write .env file
let envContent = '';
for (const [key, value] of Object.entries(envVars)) {
envContent += \`\${key}=\${value}\\n\`;
}
fs.writeFileSync('/service-manager/.env', envContent);
console.log(\`✅ Decrypted \${Object.keys(envVars).length} variables\`);
"
}Security Features:
- HMAC verification - Detects tampering or wrong decryption key
- Timing-safe comparison - Prevents timing attacks on HMAC
- Explicit error messages - Guides troubleshooting without leaking secrets
- Service type isolation - Only machine services decrypt
Configuration (machine.env)
Location: /Users/the_dusky/code/emerge/emerge-turbo/config/environments/components/machine.env
ini
[default]
ENV_ENCRYPTION_KEY=${ENV_ENCRYPT_KEY} # Build-time encryption key
EMP_ENV_DECRYPT_KEY=${ENV_ENCRYPT_KEY} # Runtime decryption key
[local]
DISABLE_ENV_ENCRYPTION=true # Skip encryption for fast dev iteration
[remotedev]
DISABLE_ENV_ENCRYPTION=false # Encrypt for remote testing
[staging]
DISABLE_ENV_ENCRYPTION=false # Encrypt for staging deployments
[production]
DISABLE_ENV_ENCRYPTION=false # Encrypt for production deploymentsKey Management:
ini
# config/environments/secrets/.env.secrets.local
ENV_ENCRYPT_KEY=base64EncodedKey32BytesLong==
# OR
ENV_ENCRYPT_KEY=550e8400-e29b-41d4-a716-446655440000 # UUID (hashed to 32 bytes)Docker Integration
Dockerfile Pattern:
dockerfile
# Multi-stage build
FROM node:20-slim AS builder
# Build dependencies
WORKDIR /app
COPY package*.json ./
RUN npm install
# Prepare encrypted environment
COPY apps/machine/prepare-docker-build.js ./
RUN ENV_ENCRYPT_KEY=${ENV_ENCRYPT_KEY} node prepare-docker-build.js
# Final runtime image
FROM nvidia/cuda:12.1.0-base-ubuntu22.04
# Copy encrypted environment
COPY --from=builder /app/env.encrypted /service-manager/env.encrypted
# Copy entrypoint
COPY scripts/entrypoint-base-common.sh /service-manager/
RUN chmod +x /service-manager/entrypoint-base-common.sh
ENTRYPOINT ["/service-manager/entrypoint-base-common.sh"]Build Command:
bash
# Local development (no encryption)
docker build \
--build-arg ENV_ENCRYPT_KEY=dummy \
--build-arg DISABLE_ENV_ENCRYPTION=true \
-t machine:local .
# Production (encrypted)
docker build \
--build-arg ENV_ENCRYPT_KEY=$(cat .env.secret | grep ENV_ENCRYPT_KEY) \
-t machine:production .Runtime Command:
bash
# Deployment to SALAD/vast.ai
docker run \
-e SERVICE_TYPE=machine \
-e EMP_ENV_DECRYPT_KEY=base64EncodedKey32BytesLong== \
machine:productionSecurity Analysis
Threat Model
Assets:
- API keys (OpenAI, Anthropic, Gemini)
- Database credentials (PostgreSQL, Redis)
- Service keys (internal authentication)
- Encryption keys (ENV_ENCRYPT_KEY)
Threats:
| Threat | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Image compromise | Medium | High | Encryption prevents plaintext exposure |
| HMAC bypass | Low | High | Timing-safe comparison prevents attacks |
| Key leakage | Medium | Critical | Separate build/runtime keys possible |
| Man-in-the-middle | Low | Medium | HTTPS for image registry |
| Brute force | Very Low | High | 256-bit AES is computationally infeasible |
Security Properties
1. Confidentiality
- ✅ AES-256-CBC - Industry-standard symmetric encryption
- ✅ 32-byte key - 256 bits of entropy (base64 or SHA256-hashed UUID)
- ✅ Unique IV per content - Deterministic but content-dependent
2. Integrity
- ✅ HMAC-SHA256 - Detects tampering or corruption
- ✅ Timing-safe comparison - Prevents timing attacks
- ✅ Authenticated encryption - Encrypt-then-MAC pattern
3. Availability
