Storing encryption key in dynamic env variables #73

Open
mlechler opened this issue Jun 18, 2024 · 0 comments

Hi @generalpiston,

we have the following scenario:

  • three stages (dev/test/prod) with different encryption keys
  • secrets, keys, ... stored in an Azure KeyVault
  • on the backend startup the secrets, keys, ... are read from the KeyVault and filled in env variables (based on predefined placeholders)
  • these env variables are then used for all auth operations in the backend

I tried to do the same workflow for the encryption keys, but as I recognized for now, it is impossible to use a dynamic env variable, isn't it?

Problem
The column transformer is built once when building the backend and as encryption key the placeholder for the KeyVault replacement is used. Later, when the env variable is properly filled with the correct encryption key, the column transformer is not aware of this change (results in an "invalid IV length" error of course).

Question
Is it possible to use a dynamic env variable for the encryption key, which will be filled when the backend is already on startup? Currently I think only the value which is stored in the env variable at build time is used.

I'm curious if there is any chance to get this working. Maybe with recreating the column transformer on change? I don't know if something like this is possible...

Hope you can help 😊
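
The binding problem described in the issue above (a transformer that reads the key once, when it is constructed) next to a transformer that resolves the key on every call. This is an added example, not code from the issue or from the project: the variable name `COLUMN_ENC_KEY`, the placeholder string, the helper names and the AES-256-GCM storage layout are all assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");
const KEY_ENV = "COLUMN_ENC_KEY";         // hypothetical env variable name
const PLACEHOLDER = "#{encryption-key}#"; // constructed build-time placeholder

// Accept only 64 hex characters (32 bytes, AES-256); fail loudly otherwise.
function parseKey(value) {
  if (!/^[0-9a-f]{64}$/i.test(value || "")) {
    throw new Error(`${KEY_ENV} is not a 32-byte hex key (unreplaced placeholder?)`);
  }
  return Buffer.from(value, "hex");
}

// Same shape as a TypeORM ValueTransformer: to() on write, from() on read.
// getKey() runs per operation, so the key is bound at use time, not at build time.
function makeTransformer(getKey) {
  return {
    to(plain) {
      if (plain == null) return plain;
      const iv = crypto.randomBytes(12);
      const c = crypto.createCipheriv("aes-256-gcm", getKey(), iv);
      const body = Buffer.concat([c.update(String(plain), "utf8"), c.final()]);
      return Buffer.concat([iv, c.getAuthTag(), body]).toString("base64");
    },
    from(stored) {
      if (stored == null) return stored;
      const raw = Buffer.from(stored, "base64"); // iv(12) | tag(16) | ciphertext
      const d = crypto.createDecipheriv("aes-256-gcm", getKey(), raw.subarray(0, 12));
      d.setAuthTag(raw.subarray(12, 28));
      return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
    },
  };
}

// Eager: the env variable is read once, when the transformer is created.
function eagerTransformer() {
  const captured = process.env[KEY_ENV];
  return makeTransformer(() => parseKey(captured));
}

// Lazy: the env variable is read on every call, after startup has filled it.
const lazyTransformer = () => makeTransformer(() => parseKey(process.env[KEY_ENV]));

function demo() {
  process.env[KEY_ENV] = PLACEHOLDER; // state when the entity module is loaded
  const eager = eagerTransformer(), lazy = lazyTransformer();
  process.env[KEY_ENV] = crypto.randomBytes(32).toString("hex"); // constructed key set at startup
  let eagerError = null;
  try { eager.to("iban"); } catch (e) { eagerError = e.message; }
  return { eagerError, roundTrip: lazy.from(lazy.to("iban")) };
}
```

Validating the key on each resolution turns an unreplaced placeholder into an explicit startup-time error instead of a cipher failure on the first query.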
