30 points by veverkap 11 hours ago | 9 comments
  • sudahtigabulan 2 hours ago
    > They sit on disk as plaintext, readable by any process running as your user

    The proposed solution:

    > Instead of loading secrets from a file, you use a wrapper script that fetches secrets from a secure store and injects them as environment variables into your process

    Now they sit "on disk" as plaintext, in /proc/self/environ, still readable by any process running as your user.

  • theozero 7 hours ago
    You will probably really like https://varlock.dev

    It’s a whole toolkit for this, with built-in validation, type safety, and extra protection for sensitive secrets.

  • prognostikos 5 hours ago
    It may be marked as Beta, but I've been using https://developer.1password.com/docs/environments/ since October-ish with no issues.
    • hollow-moe 4 hours ago
      I'm pretty sure this uses a FIFO under the hood; that's a smart idea!
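Added example (not from any commenter in this thread) that ties together sudahtigabulan's point about /proc/self/environ and hollow-moe's FIFO remark: it starts a child process with a secret injected as an environment variable and reads it straight back out of /proc/<pid>/environ, as any process running as the same user could; then it delivers the same secret over a pipe instead and shows the environment stays clean. Linux only. The child program, the `API_TOKEN` variable name and the sample secret are all constructed for this demo.

```python
"""Added example: environment-injected secrets are readable from
/proc/<pid>/environ by any same-uid process; pipe/FIFO delivery is not.
Linux-only. The variable name and secret value are constructed."""
import os
import subprocess
import sys
from typing import Optional

SECRET = "constructed-demo-secret-12345"  # constructed sample value

# Child program used for both runs: for the "pipe" mode it reads the
# secret from stdin (a named FIFO behaves the same way once opened),
# then idles so the parent can inspect /proc/<pid>/environ.
CHILD = (
    "import sys, time\n"
    "if sys.argv[1] == 'pipe':\n"
    "    secret = sys.stdin.readline().rstrip('\\n')\n"
    "time.sleep(30)\n"
)


def read_environ(pid: int) -> list:
    """Return the NUL-separated entries of /proc/<pid>/environ as strings."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        raw = f.read()
    return [e.decode(errors="replace") for e in raw.split(b"\0") if e]


def secret_visible_via_env() -> bool:
    """Inject the secret as an environment variable (the wrapper-script
    approach) and check whether it shows up in the child's environ file."""
    env = {**os.environ, "API_TOKEN": SECRET}
    proc = subprocess.Popen([sys.executable, "-c", CHILD, "env"], env=env)
    try:
        # Popen returns only after the child has exec'd, so environ is set.
        return any(e == f"API_TOKEN={SECRET}" for e in read_environ(proc.pid))
    finally:
        proc.kill()
        proc.wait()


def secret_visible_via_pipe() -> bool:
    """Hand the secret over stdin instead; nothing lands in the environment."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD, "pipe"],
                            stdin=subprocess.PIPE)
    try:
        proc.stdin.write((SECRET + "\n").encode())
        proc.stdin.flush()
        return any(SECRET in e for e in read_environ(proc.pid))
    finally:
        proc.kill()
        proc.wait()


def compare() -> Optional[dict]:
    """Run both deliveries; returns None when /proc is not available."""
    if not os.path.isdir("/proc/self"):
        return None
    return {"env": secret_visible_via_env(), "pipe": secret_visible_via_pipe()}


if __name__ == "__main__":
    print(compare())  # on Linux: {'env': True, 'pipe': False}
```

One caveat worth knowing when choosing the pipe route: per proc(5), /proc/<pid>/environ reflects the environment block set up at exec time, so a child that calls unsetenv() after reading its secret has not removed it from that file. Delivering the secret over a pipe or FIFO, as above, avoids it ever being there.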
  • mahaekoh 5 hours ago
    Mfw typing the command stores the password in plaintext in my shell history
    • embedding-shape 3 hours ago
      Prefixing your entire command with a space usually prevents it from being saved to the history file.

      Usually I do ^ while setting it as a variable, then I can still save the regular command to the history without the secret.

  • theden 8 hours ago
    So the solution is to use a proprietary password manager instead? No thanks
  • hebetude 7 hours ago
    People still code on their local boxes? op is not biometric-secured over an SSH tunnel.
    • hyperman1 2 hours ago
      2 hour train ride with flaky internet. Yes we do.
  • bibstha 5 hours ago
    Nice. One more benefit of this is when using LLM tools like Claude Code or Codex to do something and run tests on a worktree, this solution would work seamlessly.