- ✅ Self-contained - No external dependencies at runtime
- ✅ Fast decryption - Milliseconds overhead
- ⚠️ Key dependency - Wrong key causes startup failure (intentional)
Key Management
Current Approach:
Developer Laptop CI/CD Pipeline Production Container
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ .env.secrets. │ │ GitHub Secrets │ │ ENV variable │
│ local │ │ ENV_ENCRYPT_KEY │ │ EMP_ENV_DECRYPT_ │
│ │ │ │ │ KEY │
│ ENV_ENCRYPT_KEY │──(build)──>│ Used at build │──(deploy)─>│ Used at runtime │
│ = base64... │ │ time │ │ │
└──────────────────┘ └──────────────────┘ └──────────────────┘Separation Strategy (Optional):
Build Key (ENV_ENCRYPT_KEY) Runtime Key (EMP_ENV_DECRYPT_KEY)
┌──────────────────┐ ┌──────────────────┐
│ Stored in CI/CD │ │ Stored in hosting│
│ Used to encrypt │ │ platform │
│ env.encrypted │ │ │
│ │ │ Can be rotated │
│ Rotate: Rebuild │ │ independently │
│ all images │ │ │
└──────────────────┘ └──────────────────┘Best Practices:
- Never commit keys - Use
.env.secrets.local(gitignored) - Rotate keys quarterly - Rebuild images with new keys
- Separate build/runtime - Different keys reduce blast radius
- Audit access - Track who has access to decryption keys
- Use secrets managers - GitHub Secrets, AWS Secrets Manager, etc.
Comparison to Alternatives
| Approach | Confidentiality | Integrity | Key Mgmt | Complexity |
|---|---|---|---|---|
| Plaintext .env | ❌ None | ❌ None | ✅ Simple | ✅ Simple |
| Encrypted env vars | ✅ AES-256 | ✅ HMAC | ⚠️ Manual | ⚠️ Moderate |
| Docker secrets | ✅ Platform | ✅ Platform | ✅ Platform | ⚠️ Platform lock-in |
| Vault/AWS Secrets | ✅ Strong | ✅ Strong | ✅ Centralized | ❌ Complex |
Current Adoption Matrix
Service-Level Encryption Status
| Service | Encryption | Reason | Deployment Target |
|---|---|---|---|
| Machine (ComfyUI) | ✅ Enabled | Ephemeral platforms (SALAD/vast.ai) | Spot GPU instances |
| API | ❌ Disabled | Railway.app secrets | Railway.app |
| Webhook Service | ❌ Disabled | Railway.app secrets | Railway.app |
| Monitor | ❌ Disabled | No secrets required | Railway.app |
| EmProps API | ❌ Disabled | Railway.app secrets | Railway.app |
Code-Level Implementation
1. Service Type Check (entrypoint-base-common.sh:47-50)
bash
# Skip decryption for non-machine services (API/Webhook)
if [ "${SERVICE_TYPE:-}" != "machine" ]; then
log_info "Skipping environment decryption for ${SERVICE_TYPE:-unknown} service"
return 0
fi2. Optional Encryption (entrypoint-base-common.sh:56-59)
bash
# Check if encryption is disabled (local development)
if [ "${DISABLE_ENV_ENCRYPTION:-false}" = "true" ]; then
log_info "Environment encryption disabled via DISABLE_ENV_ENCRYPTION=true"
return 0
fi3. Key Requirement Check (entrypoint-base-common.sh:68-73)
bash
# Check if decryption key is provided
if [ -z "${EMP_ENV_DECRYPT_KEY:-}" ]; then
log_error "❌ EMP_ENV_DECRYPT_KEY environment variable is required for decryption"
log_error "💡 Set EMP_ENV_DECRYPT_KEY in your Docker run command or compose file"
log_error "💡 Or set DISABLE_ENV_ENCRYPTION=true to skip decryption"
return 1
fiEnvironment-Specific Behavior
bash
# Local development - Fast iteration
$ docker run -e DISABLE_ENV_ENCRYPTION=true machine:local
[INFO] Environment encryption disabled via DISABLE_ENV_ENCRYPTION=true
[INFO] Loading environment from /service-manager/.env (volume mounted)
# Remote development - Test encryption
$ docker run -e EMP_ENV_DECRYPT_KEY=$(cat .env.secret) machine:remotedev
[INFO] Decrypting environment variables...
