Managing Sensitive Credentials

Most modern application frameworks support storing sensitive values ("secrets") in local .env files or similar. Alternatively, there are open source projects on GitHub that provide this functionality. Storing secrets directly in your repository's source code or Docker image is an anti-pattern, and Healthcare Blocks advises against it.

To create a persistent location for an app-specific .env file on a Dokku-enabled virtual machine, first define a storage location:

dokku storage:ensure-directory my_app

This creates a directory at /var/lib/dokku/data/storage/my_app in the virtual machine's filesystem. Next, use the Dokku mount command to map the storage directory to a path that will be accessible by your app inside the runtime container. Inside the container, your application is located at /app. The following example allows your application to access files locally under /app/local.

dokku storage:mount my-app \
  /var/lib/dokku/data/storage/my_app:/app/local

Finally, add your environment-specific .env file to the /var/lib/dokku/data/storage/my_app directory and re-deploy (git push) or restart (dokku ps:restart) your application.

Note: if your application complains about permissions when attempting to read the .env file during runtime, run the following command once to update the ownership of the file to match the identity used by the container:

sudo chown -R 32767:32767 \
  /var/lib/dokku/data/storage/my_app

Additional Options

If you do not want to store credentials directly on the server, Healthcare Blocks can enable the ability to store them in AWS Systems Manager Parameter Store, which provides an API through the official AWS SDK libraries. You would need to implement functionality in your application that can retrieve the values upon app startup, prior to making calls to databases and other external services that require credentials. Please create a support ticket for additional assistance.
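
An added example of the startup retrieval described above (not Healthcare Blocks' code): it assumes a Python app using boto3, a hypothetical parameter path /my_app/production, and hypothetical function names load_secrets and apply_to_environment. FakeSSM and its values are constructed so the block runs offline; in a real deployment the client would be boto3.client("ssm").

```python
import os

def load_secrets(ssm, prefix):
    """Return {ENV_NAME: value} for every parameter under `prefix`, decrypted."""
    path = prefix.rstrip("/")
    secrets, token = {}, None
    while True:
        kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
        if token:
            kwargs["NextToken"] = token
        page = ssm.get_parameters_by_path(**kwargs)  # results are paginated
        for param in page["Parameters"]:
            # /my_app/production/smtp/password -> SMTP_PASSWORD
            key = param["Name"][len(path) + 1:].replace("/", "_").upper()
            secrets[key] = param["Value"]
        token = page.get("NextToken")
        if not token:
            return secrets

def apply_to_environment(secrets, required=(), environ=os.environ):
    """Export secrets before any database or service client is created.

    Fails closed: a missing required secret aborts startup rather than letting
    the app continue with an empty credential. Only names are returned, so the
    result is safe to log; values never are.
    """
    missing = [name for name in required if not secrets.get(name)]
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    environ.update(secrets)
    return sorted(secrets)

class FakeSSM:
    """Constructed stand-in for boto3.client("ssm"); serves two sample pages."""
    pages = {
        None: {"Parameters": [{"Name": "/my_app/production/DATABASE_URL",
                               "Value": "postgres://example.invalid/db"}],
               "NextToken": "page2"},
        "page2": {"Parameters": [{"Name": "/my_app/production/smtp/password",
                                  "Value": "constructed-sample"}]},
    }
    def get_parameters_by_path(self, **kwargs):
        return self.pages[kwargs.get("NextToken")]

if __name__ == "__main__":
    found = load_secrets(FakeSSM(), "/my_app/production")
    print("loaded:", apply_to_environment(found, required=("DATABASE_URL",)))
```

Call the loader as the first step of application startup so that a missing or unreadable parameter stops the process before any connection is attempted.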