Documentation / Guides / Integrations / Application / Phoenix
phoenix logo

How to use Phoenix with SecretHub

This guide will show how you to load secrets from SecretHub into your Phoenix application. These could be database passwords, API keys, encryption keys, or anything else you’d like to keep secret.

Instead of putting secrets values in source code or config files, you’ll be able to load them on demand from a secure and central place.

Before you begin

Before you start using SecretHub with Phoenix, make sure you have completed the following steps:

  1. Set up SecretHub on your workstation.
  2. Install Elixir and create a Phoenix project to use.

Step 1: Replace plaintext values with references

Collect all secrets from your source code, .exs files or other config files, and use the SecretHub CLI to encrypt and store them.

To do this, copy the values to your clipboard and use the write command and specify a path on SecretHub:

secrethub write --clip your-username/demo/api_key

In your Elixir code, read these secrets from environment variables:

api_key = System.get_env("API_KEY")

Then, in your app launch script or runtime environment, you’ll have to set these environment variables. But instead of using plaintext values, reference the secrets by the path you chose earlier, prefixed with secrethub://:

export API_KEY=secrethub://your-username/demo/api_key

Step 2: Load secrets into your app

To load secrets into your app, you don’t have to incorporate a Elixir client or SDK of some sort. Your application code can stay SecretHub-agnostic.

Instead, you can use the CLI to automatically fetch and decrypt secrets the moment your app starts.

Simply wrap your app start command with secrethub run and any environment variable that references a SecretHub secret will get updated to contain the actual secret value:

secrethub run -- mix phx.server

That’s it! You have now provisioned the app without a secret being near it. 🎉

As an added bonus, secrethub run keeps an eye on your log output to see if any secret accidentally gets logged and masks them from the output!

Next Up: Deploy your app

It’s great if simple examples work locally, but they don’t mean much if they don’t work anymore in a real-world scenario. So to read more about actually deploying your app with SecretHub, see:

Amazon Web Services icon Amazon Web Services

Google Cloud icon Google Cloud

Azure icon Azure

Other / bare-metal icon Other / bare-metal

SecretHub logo on dark background without text
We build software to make development, operations, and security into what it should be - easy and accessible
© 2018- SecretHub. All rights reserved. Privacy Policy Terms & Conditions