I Built a Zero-Config Secret Manager in Rust Because .env Files Are Security Theater
Every time I onboard a new developer, the instructions include:
"Ask someone for the .env file. Don't commit it."
That's it. That's our secret management strategy. A file we pass around on Slack.
We've all been there. A .env ends up in a repo. Or in a Slack message. Or gets pasted into a Notion doc for "convenience." Then six months later you're rotating every credential you own because someone found it in a git log.
The problem isn't that developers are careless. The problem is that .env files are the path of least resistance — and they're fundamentally insecure by design.
The Real Problems with .env
Let me be specific about what's wrong:
1. They're plaintext. Your DATABASE_URL sits in a text file on your disk, next to your code. If your laptop is compromised, all your secrets are too.
2. They travel through insecure channels. How do new devs get them? Slack DMs. Email. Sometimes a Google Doc. These aren't encrypted at rest. They're indexed. They persist.
3. They're static. That STRIPE_SECRET_KEY in your .env from 2022? Still valid. Still sitting in your old laptop's backup. Static credentials that never expire are the gift that keeps on giving — to attackers.
4. Git is forever. Even with .gitignore, secrets end up in repos. Accidentally committed, then deleted — but git log remembers everything. GitHub has a secret scanning feature specifically because this happens constantly.
5. No audit trail. Who accessed PROD_DATABASE_URL last Tuesday at 3am? With .env files: no idea. Zero visibility.
What I Built Instead
I got frustrated enough that I spent a weekend building zenv — a zero-config secret injection runtime for developers.
The idea is simple: replace .env files with an encrypted vault that injects secrets at runtime.
```bash
# Before zenv
cp .env.example .env
# edit .env with secrets from Slack...
npm start

# After zenv
zenv init
zenv vault import .env   # one-time migration
zenv run -- npm start    # secrets injected at runtime
```
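As an added example (not zenv's own code), here is a std-only Rust sketch of the two steps above: parsing a .env file the way the one-time import must, and spawning the target command with the secrets placed only in the child's environment rather than written to disk. It leaves out the encrypted vault at rest, which needs a crypto crate; the sample .env contents are constructed.

```rust
use std::collections::BTreeMap;
use std::process::{Command, ExitStatus};

/// Parse .env contents into key/value pairs: skips comments and blank lines,
/// accepts an optional `export ` prefix and single- or double-quoted values,
/// and rejects malformed lines instead of silently dropping them.
pub fn parse_dotenv(src: &str) -> Result<BTreeMap<String, String>, String> {
    let mut vars = BTreeMap::new();
    for (n, raw) in src.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let line = line.strip_prefix("export ").unwrap_or(line);
        let (key, value) = line
            .split_once('=')
            .ok_or_else(|| format!("line {}: expected KEY=VALUE", n + 1))?;
        let key = key.trim();
        if key.is_empty() || !key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
            return Err(format!("line {}: invalid key {:?}", n + 1, key));
        }
        let value = value.trim();
        let value = match value.chars().next() {
            // Quoted value: keep it verbatim, minus the quotes.
            Some(q @ ('"' | '\'')) if value.len() >= 2 && value.ends_with(q) => {
                &value[1..value.len() - 1]
            }
            // Unquoted value: strip a trailing " # comment".
            _ => value.split(" #").next().unwrap_or(value).trim(),
        };
        vars.insert(key.to_string(), value.to_string());
    }
    Ok(vars)
}

/// Run `argv` with the secrets injected into the child's environment only.
/// Nothing touches disk and the parent's own environment is left unchanged,
/// which is the property `zenv run -- npm start` relies on.
pub fn run_with_secrets(argv: &[&str], secrets: &BTreeMap<String, String>) -> std::io::Result<ExitStatus> {
    let (prog, args) = argv.split_first().expect("command required");
    Command::new(prog).args(args).envs(secrets).status()
}

fn main() {
    // Constructed sample vault contents; not real credentials.
    let sample = "# db\nexport DATABASE_URL=\"postgres://app:s3cr3t@db/app\"\nAPI_KEY=abc123 # rotate me\n";
    let secrets = parse_dotenv(sample).expect("valid .env");
    let status = run_with_secrets(&["sh", "-c", "test -n \"$DATABASE_URL\""], &secrets).expect("spawn");
    println!("child exited with {status}");
}
```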