The latest articles on DEV Community by Selixe (@selixe). https://dev.to/selixe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3827801%2Fd79f14d9-a4b5-4a6e-b5a5-e49781bebfda.jpg https://dev.to/selixe en Selixe Mon, 16 Mar 2026 17:32:48 +0000 https://dev.to/selixe/why-your-env-files-are-a-security-risk-and-what-to-do-instead-4h9o https://dev.to/selixe/why-your-env-files-are-a-security-risk-and-what-to-do-instead-4h9o <h2> Why your .env files are a security risk (and what to do instead) </h2> <p>If you've been developing for more than a year, you've probably done at least one of these:</p> <ul> <li>Committed a <code>.env</code> file to git by accident</li> <li>Sent a teammate your database URL over Slack</li> <li>Had a <code>.env.production</code> file sitting on your laptop with live API keys</li> <li>Lost track of which machine has the "real" values</li> </ul> <p>None of these feel like a big deal in the moment. Until they are.</p> <h2> The actual problem with .env files </h2> <p>The <code>.env</code> file pattern works fine when you're the only developer and you never <br> make mistakes. In practice that means it works fine for about five minutes.</p> <p>The real problems start when:</p> <p><strong>You have a team.</strong> Now you need to share secrets somehow. Slack, email, Notion, <br> a shared password manager — all of these are worse than you think. Someone leaves <br> the company and you're not sure what they have. A Slack message with your Stripe <br> key is sitting in a searchable archive forever.</p> <p><strong>You have multiple environments.</strong> Now you have <code>.env.development</code>, <code>.env.staging</code>, <br> <code>.env.production</code>, and a 50% chance that at least one of them is out of date on <br> at least one machine.</p> <p><strong>You have multiple projects.</strong> Now you have a folder of .env files somewhere and <br> you're manually copying values between them and praying nothing drifts.</p> <p><strong>You work across machines.</strong> The values on your laptop and your desktop are <br> different and you don't remember which one is right.</p> <h2> The git problem </h2> <p>The most common disaster is the accidental commit. You add a new variable, forget <br> to check <code>.gitignore</code>, and push. Even if you catch it and remove it in the next <br> commit, the key is in your git history forever. Anyone who clones that repo has it.</p> <p>GitHub's secret scanning catches some of this, but only for known patterns like <br> AWS keys and Stripe keys. Your custom internal secrets are invisible to it.</p> <p>The standard advice is "just add .env to your .gitignore" but that's not enough. <br> You also need to make sure every developer on your team has done the same, on every <br> project, every time. One person forgets and you have a breach.</p> <h2> What actually fixes this </h2> <p>The right solution has a few properties:</p> <ul> <li>Secrets never live on disk in plaintext</li> <li>Secrets are centralized so there's one source of truth</li> <li>Access is controlled so people only see what they need</li> <li>Changes are audited so you know what changed and when</li> <li>It works with your existing workflow so people actually use it</li> </ul> <p>There are enterprise solutions for this — HashiCorp Vault, AWS Secrets Manager, <br> Doppler. They're good if you're running infrastructure at scale. They're overkill <br> if you're a small team trying to ship software without leaking your database <br> credentials.</p> <h2> What I built </h2> <p>I got frustrated with this problem enough that I built <br> <a href="https://envmaster.dev" rel="noopener noreferrer">EnvMaster</a> — a CLI tool that stores your variables <br> encrypted in the cloud and injects them directly into any process.</p> <p>The workflow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envmaster project my-api envmaster environment production envmaster run <span class="nt">--</span> node server.js </code></pre> </div> <p>That's it. No .env file on disk, no dotenv package in your project, no manual <br> exports. The right variables are injected into the process and exist only in <br> memory for the duration of the request.</p> <p>Everything is encrypted at rest with AES-256-GCM before it hits the database. <br> Keys are stored separately from the data. Your plaintext values never persist <br> to disk on our end.</p> <p>For teams it supports per-project roles so frontend developers never accidentally <br> see backend secrets, and a full audit log so when something breaks in production <br> you know instantly whether a variable change was the cause.</p> <p>There's a free tier and a Pro trial on every new account. No credit card required <br> to start.</p> <h2> The bottom line </h2> <p>.env files are a fine pattern for a solo developer on a single project. The moment <br> you add a second person, a second environment, or a second machine, the cracks <br> start showing.</p> <p>The fix isn't complicated — centralize your secrets, encrypt them, control who can <br> see them, and inject them at runtime. Whether you use EnvMaster or something else, <br> the .env file era is worth leaving behind.</p> <p><em>Built EnvMaster to solve this exact problem. Would love feedback from anyone <br> who's dealt with the same mess.</em></p> devops git security webdev