The latest articles on DEV Community by Victor (@victor_sunday_1de46f21e18). https://dev.to/victor_sunday_1de46f21e18 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3732770%2Fead67bc4-a9bf-4076-b344-b1c13bf48350.png https://dev.to/victor_sunday_1de46f21e18 en Victor Sun, 22 Mar 2026 23:56:55 +0000 https://dev.to/victor_sunday_1de46f21e18/stop-using-env-files-on-servers-do-this-instead-2adm https://dev.to/victor_sunday_1de46f21e18/stop-using-env-files-on-servers-do-this-instead-2adm <p>If you're deploying apps on a VPS, chances are you're still using <code>.env</code> files.</p> <p>I was, too.</p> <p>Until I realized how messy (and risky) it actually is:</p> <ul> <li>copying <code>.env</code> files between machines</li> <li>leaving secrets sitting in plaintext on servers</li> <li>forgetting to delete old files</li> <li>no real access control per machine</li> </ul> <p>It works… until it doesn’t.</p> <p>So I built a different approach.</p> <h2> 🚀 The idea </h2> <p>Instead of storing secrets on your server:</p> <p>👉 <strong>don’t store them at all</strong></p> <ul> <li>encrypt secrets locally</li> <li>store only ciphertext</li> <li>inject them into your app at runtime</li> </ul> <p>No <code>.env</code> files. No plaintext on disk.</p> <h2> ⚡ Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vaultsync secrets push <span class="nt">--file</span> .env vaultsync run <span class="nt">--</span> node app.js </code></pre> </div> <p>That’s it.</p> <p>Your app still gets environment variables —<br> but they’re never written to disk on the server.</p> <h2> 🧠 How it works (simplified) </h2> <ul> <li> <code>.env</code> is encrypted locally using AES</li> <li>the server stores only ciphertext</li> <li>each machine has its own RSA keypair</li> <li>secrets are decrypted <strong>only in memory at runtime</strong> </li> </ul> <p>After your app exits, secrets are wiped.</p> <h2> 🔐 Why this is better than <code>.env</code> </h2> <h3> <code>.env</code> files: </h3> <ul> <li>stored in plaintext</li> <li>copied across servers</li> <li>hard to rotate</li> <li>easy to leak</li> </ul> <h3> This approach: </h3> <ul> <li>no plaintext on servers</li> <li>per-machine access control</li> <li>secrets only exist in memory</li> <li>easier to revoke access</li> </ul> <h2> 🆚 What about Vault, Doppler, etc? </h2> <p>There are great tools out there:</p> <ul> <li>HashiCorp Vault → powerful but complex</li> <li>Doppler / Infisical → nice UX but SaaS-based</li> </ul> <p>I wanted something:</p> <ul> <li>simple</li> <li>self-hostable</li> <li>designed for VPS / bare metal</li> </ul> <h2> 🛠️ What I built </h2> <p>I ended up building a CLI called <strong>VaultSync</strong>.</p> <p>It lets you:</p> <ul> <li>push encrypted secrets</li> <li>register machines</li> <li>grant access per machine</li> <li>run apps with secrets injected at runtime</li> </ul> <h2> 🖥️ Real-world use case </h2> <p>Let’s say you’re deploying a Node.js API on a VPS.</p> <p>Instead of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp .env server:/app </code></pre> </div> <p>You do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vaultsync secrets push <span class="nt">--file</span> .env vaultsync run <span class="nt">--</span> node dist/index.js </code></pre> </div> <p>No <code>.env</code> file ever touches the server.</p> <h2> 🤔 When should you use this? </h2> <p>This is useful if you:</p> <ul> <li>deploy apps to VPS or bare metal</li> <li>don’t want secrets sitting on disk</li> <li>want per-machine access control</li> <li>don’t need a full-blown Vault setup</li> </ul> <h2> 📦 Try it </h2> <p>If this sounds useful, you can check it out here:</p> <p>👉 <a href="https://github.com/KingVics/vaultsync-cli" rel="noopener noreferrer">https://github.com/KingVics/vaultsync-cli</a></p> <p>Would love feedback — especially from people managing secrets in production.</p> <h2> 💬 Curious how others are handling this </h2> <p>Are you:</p> <ul> <li>still using <code>.env</code> files?</li> <li>using Vault / Doppler?</li> <li>rolling your own solution?</li> </ul> <p>I’m curious what’s working (or not working) for you.</p> devops node security cli