Secrets

Sidekick is made for freelancers, solopreneurs and makers: those who want to iterate quickly over different versions and host tens of projects cheaply. Agile minds that tend to break things as they go. That’s why handling secrets can be particularly challenging. Sidekick tries to help while staying true to my vision.

ℹ️ Sidekick is focused on a model of two machines only: your local machine and your VPS. The most minimal setup needed.

There are multiple ways to handle env secrets; some good and some terrible. Most devs use .env files that get moved to the server or copied into the Docker image. That is the baseline Sidekick is trying to improve on; it’s considered the status quo for a typical Sidekick user. Of course there are terrible ways to handle secrets too, like hardcoding them into your repo. Sidekick will not interfere with this. Feel free to shoot yourself in the foot.

The best way to handle env secrets is to inject them at run-time. This is usually done in one of a couple of ways:

  • A sops controller integrated into K8s
  • A third-party secret management service like Vault, Infisical or 1Pass

The latter is the choice Kamal made, for instance. It’s a great solution in terms of safety and ease of use.

However, I think it’s too complicated. Yes you read that right.

Sidekick takes a weird and fresh approach to this problem. It focuses on just two machines, your local machine and your VPS, and I do my best to get the most out of this setup before introducing any other dependencies. Sidekick uses sops and age to handle your env secrets securely. Here is how it works:

  • We generate a pair of age keys when you run sidekick init
  • Those keys are stored on your local machine and never make their way to your VPS
  • When you run sidekick launch we encrypt your .env with sops using the age keys created earlier
  • We copy the resulting encrypted.env file to the project folder on your VPS
  • We use the sops exec-env command to spawn a new process in which the values from your env file are available, without the plaintext file ever being written on the VPS
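The five steps above written out as plain sops and age commands, added here as an illustration; this is not Sidekick’s own source. It assumes the key file path, VPS host and project directory shown as placeholders, that the app starts with docker compose up -d, and that the private key reaches sops through the SOPS_AGE_KEY environment variable for that one process.

```shell
#!/bin/sh
# Added example (not Sidekick's own source): the init/launch flow as sops + age commands.
# Assumed: key at $KEY_FILE, VPS as $VPS, project dir $REMOTE_DIR, key passed via SOPS_AGE_KEY.
set -eu
KEY_FILE="${KEY_FILE:-${HOME:-.}/.config/sidekick/age.key}"
VPS="${VPS:-deploy@vps.example.com}"    # placeholder host
REMOTE_DIR="${REMOTE_DIR:-/opt/myapp}"  # placeholder path

# 1. One-time, local only (what `sidekick init` does): generate an age key pair.
init_keys() {
  mkdir -p "$(dirname "$KEY_FILE")"
  [ -f "$KEY_FILE" ] || age-keygen -o "$KEY_FILE"
  chmod 600 "$KEY_FILE"
}
# Public recipient, taken from the comment line age-keygen writes into the key file.
age_recipient() { sed -n 's/^# public key: //p' "$KEY_FILE"; }

# 2. Encrypt .env for that recipient: keys stay readable, values become ENC[...].
encrypt_env() {
  sops --encrypt --age "$(age_recipient)" \
       --input-type dotenv --output-type dotenv .env > encrypted.env
}

# Check before shipping: every line that is not blank, a comment or sops metadata
# must carry an ENC[...] value. Returns 1 and names the first plaintext key.
verify_encrypted_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|sops_*) ;;
      *'=ENC['*) ;;
      *) echo "plaintext value for ${line%%=*} in $1" >&2; return 1 ;;
    esac
  done < "$1"
}

# 3+4. Copy only the ciphertext, then run the app under sops exec-env. The private
# key travels over the SSH channel on stdin into a shell variable, so it appears
# neither on the VPS disk nor in remote argv; it exists only in that process's env.
launch() {
  verify_encrypted_env encrypted.env
  scp encrypted.env "$VPS:$REMOTE_DIR/encrypted.env"
  sed -n '/^AGE-SECRET-KEY-/p' "$KEY_FILE" | ssh "$VPS" \
    "read -r k; cd $REMOTE_DIR && SOPS_AGE_KEY=\"\$k\" \
     sops exec-env encrypted.env 'docker compose up -d' </dev/null"
}

# Usage: sh secrets.sh init | encrypt | launch   (no argument: only define functions)
case "${1:-}" in
  init) init_keys ;;
  encrypt) encrypt_env && verify_encrypted_env encrypted.env ;;
  launch) launch ;;
esac
```

Run the encrypt step before every launch and let verify_encrypted_env stop the copy if a value slipped through unencrypted.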

This is the simplest and most secure setup you can get with just two machines, as far as I know. Always open for feedback.

Your keys will never touch your VPS. Even if your VPS is hacked, only the encrypted file will be there, leaving your secrets secure. You don’t have to pay for any service to store your “secrets” securely for you.