Pulling Secrets

Prerequisites

Before pulling down secrets, ensure you have:

• You have installed the Hyphen CLI (see installation guide).
• Signed in to your Hyphen account via the CLI with the hx auth command
• You have access to an existing project that contains the app secrets in your Hyphen organization

Navigate to your App's Directory

First, navigate to the directory where your app’s source code is located:

cd path/to/your/app

This is where the secrets will be synced and stored.

Obtain the encryption key

The encryption key is stored in a .hxkey file, but Hyphen never has access to this key, and is why we never see your secrets. Once you obtained the encryption key via a secure channel, place in the app's root diretory.

Fetch Secrets for the App

hx pull

The pull command retrieves environment variables from Hyphen and decrypts them into local .env files.

You can also pull a specific environment by name:

hx pull production

Verify the Pulled Secrets

Once the command has completed, the secrets will be available in the corresponding .env files in your app’s directory. The following files may be updated based on your environment.

• .env: default secrets stored here will apply to all environments
• .env.development: in the development environment, secrets defined here override secrets in .env
• .env.production: in the production environment, secrets defined here override secrets .env
• .env.local: in your local development environment, secrets defined here override the default secrets .env (this file is not synced with Hyphen)

You can open and inspect these files to verify that the secrets have been pulled correctly.

If you edit an of the .env files, the next time you push, a new version for that environment(s) will be added to the version history.