✅ Decrypted 46 environment variables
[INFO] ✅ Environment variables decrypted to /service-manager/.env
# Production - Encrypted deployment
$ docker run -e EMP_ENV_DECRYPT_KEY=base64Key== machine:production
[INFO] Decrypting environment variables...
✅ Decrypted 46 environment variables
[INFO] ✅ Environment variables decrypted to /service-manager/.envConsequences
Positive
1. Simplified Ephemeral Deployment
- ✅ One-click deployment to SALAD/vast.ai with single environment variable
- ✅ No manual secret configuration in hosting platform UI
- ✅ Fast scaling (10 → 50 machines in minutes)
- ✅ Consistent configuration across all machine instances
2. Security
- ✅ Secrets not stored in plaintext in Docker images
- ✅ HMAC prevents tampering or corruption
- ✅ Failed decryption fails fast (intentional)
- ✅ Audit trail (build logs show encryption, runtime logs show decryption)
3. Developer Experience
- ✅ Optional encryption for local development (skip overhead)
- ✅ Single source of truth (component-based environment files)
- ✅ Type-safe configuration (service interfaces)
- ✅ Consistent across environments (local/staging/production)
4. Operational
- ✅ Fast cold starts (no network fetch for secrets)
- ✅ Docker layer caching (deterministic IV)
- ✅ Self-contained containers (no external dependencies)
- ✅ Portable images (deploy to any platform with single key)
Negative
1. Secret Rotation
- ⚠️ Rebuild required - Changing secrets requires rebuilding images
- ⚠️ Deployment overhead - Push new images to registry
- ⚠️ Downtime risk - Rolling update across machines
- ⚠️ Key distribution - New keys must reach all deployment targets
2. Complexity
- ⚠️ Two-stage process - Build-time encryption + runtime decryption
- ⚠️ Key management - Separate build/runtime keys (optional but recommended)
- ⚠️ Debugging - Encryption failures can be cryptic
- ⚠️ Learning curve - Team must understand encryption flow
3. Security Trade-offs
- ⚠️ Secrets baked in - Encrypted blob in image layer (mitigated by encryption)
- ⚠️ Key exposure risk - Decryption key passed at runtime
- ⚠️ No central audit - Secret access not logged centrally
- ⚠️ Key rotation overhead - More complex than platform secrets
4. Operational Constraints
- ⚠️ Image size - env.encrypted adds ~2KB (minimal)
- ⚠️ Startup latency - Decryption adds ~50ms (negligible)
- ⚠️ Single point of failure - Wrong key = container won't start
- ⚠️ No dynamic updates - Can't change secrets without rebuild
Universal Adoption Analysis
Should All Services Use Encrypted Environment Variables?
Current State:
- Machine services ✅ Use encryption
- API/Webhook services ❌ Use platform secrets (Railway.app)
Question: Should API/Webhook services adopt encryption for consistency?
Analysis by Service Type
1. Machine Services (Current: ✅ Encrypted)
| Factor | Assessment |
|---|---|
| Deployment target | SALAD/vast.ai (no secret injection) |
| Secret rotation frequency | Low (quarterly) |
| Scaling pattern | Elastic (10-50 instances daily) |
| Cold start importance | Critical (seconds matter) |
| Recommendation | ✅ Keep encrypted - Platform constraints require it |
2. API Services (Current: ❌ Platform Secrets)
| Factor | Assessment |
|---|---|
| Deployment target | Railway.app (secret injection) |
| Secret rotation frequency | Medium (monthly) |
| Scaling pattern | Stable (2-5 replicas) |
| Cold start importance | Moderate (seconds acceptable) |
| Recommendation | ❌ Keep platform secrets - Railway.app handles this well |
3. Webhook Services (Current: ❌ Platform Secrets)
| Factor | Assessment |
|---|---|
| Deployment target | Railway.app (secret injection) |
| Secret rotation frequency | Medium (monthly) |
| Scaling pattern | Stable (1-3 replicas) |
| Cold start importance | Moderate (seconds acceptable) |
| Recommendation | ❌ Keep platform secrets - Railway.app handles this well |
4. Monitor (Current: ❌ No Secrets)
| Factor | Assessment |
|---|---|
| Deployment target | Railway.app |
| Secret rotation frequency | N/A (no secrets) |
