DEV Community

Victor Sunday

Stop Using .env Files on Servers (Do This Instead)

If you're deploying apps on a VPS, chances are you're still using .env files.

I was, too.

Until I realized how messy (and risky) it actually is:

  • copying .env files between machines
  • leaving secrets sitting in plaintext on servers
  • forgetting to delete old files
  • no real access control per machine

It works… until it doesn’t.

So I built a different approach.


🚀 The idea

Instead of storing secrets on your server:

👉 never store them in plaintext

  • encrypt secrets locally
  • copy only the ciphertext to the server
  • inject them into your app's environment at runtime

No .env files. No plaintext on disk.


⚡ Example

vaultsync secrets push --file .env
vaultsync run -- node app.js

That’s it.

Your app still gets environment variables —
but they’re never written to disk on the server.


🧠 How it works (simplified)

  • .env is encrypted locally using AES
  • the server stores only ciphertext
  • each machine has its own RSA keypair, and access is granted per machine
  • secrets are decrypted only in memory at runtime

After your app exits, secrets are wiped.

Two caveats worth knowing: the machine's private key has to live on that server, so this protects the ciphertext wherever it gets copied (backups, old deploy directories, disk images), not against someone who already has root on the running host; and while the app runs, its environment is readable by root and by the same user (on Linux via /proc/<pid>/environ) and is inherited by any child process it spawns.


🔐 Why this is better than .env

.env files:

  • stored in plaintext
  • copied across servers
  • hard to rotate
  • easy to leak

This approach:

  • no plaintext secrets on disk
  • per-machine access control
  • secrets exist only in process memory while the app runs
  • easier to revoke access (revoke the machine, then rotate the secrets it already had)

🆚 What about Vault, Doppler, etc?

There are great tools out there:

  • HashiCorp Vault → powerful but complex
  • Doppler → nice UX but SaaS-based
  • Infisical → nice UX; hosted by default, though it is open source and can be self-hosted

I wanted something:

  • simple
  • self-hostable
  • designed for VPS / bare metal

🛠️ What I built

I ended up building a CLI called VaultSync.

It lets you:

  • push encrypted secrets
  • register machines
  • grant access per machine
  • run apps with secrets injected at runtime

🖥️ Real-world use case

Let’s say you’re deploying a Node.js API on a VPS.

Instead of:

scp .env server:/app

You do:

vaultsync secrets push --file .env
vaultsync run -- node dist/index.js

No .env file ever touches the server.


🤔 When should you use this?

This is useful if you:

  • deploy apps to VPS or bare metal
  • don’t want secrets sitting on disk
  • want per-machine access control
  • don’t need a full-blown Vault setup

📦 Try it

If this sounds useful, you can check it out here:

👉 https://github.com/KingVics/vaultsync-cli

Would love feedback — especially from people managing secrets in production.


💬 Curious how others are handling this

Are you:

  • still using .env files?
  • using Vault / Doppler?
  • rolling your own solution?

I’m curious what’s working (or not working) for you.
