profile

ESPRESSO FRIDAYS

This Changes Everything About .env Files

Published about 1 year ago • 2 min read

Thank you to our sponsors who keep this newsletter free to the reader:

Aikido is your no-nonsense DevSecOps platform. One central system that shows you what matters and how to fix it, from code to cloud. So you can get back to building. Try Aikido today!

We’ve all been there – that heart-stopping moment when you realize you’ve accidentally exposed sensitive information.

Today, I’m sharing a personal story and introducing a tool that could save you from a similar nightmare.

The Nightmare Scenario

London, February 2019, I was about to release an infrastructure project I’ve been working on for two weeks. I used the client’s AWS master key for testing. Yes, I know – I’m cringing too 😬. I pushed the container to a public repo for “easier access.” 🤡

Within seconds, an email arrived, cc’ing the entire company leadership about a critical security breach in production. Cold sweat. Near-firing experience. Lessons learned the hard way.

The Common Pitfall

Many developers, especially those working on side projects or open-source repos, face a common dilemma: How do you store secrets locally in a way that’s both secure and convenient? Is it enough to put them in clear text and add them to .gitignore or .dockerignore?

The answer is a resounding no. But the solution isn’t always clear.

Enter: dotenvx

Here’s where dotenvx comes in – a tool that could have saved me a world of pain. dotenvx is a “better .env” with three key features:

  1. It runs everywhere
  2. It encrypts your data
  3. It supports multiple environments

Getting Started with dotenvx

Installation is simple: `curl -sfS https://dotenvx.sh | sh # or brew install dotenvx` (I used Nix)

Key Features:

  1. Automatic Encryption: Use dotenvx encrypt to secure your .env file.
  2. Public/Private Key System: Share the public key safely, keep the private key secret.
  3. Language Agnostic: Works with any programming language or deployment method.
  4. Direct Process Injection: Exposes variables directly to the application process.

Enhancing Security

While dotenvx is a great start, it’s not a silver bullet. I recommend coupling it with security scanning tools like Snyk. These tools can help identify exposed secrets and other vulnerabilities in your project.

Multi-Environment Support

dotenvx supports multiple environments (staging, production, etc.) through separate .env files. You can use the -f flag to specify which file to use.

Docker Integration

When using dotenvx with Docker, remember to:

  1. Ignore the keys file in .dockerignore
  2. Install dotenvx in your Dockerfile
  3. Wrap your application execution with dotenvx: dotenvx run --

The Balanced Approach

While .env files remain controversial in professional settings, tools like dotenvx offer a middle ground between security and practicality for side projects and open-source work. Remember, no solution is perfect. Always stay vigilant and use supporting systems to minimize risks.

As always, feel free to reply directly with thoughts and comments.
Have a great weekend!

ESPRESSO FRIDAYS

Every once in a while I send hand picked things I've learned. Kind of like your filter to the tech internet. No spam, I promise!

Read more from ESPRESSO FRIDAYS

You’ve been parsing JSON wrong your whole life This issue is brought to you by: Secure Your AI Future at DevSecCon 2025 Software development is undergoing a seismic shift as AI transforms how we build, deploy, and secure applications. Register for the 1st-ever Global Community Summit on AI Security, covering critical strategies to empower AI innovation without compromising security. Register for DevSecCon 2025 (It’s Free!) Ever opened a massive “.log” file and realized it’s just one long,...

6 days ago • 4 min read

Wait… cURL can do WHAT?! Brought to you in collaboration with 1Password and Browserbase: 🔐 Your AI Agents Can Finally Log In! 1Password and Browserbase just partnered to solve AI’s biggest security nightmare: authentication without exposing credentials. Introducing 1Password’s Secure Agentic Autofill, allowing you to connect your 1Password Enterprise Password Manager to your browser automation agent powered by Browserbase. Build AI agents that can actually work without compromising security....

8 days ago • 4 min read

Postgres is not a database. For years, we’ve been taught to see Postgres as the reliable, open source workhorse for storing our data. Everyone called it "The Toyota of databases", you know... it just works. But to leave it at that is to miss the whole story.Postgres isn’t just a place to put your data, it’s a powerful development platform that can become the core of your entire backend, an operating system (yea, bold) for your application’s stack. Diving deep into its capabilities I learned...

27 days ago • 3 min read