| Scaling pattern | Stable (1 replica) |
| Cold start importance | Low (UI can wait) |
| Recommendation | ❌ No encryption needed - No secrets to protect |
Consistency vs. Pragmatism
Arguments for Universal Adoption:
✅ Consistency
- Single secret management approach across all services
- Easier to document and train developers
- Predictable behavior in all environments
✅ Portability
- Images work on any platform (not locked to Railway.app)
- Easier to migrate between hosting providers
- Self-contained deployments
✅ Simplicity
- No platform-specific configuration
- Same workflow for all services
- Reduces cognitive load
Arguments Against Universal Adoption:
❌ Platform Features
- Railway.app provides excellent secret management
- Built-in secret rotation
- Centralized audit logs
- Team-based access control
❌ Operational Overhead
- Rebuild images for secret rotation (vs. instant platform rotation)
- Push new images to registry
- Coordinate deployments
❌ Complexity
- Two-stage encryption/decryption process
- Key management for all services
- Debugging encryption failures
❌ No Clear Benefit
- API/Webhook services deploy to platforms with good secret management
- No ephemeral scaling constraints
- Secret rotation is more frequent (favor platform flexibility)
Recommendation Matrix
| Service Type | Deployment | Encryption Recommendation | Reason |
|---|---|---|---|
| Machine | SALAD/vast.ai | ✅ Use encryption | Platform requires it |
| API | Railway.app | ❌ Use platform secrets | Platform handles it better |
| Webhook | Railway.app | ❌ Use platform secrets | Platform handles it better |
| Monitor | Railway.app | ❌ No encryption needed | No secrets |
| Future ephemeral | Any spot instance | ✅ Use encryption | Pattern proven for machines |
Decision Framework
Use encrypted environment variables when:
- ✅ Deploying to ephemeral hosting platforms (SALAD, vast.ai, RunPod)
- ✅ Platform lacks runtime secret injection
- ✅ Scaling elastically (10+ instances with frequent changes)
- ✅ Cold start time is critical
- ✅ Secret rotation is infrequent (quarterly)
Use platform secrets when:
- ✅ Deploying to platforms with secret management (Railway, fly.io, Render)
- ✅ Stable scaling pattern (few replicas)
- ✅ Frequent secret rotation (monthly or more)
- ✅ Team needs centralized audit logs
- ✅ Cold start time is less critical
Alternatives Considered
Alternative 1: Docker Secrets (Docker Swarm)
Approach:
yaml
# docker-compose.yml
services:
machine:
image: machine:latest
secrets:
- api_key
- database_url
secrets:
api_key:
external: true
database_url:
external: truePros:
- ✅ Native Docker feature
- ✅ Encrypted at rest and in transit
- ✅ File-based secrets (
/run/secrets/api_key)
Cons:
- ❌ Requires Docker Swarm - Not available on SALAD/vast.ai
- ❌ Swarm complexity - Swarm init, node management, stack deploy
- ❌ Not portable - Doesn't work with plain
docker run
Decision: ❌ Rejected - SALAD/vast.ai don't support Docker Swarm
Alternative 2: External Secret Store (Vault, AWS Secrets Manager)
Approach:
bash
# Entrypoint fetches secrets at runtime
curl -H "X-Vault-Token: $VAULT_TOKEN" \
https://vault.example.com/v1/secret/data/machine/prod \
| jq -r '.data.data' > /service-manager/.envPros:
- ✅ Centralized secret management
- ✅ Instant secret rotation
- ✅ Audit logs
- ✅ Fine-grained access control
Cons:
- ❌ Network dependency - Adds latency to cold starts
- ❌ External service - Another failure point
- ❌ Complexity - Vault/AWS setup, authentication
- ❌ Cost - AWS Secrets Manager charges per secret
Decision: ❌ Rejected - Adds complexity and latency for machines that spin up/down constantly
Alternative 3: Environment Variable Injection (Platform Secrets)
Approach:
bash
# SALAD/vast.ai UI - manually configure 50+ variables
docker run \
-e OPENAI_API_KEY=sk-... \
-e ANTHROPIC_API_KEY=sk-... \
-e DATABASE_URL=postgres://... \
-e REDIS_URL=redis://... \
# ... 46 more variables
machine:latestPros:
- ✅ No encryption needed
