The latest articles on DEV Community by Muhammad Ahmad (@ahmadraza100). https://dev.to/ahmadraza100 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1150506%2Fbb00ec23-30e1-4d79-97ab-4d20f4922645.jpeg https://dev.to/ahmadraza100 en Muhammad Ahmad Sat, 30 May 2026 03:22:32 +0000 https://dev.to/ahmadraza100/every-tutorial-tells-you-to-add-env-to-gitignore-thats-not-enough-heres-what-i-built-43c8 https://dev.to/ahmadraza100/every-tutorial-tells-you-to-add-env-to-gitignore-thats-not-enough-heres-what-i-built-43c8 <p>Here's something nobody talks about.</p> <p><code>.gitignore</code> doesn't encrypt your secrets. It just hides them from git.</p> <p>They're still sitting on your laptop as plaintext. Every tool you install can read them. Every script that runs can read them. One accidental commit and your database password is public on GitHub forever.</p> <p>So I built <strong>dotlock</strong> — an encrypted <code>.env</code> vault with a terminal UI, written in Go.</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jbkasvnk3lcxymmuizt.png" alt=" " width="800" height="610"> </h2> <h2> Before and after </h2> <p><strong>Before dotlock</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DATABASE_URL</span><span class="o">=</span>postgres://localhost/myapp <span class="c"># plaintext, readable by anything</span> <span class="nv">STRIPE_KEY</span><span class="o">=</span>sk_live_abc123 <span class="c"># one grep away from anyone</span> </code></pre> </div> <p><strong>After dotlock</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .dotlock file on disk — looks like this:</span> <span class="o">[</span>encrypted binary — unreadable without your private key] </code></pre> </div> <h2> How it works under 10 seconds </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>my-project dotlock <span class="nb">set </span>DATABASE_URL <span class="c"># prompts for value, input is masked</span> dotloc <span class="c"># opens the terminal UI</span> </code></pre> </div> <p>Secrets are encrypted with <a href="https://age-encryption.org" rel="noopener noreferrer">age</a> — X25519 key agreement and ChaCha20-Poly1305 authenticated encryption. The same primitives serious security engineers use. No master password. No cloud. No telemetry. 100% offline.</p> <h2> What it looks like </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jbkasvnk3lcxymmuizt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jbkasvnk3lcxymmuizt.png" alt=" " width="800" height="610"></a><br> Two panels — profiles on the left, secrets on the right. Values are masked by default. Press <code>v</code> to reveal for 30 seconds, then it hides itself automatically.</p> <p>Switch between <code>dev</code>, <code>staging</code>, and <code>prod</code> profiles. Run a diff before deploying to catch missing variables before they break your app.</p> <h2> The interesting technical bit </h2> <p>The hardest part wasn't the encryption — <a href="https://age-encryption.org" rel="noopener noreferrer">filippo.io/age</a> makes that straightforward.</p> <p>It was the TUI.</p> <p><a href="https://github.com/charmbracelet/bubbletea" rel="noopener noreferrer">BubbleTea</a> uses the Elm architecture — Model, Update, View. Everything is a message. A keypress is a message. A timer firing is a message. Your <code>Update</code> function receives messages and returns a new model.</p> <p>The 30-second auto-hide on secret reveal works like this — no <code>time.Sleep</code>, no goroutines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">secretReveal</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">key</span> <span class="kt">string</span> <span class="n">value</span> <span class="p">[]</span><span class="kt">byte</span> <span class="n">expire</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="c">// Now() + 30 seconds</span> <span class="p">}</span> </code></pre> </div> <p>On every render, check if <code>time.Now()</code> is past the expiry. If it is, zero the bytes and clear the display. Simple once you understand the model but it took me longer than I expected to get right.</p> <h2> Install it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>github.com/ahmadraza100/dotlock@latest <span class="nb">cd </span>your-project dotlock init dotlock ui </code></pre> </div> <p>Or download a binary from the <a href="https://github.com/ahmadraza100/dotlock/releases/latest" rel="noopener noreferrer">releases page</a> — Mac, Linux, and Windows all supported.</p> <p>Full source, architecture docs, and security model on GitHub:</p> <p>👉 <strong><a href="https://github.com/ahmadraza100/dotlock" rel="noopener noreferrer">github.com/ahmadraza100/dotlock</a></strong></p> <p>What do you currently use for managing local secrets? Curious what others are doing — drop it in the comments.</p> go security opensource devtools