Stop Putting Secrets in .env Files
6 hours ago
- #devops
- #best-practices
- #security
- The article discusses the risks of storing credentials in plaintext .env files.
- The proposed solution is to manage secrets in a secure store such as 1Password or the macOS Keychain instead.
- The pattern involves fetching secrets at runtime and injecting them as environment variables, avoiding plaintext storage on disk.
- 1Password CLI allows using secret references in a file that can be safely committed to version control.
- macOS Keychain can also be used as a built-in secrets manager with a bit more manual setup.
- Benefits include a single source of truth for credentials, simpler onboarding, and better auditing.
- The approach is language and framework agnostic, working with any tool that reads environment variables.
- A demo repository is provided to try both 1Password and Keychain implementations.
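A minimal implementation of the runtime-resolution pattern summarised above, as an added example (not code from the article or its demo repository): a committed template holds only `op://vault/item/field` references, which are resolved at start-up and handed to the child process as environment variables. The `op read` and `security find-generic-password` commands are the real CLIs; the template contents and the in-memory resolver used for testing are constructed.

```python
"""Resolve a committed secret-reference template into environment variables at runtime."""
import os
import re
import subprocess
from typing import Callable, Dict, List

# Constructed template that is safe to commit: it contains references, not plaintext secrets.
ENV_TEMPLATE = """\
# database
DB_HOST=localhost
DB_PASSWORD=op://Dev/postgres/password
API_TOKEN=op://Dev/stripe/token
"""

# 1Password secret reference: op://<vault>/<item>/<field>
REF_PATTERN = re.compile(r"^op://[^/]+/[^/]+/.+$")


def op_resolver(ref: str) -> str:
    """Fetch a value from the 1Password CLI (requires a signed-in `op` session)."""
    out = subprocess.run(["op", "read", ref], check=True, capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def keychain_resolver(service: str) -> str:
    """Fetch a generic password from the macOS Keychain by service name."""
    out = subprocess.run(["security", "find-generic-password", "-s", service, "-w"],
                         check=True, capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def parse_template(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, skipping blank lines and comments."""
    pairs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {line!r}")
        pairs[key.strip()] = value.strip()
    return pairs


def resolve_env(template: str, resolver: Callable[[str], str]) -> Dict[str, str]:
    """Replace each secret reference with its fetched value; plain literals pass through."""
    return {k: (resolver(v) if REF_PATTERN.match(v) else v)
            for k, v in parse_template(template).items()}


def run_with_secrets(template: str, resolver: Callable[[str], str], argv: List[str]) -> int:
    """Inject resolved secrets into the child's environment only; nothing is written to disk."""
    child_env = {**os.environ, **resolve_env(template, resolver)}
    return subprocess.run(argv, env=child_env, check=True).returncode
```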