Source: Doppler Blog

Doppler Encrypted Secrets Snapshots for High Availability

Ideally, your application avoids fetching secrets at runtime altogether by using Doppler integrations (e.g. Doppler Kubernetes Secrets Operator), which continuously sync secrets to your hosting environment ahead of time, but this won't always be possible.

For legacy applications, on-prem, and virtualized environments where secrets must be fetched at runtime, bundling Doppler CLI secrets snapshots into your application provides a robust failsafe in the event Doppler's API is unreachable.

The result is similar to a GitOps secrets approach, but without the messy business of committing encrypted secrets to Git repositories.

Build. Encrypt. Deploy. Fallback.

Doppler secrets snapshots are bundled into the application build during CI/CD with a single command:

    doppler secrets download secrets.json.enc

Then, to fall back to a secrets snapshot when running your application:

    doppler run --fallback secrets.json.enc -- ./app-start.sh

Secrets snapshots aren't just for high availability. They're perfect for network-restricted environments and offer protection if Doppler's API rate limit is exceeded.

Adding the --fallback-only flag instructs the CLI to only use the snapshot:

    doppler run \
      --fallback secrets.json.enc \
      --fallback-only -- ./app-start.sh

Now let's look into passphrase usage for encrypting and decrypting secrets snapshots.

Passphrase

By default, the CLI configuration is used to construct the passphrase, which is typically the Service Token value exposed via the DOPPLER_TOKEN environment variable. While this is the simplest solution, setting the passphrase explicitly has the benefits of:

- Only using the DOPPLER_TOKEN for authentication
- Allowing the passphrase and DOPPLER_TOKEN values to be rotated independently

Most importantly, your implementation must guarantee the passphrase remains constant from build to deployment during a release.
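The requirement above, that the passphrase stay the same from build to deployment, can be checked before the application starts instead of being discovered during an outage. This is an added example, not code from the Doppler article or CLI: the function names and exit codes are made up here, and it assumes doppler run exits non-zero when the snapshot cannot be decrypted.

```shell
#!/bin/sh
# Added example: preflight for a Doppler secrets snapshot.
# Exit codes (chosen for this example): 0 ok, 2 passphrase missing,
# 3 snapshot missing or empty, 4 snapshot does not decrypt.

verify_snapshot() {
    snapshot="$1"

    # Without an explicit passphrase the CLI builds one from its own
    # configuration, so refuse to continue unless one is provided.
    if [ -z "${DOPPLER_PASSPHRASE:-}" ]; then
        echo "preflight: DOPPLER_PASSPHRASE is not set" >&2
        return 2
    fi

    # A snapshot that never made it into the build is the other common gap.
    if [ ! -s "$snapshot" ]; then
        echo "preflight: snapshot '$snapshot' is missing or empty" >&2
        return 3
    fi

    # --fallback-only makes the CLI use only the snapshot, so a successful
    # no-op run shows the snapshot decrypts with the current passphrase.
    # Assumption: the CLI exits non-zero when decryption fails.
    if ! doppler run \
            --passphrase "$DOPPLER_PASSPHRASE" \
            --fallback "$snapshot" \
            --fallback-only -- true >/dev/null 2>&1; then
        echo "preflight: snapshot does not decrypt with this passphrase" >&2
        return 4
    fi
    return 0
}

# Deploy entry point: preflight first, then run the application with the
# snapshot as a fallback.
run_with_fallback() {
    snapshot="$1"; shift
    verify_snapshot "$snapshot" || return $?
    doppler run \
        --passphrase "$DOPPLER_PASSPHRASE" \
        --fallback "$snapshot" -- "$@"
}
```

Calling verify_snapshot at the end of the build job as well catches a passphrase mismatch before the artifact is released.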
As these are infrastructure secrets, we recommend a dedicated infra project for each application containing only the DOPPLER_TOKEN and (should you use a passphrase) a DOPPLER_PASSPHRASE.

Doppler integrations then keep infrastructure secrets in sync between your build and your deployment environments, eliminating the risks associated with manual copying and pasting.

The following video demonstrates how to set up an infra project in three simple steps:

https://vimeo.com/769739281

With the required pieces in place, let's move on to creating and using secrets snapshots.

Build

With the DOPPLER_TOKEN and DOPPLER_PASSPHRASE injected into your build environment (e.g. GitHub Action Secrets), we can now create the secrets snapshot file:

    doppler secrets download \
      --passphrase "$DOPPLER_PASSPHRASE" \
      secrets.json.enc

Secrets snapshots also support name transformers and download formats:

    # ASP.NET Core secrets snapshot
    doppler secrets download \
      --passphrase "$DOPPLER_PASSPHRASE" \
      --format dotnet-json \
      appsettings.json.enc

Ensure the secrets snapshot file is included in your build, then you're done!

Deploy

With the DOPPLER_TOKEN and DOPPLER_PASSPHRASE injected into the deployment environment via automation (e.g. Ansible), the Doppler CLI will attempt to fetch the latest version of secrets using the secrets snapshot as a fallback:

    doppler run \
      --passphrase "$DOPPLER_PASSPHRASE" \
      --fallback secrets.json.enc -- ./start-app.sh

Summary

Doppler secret snapshots are your high-availability solution to ensure applications can always access their secrets.

Using Docker? Check out our dedicated Docker High Availability documentation to learn more.
