This Changes Everything About .env Files


Thank you to our sponsors who keep this newsletter free to the reader:

Aikido is your no-nonsense DevSecOps platform. One central system that shows you what matters and how to fix it, from code to cloud. So you can get back to building. Try Aikido today!

We’ve all been there – that heart-stopping moment when you realize you’ve accidentally exposed sensitive information.

Today, I’m sharing a personal story and introducing a tool that could save you from a similar nightmare.

The Nightmare Scenario

London, February 2019: I was about to release an infrastructure project I’d been working on for two weeks. I used the client’s AWS master key for testing. Yes, I know – I’m cringing too 😬. I pushed the container to a public repo for “easier access.” 🤡

Within seconds, an email arrived, cc’ing the entire company leadership about a critical security breach in production. Cold sweat. Near-firing experience. Lessons learned the hard way.

The Common Pitfall

Many developers, especially those working on side projects or open-source repos, face a common dilemma: How do you store secrets locally in a way that’s both secure and convenient? Is it enough to put them in clear text and add them to .gitignore or .dockerignore?

The answer is a resounding no. But the solution isn’t always clear.

Enter: dotenvx

Here’s where dotenvx comes in – a tool that could have saved me a world of pain. dotenvx is a “better .env” with three key features:

  1. It runs everywhere
  2. It encrypts your data
  3. It supports multiple environments

Getting Started with dotenvx

Installation is simple: `curl -sfS https://dotenvx.sh | sh` or `brew install dotenvx` (I used Nix).

Key Features:

  1. Automatic Encryption: Run `dotenvx encrypt` to encrypt the values in your .env file.
  2. Public/Private Key System: The public key can be shared safely; the private key, stored in the separate keys file, must stay secret.
  3. Language Agnostic: Works with any programming language or deployment method.
  4. Direct Process Injection: Injects the decrypted variables directly into the application’s process environment.

Enhancing Security

While dotenvx is a great start, it’s not a silver bullet. I recommend coupling it with security scanning tools like Snyk. These tools can help identify exposed secrets and other vulnerabilities in your project.

Multi-Environment Support

dotenvx supports multiple environments (staging, production, etc.) through separate .env files. You can use the `-f` flag to specify which file to use (e.g. `-f .env.production`).

Docker Integration

When using dotenvx with Docker, remember to:

  1. Ignore the keys file in `.dockerignore`
  2. Install dotenvx in your Dockerfile
  3. Wrap your application execution with dotenvx: `dotenvx run -- <my-app>`
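As an added example (not code from this newsletter or from the dotenvx project), here is a preflight script you can run before a `git push` or `docker build` to catch the two mistakes this issue is about: a value that was never encrypted, and a keys file that is not excluded from the build context or the repo. It assumes dotenvx’s on-disk layout (a plaintext `DOTENV_PUBLIC_KEY` line in the `.env`, every other value stored as `encrypted:…`, the private key only in `.env.keys`) and uses constructed sample files.

```sh
# Added example (not from the newsletter or the dotenvx project). Assumes the
# dotenvx on-disk layout: the encrypted .env carries a plaintext DOTENV_PUBLIC_KEY
# line, every other value is stored as "encrypted:<base64>", and the private key
# lives only in .env.keys, which must never reach git or the Docker build context.
set -u

# Print, one per line, keys in a dotenvx .env file whose values are still plaintext.
# DOTENV_PUBLIC_KEY (and per-environment variants) are plaintext by design.
unencrypted_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    index($0, "=") == 0  { next }                 # not a KEY=VALUE line
    {
      key = substr($0, 1, index($0, "=") - 1)
      sub(/^[[:space:]]*export[[:space:]]+/, "", key); gsub(/[[:space:]]/, "", key)
      val = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", val)  # strip quotes and padding
      if (key ~ /^DOTENV_PUBLIC_KEY(_|$)/) next
      if (val !~ /^encrypted:/) print key
    }' "$1"
}

# Succeed only if the ignore file ($1) has a rule for .env.keys (".env.keys" or "**/.env.keys").
ignores_keys_file() {
  [ -f "$1" ] && grep -qxE '(\*\*/)?\.env\.keys' "$1"
}

# Gate a commit, push or docker build on both checks; each failure goes to stderr.
preflight() {
  dir=$1 rc=0
  leaked=$(unencrypted_keys "$dir/.env")
  [ -z "$leaked" ] || { echo "plaintext values in .env: $(echo "$leaked" | tr '\n' ' ')" >&2; rc=1; }
  for f in .gitignore .dockerignore; do
    ignores_keys_file "$dir/$f" || { echo "$f does not ignore .env.keys" >&2; rc=1; }
  done
  return "$rc"
}

# Constructed sample project (fake keys): one value was never encrypted and
# .gitignore lacks the rule, so preflight is expected to report both and fail.
workdir=$(mktemp -d)
cat > "$workdir/.env" <<'EOF'
#/ public-key encryption for .env files (constructed sample)
DOTENV_PUBLIC_KEY="03constructedpublickey"
DATABASE_URL="encrypted:BDqConstructedCiphertext=="
API_TOKEN=hunter2
EOF
printf '.env.keys\nnode_modules\n' > "$workdir/.dockerignore"
: > "$workdir/.gitignore"
preflight "$workdir" && echo "preflight: ok" || echo "preflight: blocked"
```

Point `preflight` at your real project directory (or wire it into a pre-commit hook) and it exits non-zero whenever a plaintext value or a missing `.env.keys` ignore rule would otherwise ship.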

The Balanced Approach

While .env files remain controversial in professional settings, tools like dotenvx offer a middle ground between security and practicality for side projects and open-source work. Remember, no solution is perfect. Always stay vigilant and use supporting systems to minimize risks.

As always, feel free to reply directly with thoughts and comments.
Have a great weekend!
