FRESH

Hacker News

Stop Putting Secrets in .env Files

32 points by veverkap

by theozero

0 subcomment

You will probably really like https://varlock.dev
It’s a whole toolkit for this - with built in validation, type safety, and extra protection for sensitive secrets.

by sudahtigabulan

1 subcomments

> They sit on disk as plaintext, readable by any process running as your user
The proposed solution:
> Instead of loading secrets from a file, you use a wrapper script that fetches secrets from a secure store and injects them as environment variables into your process
Now they sit "on disk" as plaintext, in /proc/self/environ, still readable by any process running as your user.

by prognostikos

2 subcomments

It may be marked as Beta, but I've been using https://developer.1password.com/docs/environments/ since October-ish with no issues.

0 subcomment

by mahaekoh

1 subcomments

by theden

1 subcomments

by hebetude

1 subcomments

People still code on their local boxes? op is not biometric secured over an ssh tunnel

by zaik

0 subcomment

Another solution integrated with most Linux systems: https://systemd.io/CREDENTIALS/

by bibstha

0 subcomment

Nice. One more benefit of this is when using LLM tools like Claude Code or Codex to do something and run tests on a worktree, this solution would work seamlessly.