- ✅ Instant secret rotation
- ✅ Standard Docker practice
Cons:
- ❌ Manual configuration - 50+ variables per machine
- ❌ No automation - Platform UIs don't support CLI injection
- ❌ Secrets in platform UI - Security concern (stored in hosting platform)
- ❌ Scale problem - 50 machines × 50 variables = 2,500 manual entries
Decision: ❌ Rejected - Impractical for elastic scaling
Alternative 4: Plaintext .env in Image
Approach:
dockerfile
# Copy plaintext .env into image
COPY .env /service-manager/.envPros:
- ✅ Simplest approach
- ✅ No encryption overhead
- ✅ Fast cold starts
Cons:
- ❌ Security risk - Secrets in plaintext in image layers
- ❌ Image exposure - Anyone with image access has secrets
- ❌ Compliance - Violates security best practices
Decision: ❌ Rejected - Unacceptable security risk
Alternative 5: Encrypted Config File (gpg, age)
Approach:
bash
# Build time: Encrypt with gpg
gpg --encrypt --recipient machine@example.com .env > env.gpg
# Runtime: Decrypt with private key
gpg --decrypt /service-manager/env.gpg > /service-manager/.envPros:
- ✅ Industry-standard encryption (gpg)
- ✅ Public/private key infrastructure
Cons:
- ❌ Key management - Distribute private keys to containers
- ❌ External dependency - Requires gpg binary in image
- ❌ Complexity - Key generation, distribution, rotation
Decision: ❌ Rejected - AES-256-CBC with single key is simpler and sufficient
Related Documentation
Internal Documentation
- Environment Management Guide:
/Users/the_dusky/code/emerge/emerge-turbo/apps/docs/src/environment-management-guide.md - Machine Deployment Guide: (To be created - tracks startup sequence, PM2 orchestration)
- Docker Swarm Migration Analysis:
/Users/the_dusky/code/emerge/emerge-turbo/apps/docs/src/adr/swarm-migration-analysis.md - CLAUDE.md North Star:
/Users/the_dusky/code/emerge/emerge-turbo/CLAUDE.md(Phase alignment, error handling philosophy)
Implementation Files
Build-Time Encryption:
/Users/the_dusky/code/emerge/emerge-turbo/apps/machine/prepare-docker-build.js- Lines 185-329: Encryption logic
- Lines 245-265: Key handling (base64 vs. hashed UUID)
- Lines 266-285: AES-256-CBC encryption with HMAC
Runtime Decryption:
/Users/the_dusky/code/emerge/emerge-turbo/scripts/entrypoint-base-common.sh- Lines 40-146:
decrypt_environment()function - Lines 47-50: Service type check (machine only)
- Lines 56-59: Encryption disable check
- Lines 78-146: Node.js decryption script
- Lines 40-146:
Configuration:
/Users/the_dusky/code/emerge/emerge-turbo/config/environments/components/machine.env- Lines 7-8: Encryption key mapping
- Lines 23-24: Local dev (encryption disabled)
- Lines 39-40: Production (encryption enabled)
External References
Cryptographic Standards:
- AES-256-CBC - NIST FIPS 197
- HMAC-SHA256 - RFC 2104
- Encrypt-then-MAC - RFC 7366
Docker Security:
Hosting Platforms:
Appendices
Appendix A: Encryption Performance Benchmarks
Test Environment: M1 MacBook Pro, Node.js 20, 46 environment variables
| Operation | Time | Notes |
|---|---|---|
| Encryption | 15ms | Build time (negligible) |
| Decryption | 8ms | Runtime (negligible) |
| Compression | 5ms | Gzip reduces size by 65% |
| HMAC verification | 2ms | Timing-safe comparison |
| Total overhead | ~30ms | Imperceptible to cold start |
Image Size Impact:
bash
# Without encryption
machine:base 15.2 GB
# With encryption (env.encrypted = 1.8 KB)
machine:base 15.2 GB # No measurable differenceAppendix B: Key Rotation Procedure
Quarterly Key Rotation (Recommended):
bash
# 1. Generate new encryption key
openssl rand -base64 32 > new-key.txt
# 2. Update secrets file
echo "ENV_ENCRYPT_KEY=$(cat new-key.txt)" >> .env.secrets.local
# 3. Rebuild all machine images
pnpm docker:build:machine:production
# 4. Push to registry
docker push machine:production
# 5. Update deployment configurations
# - SALAD: Update EMP_ENV_DECRYPT_KEY in container config
# - vast.ai: Update environment variable template
# - RunPod: Update pod template
# 6. Rolling deployment
# - Stop old machines
# - Start new machines with new key
# - Verify health checks
# 7. Archive old key (for rollback)
mv old-key.txt keys/archive/2025-10-08-key.txtEmergency Rotation (Security Incident):
