2/28/2026 at 4:41:45 AM
You will probably really like https://varlock.dev
It’s a whole toolkit for this - with built-in validation, type safety, and extra protection for sensitive secrets.
by theozero
2/28/2026 at 12:53:43 AM
by veverkap
2/28/2026 at 10:01:46 AM
> They sit on disk as plaintext, readable by any process running as your user
The proposed solution:
> Instead of loading secrets from a file, you use a wrapper script that fetches secrets from a secure store and injects them as environment variables into your process
Now they sit "on disk" as plaintext, in /proc/self/environ, still readable by any process running as your user.
by sudahtigabulan
2/28/2026 at 1:08:04 PM
Exactly.
That’s why I prefer programs that read all configuration from a file: this file can be dumped with fresh secret values, read by the program and deleted right away once consumed.
Environment variables tend to be messy IMO
by jiehong
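A check for the two points made in the replies above, as an added example that is not from any commenter: it starts a child process once with the secret injected as an environment variable and once with a read-then-delete file, and reports whether the secret can be read back from `/proc/<pid>/environ`. It is Linux-only; `SECRET`, `API_TOKEN`, `READY`, `CHILD` and `check` are constructed names and values.

```shell
#!/bin/sh
# Added example (Linux only, needs /proc). All names and values are constructed.
SECRET='constructed-demo-secret-4f1c'

# Child: take the secret from $API_TOKEN, or from the file named in $1 and
# delete that file once read; signal readiness; then stay alive for inspection.
# exec keeps a single PID to inspect and clean up.
CHILD='
if [ -n "$1" ]; then token=$(cat "$1"); rm -f "$1"; else token=$API_TOKEN; fi
: > "$READY"
exec sleep 30'

# check env|file: start the child in that mode and print "exposed" if the
# secret can be read back from /proc/<pid>/environ, else "not-exposed".
check() {
    dir=$(mktemp -d) || return 2
    READY="$dir/ready"; export READY
    if [ "$1" = env ]; then
        API_TOKEN="$SECRET" sh -c "$CHILD" child "" >/dev/null 2>&1 &
    else
        ( umask 077; printf '%s' "$SECRET" > "$dir/secret" )
        sh -c "$CHILD" child "$dir/secret" >/dev/null 2>&1 &
    fi
    pid=$!
    tries=0
    while [ ! -e "$READY" ] && [ "$tries" -lt 50 ]; do
        sleep 0.1; tries=$((tries + 1))
    done
    sleep 0.2   # let the child finish its exec before reading /proc
    # Compare inside the shell so the secret never appears in a grep argv.
    env_dump=$(tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null)
    case $env_dump in
        *"$SECRET"*) result=exposed ;;
        *)           result=not-exposed ;;
    esac
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    rm -rf "$dir"
    printf '%s\n' "$result"
}

printf 'env var injection: %s\n' "$(check env)"
printf 'read-then-delete file: %s\n' "$(check file)"
```

The file variant only stays out of the environment block because the child keeps the value in an unexported variable; exporting it would carry it into every process the child later starts.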
2/28/2026 at 7:09:07 AM
It may be marked as Beta, but I've been using https://developer.1password.com/docs/environments/ since October-ish with no issues.
by prognostikos
2/28/2026 at 8:24:05 AM
I'm pretty sure this uses FIFO under the hood, that's a smart idea!
by hollow-moe
2/28/2026 at 11:36:23 PM
Thanks for mentioning this, a coworker also pointed me to that feature after reading my post. I've since updated the top of the post with two things that stood out to me in the feedback here and on lobste.rs
by jonmagic
2/28/2026 at 6:33:06 AM
Mfw typing the command stores the password in plaintext in my shell history
by mahaekoh
2/28/2026 at 8:43:18 AM
Prefix your entire command with a space, usually prevents saving it to the history file.
Usually I do ^ while setting it as a variable, then I can still save the regular command to the history without the secret.
by embedding-shape
2/28/2026 at 4:19:19 AM
So the solution is to use a proprietary password manager instead? No thanks
by theden
2/28/2026 at 4:23:39 AM
This is a MUCH better solution https://wiki.archlinux.org/title/Systemd-creds
by ray_v
2/28/2026 at 4:54:49 AM
People still code on their local boxes? op is not biometric secured over an ssh tunnel
by hebetude
2/28/2026 at 9:41:08 AM
2 hour train ride with flaky internet. Yes we do.
by hyperman1
2/28/2026 at 12:53:22 PM
Another solution integrated with most Linux systems: https://systemd.io/CREDENTIALS/
by zaik
2/28/2026 at 7:16:32 AM
Nice. One more benefit of this is when using LLM tools like Claude Code or Codex to do something and run tests on a worktree, this solution would work seamlessly.
by bibstha