Key Store

The Expo Open OTA server requires several keys and secrets to interact with the Expo API and your CDN.

The Key store is a module that manages how these keys are accessed by the server.

You can use 3 different key stores:

1. Local Key Store: Keys are stored in a directory on the server as *.pem files.
2. Environment Variables: Keys are stored as environment variables in base64 format.
3. AWS Secrets Manager: Keys are stored in AWS Secrets Manager and securely accessed by the server.

note

The environment variables required for key store configuration are listed below. You can set them in a .env file in the root of the project or keep them in a safe place to prepare for deployment.

Keys

The following keys are used by the server:

1. Expo signing key pairs: Used to sign and verify the updates returned by the server to expo-updates. The key pair consists of a public and private key and are required by the server.
2. Cloudfront private key: Used to sign the Cloudfront URLs for the assets. This key is optional and only required if you are using Cloudfront as your CDN.

Expo signing certificate

To generate expo signing key pairs :

1. On your terminal, go to the root directory of your expo project.
2. Run the following command:

cd ./my-expo-project

npx eoas generate-certs

Three files will be generated in the certs directory:

1. private-key.pem: The private key used to sign the updates.

2. public-key.pem: The public key used to verify the updates. Those two keys are used by the server to sign and verify the updates.

3. certificate.pem: Used by your expo client to verify the updates. It should be committed to your expo project.

Cloudfront private key

note

This key is only required if you are using Cloudfront as your CDN.

Please refer to this section on how to generate a Cloudfront private key.

Key Store Configuration

Local Key Store

warning

This key store is not recommended for production use. It is intended for development and testing purposes only.

To use local key store you will need to set the following environment variables:

.env

KEYS_STORAGE_TYPE=local
PUBLIC_LOCAL_EXPO_KEY_PATH=/path/to/public-key.pem
PRIVATE_LOCAL_EXPO_KEY_PATH=/path/to/private-key.pem
PRIVATE_LOCAL_CLOUDFRONT_KEY_PATH=/path/to/cloudfront-private-key.pem

Environment Variables

You will have to encode the keys in base64 format and set the following environment variables:

Encode keys

echo -n "your-private-key" | base64

Then set the following environment variables:

.env

KEYS_STORAGE_TYPE=environment
PUBLIC_EXPO_KEY_B64=base64-encoded-public-key
PRIVATE_EXPO_KEY_B64=base64-encoded-private-key
PRIVATE_CLOUDFRONT_KEY_B64=base64-encoded-cloudfront-private-key

AWS Secrets Manager

note

If you are not familiar with AWS Secrets Manager, you can refer to the official documentation.

1. Create a secret for each keys in AWS Secrets Manager.
2. Set the following environment variables:

.env

KEYS_STORAGE_TYPE=aws-secrets-manager
AWS_KEYS_PRIVATE_EXPO_KEY_SECRET_ID=The secret name of the expo private key
AWS_KEYS_PUBLIC_EXPO_KEY_SECRET_ID=The secret name of the expo public key
AWSSM_CLOUDFRONT_PRIVATE_KEY_SECRET_ID=The secret name of the cloudfront private key
AWS_REGION=your-region

If your are not using AWS IAM roles, you also need to set the following environment variables:

.env

AWS_ACCESS_KEY_ID=your-access-key-id
AWS_SECRET_ACCESS_KEY=your-secret-access-key

info

The server use the same AWS credentials for S3 Storage and AWS Secrets Manager. Please ensure to setup the correct ACLs and permissions for the keys.