bash
# Follow steps 1-6 above, but:
# - Immediate rebuild (no waiting for quarterly schedule)
# - Force shutdown all old machines (no graceful drain)
# - Verify no old keys in CI/CD secrets
# - Audit image registry access logsAppendix C: Troubleshooting Guide
Problem: "EMP_ENV_DECRYPT_KEY environment variable is required"
bash
# Symptom: Container exits immediately with error
# Solution: Provide decryption key at runtime
docker run -e EMP_ENV_DECRYPT_KEY=your-key-here machine:latest
# Or disable encryption for local dev
docker run -e DISABLE_ENV_ENCRYPTION=true machine:localProblem: "HMAC verification failed - invalid decryption key"
bash
# Symptom: Container decrypts but HMAC check fails
# Cause: Wrong decryption key (or corrupted image)
# Solution: Verify key matches build-time encryption key
# Check env.encrypted.info for encryption metadata
docker run machine:latest cat /service-manager/env.encrypted.info
{
"created": "2025-10-08T12:34:56.789Z",
"environment": ".env.secret.staging",
"variables": 46
}
# Verify key is correct
echo $EMP_ENV_DECRYPT_KEY | base64 -d | wc -c # Should be 32 bytesProblem: "Cannot find module '/service-manager/.env'"
bash
# Symptom: Decryption succeeds but .env file not found
# Cause: Decryption wrote to wrong location
# Solution: Check entrypoint script path
# Verify env.encrypted exists
docker run machine:latest ls -lh /service-manager/env.encrypted
# Run decryption manually (debug mode)
docker run -it --entrypoint bash machine:latest
$ EMP_ENV_DECRYPT_KEY=your-key node -e "$(cat /service-manager/decrypt.js)"Problem: "Encryption disabled but secrets missing"
bash
# Symptom: Local dev with DISABLE_ENV_ENCRYPTION=true, but variables not loaded
# Cause: Missing volume mount for .env file
# Solution: Mount .env file explicitly
docker run \
-e DISABLE_ENV_ENCRYPTION=true \
-v $(pwd)/.env:/service-manager/.env \
machine:localAppendix D: Security Audit Checklist
Pre-Deployment:
- [ ] Verify ENV_ENCRYPT_KEY is stored securely (GitHub Secrets, not committed)
- [ ] Confirm HMAC verification is enabled (not bypassed)
- [ ] Check env.encrypted file permissions (should be readable by all)
- [ ] Audit build logs for key exposure (should not print keys)
- [ ] Verify Dockerfile doesn't expose secrets in layers
Post-Deployment:
- [ ] Confirm containers start successfully (decryption works)
- [ ] Check runtime logs for key exposure (should not print keys)
- [ ] Verify .env file is not exposed via health endpoints
- [ ] Test HMAC failure (wrong key should fail fast)
- [ ] Audit image registry access (who can pull images?)
Quarterly Review:
- [ ] Rotate encryption keys (rebuild images)
- [ ] Review key access logs (who has decryption keys?)
- [ ] Update team documentation (key rotation procedures)
- [ ] Test emergency rotation procedure (practice drill)
Revision History
| Date | Version | Author | Changes |
|---|---|---|---|
| 2025-10-08 | 1.0 | Architecture Team | Initial ADR documenting current state |
Approval
Status: ✅ Accepted (Machine Services) | 🤔 Proposed (Universal Adoption)
Approved By:
- [ ] Architecture Team Lead
- [ ] Security Team
- [ ] DevOps Lead
Next Review Date: 2026-01-08 (Quarterly)
Open Questions:
- Should we implement separate build/runtime keys for added security?
- Should API services adopt encryption if we migrate away from Railway.app?
- Should we integrate with external secret managers (Vault, AWS Secrets Manager) in Phase 2?
Document Location: /Users/the_dusky/code/emerge/emerge-turbo/apps/docs/src/adr/encrypted-environment-variables.md
Related ADRs:
- Docker Swarm Migration Analysis - Why Swarm was rejected (includes secrets discussion)
- (Future) Machine Deployment Architecture - Detailed lifecycle documentation
- (Future) Security Architecture - Comprehensive security design decisions