Secrets in Environment Variables

The cluster debates best practices for managing application secrets like API keys and passwords, focusing on the security risks and alternatives to using environment variables and .env files, such as dedicated secret managers like Vault or EnvKey.

➡️ Stable 0.6x Security

2,017

Comments

Years Active

Top Authors

#8939

Topic ID

Activity Over Time

2009

2010

2011

2012

2013

108

2014

2015

102

2016

2017

2018

2019

2020

192

2021

173

2022

210

2023

238

2024

278

2025

236

2026

Top Contributors

danenania (39) theozero (21) tracker1 (10) vmatsiiako (8) stackskipton (8)

Keywords

e.g PHP AWS passwordstore.org CEO heroku.com ENVKEY YC W19 index.js secrets env environment variables variables environment config secret file credentials vault

Sample Comments

lexokoh • Mar 13, 2025 • View on HN

I think using a secret manager like https://onboardbase.com solves this easily. .envs are never in the codebase.

throw1234651234 • Oct 12, 2023 • View on HN

The whole .env file holding all your configs thing is a disaster. People forget to update the template, it has to be passed around, etc.Configure your secrets in Azure Key Vault (AWS Secrets Manager, GCP-something-I-forget) or whatever the non-cloud Vault software is called.Devs only set client_id, client_secret, and env defaulted to dev. On startup, the app fetches configs for the secret store. The needed secrets are in source control. If the needed secret is missing from the secret store

12_throw_away • Mar 20, 2025 • View on HN

And the environment! (Also, don't put secrets in environment vars)

w0m • Jul 10, 2025 • View on HN

I assume environment variables became popular as it's an 'easy' way to inject secrets without hardcoding them in a config file.

daralthus • Jun 25, 2024 • View on HN

Can you do safer? Yes, yes you can with a secrets management service (e.g.: Hasicorp Vault). Is that way more complicated to setup in all envs? Oh yes, yes it is.

bbkane • Oct 13, 2025 • View on HN

Any good cross-platform and easy ways to share secrets without using environment variables?

josephcsible • Jan 20, 2022 • View on HN

There's nothing wrong with passing secrets in environment variables. They're not supposed to be publicly readable, and if they are, then you should fix that. Any alternative could also end up being accidentally publicly readable due to a mistake.

vmatsiiako • Dec 19, 2022 • View on HN

This is always a very heated discussion topic :)We started developing Infisical for the majority of people using environment variables right now. We actually have some plans for accommodating for other more secure approaches very soon. Stay tuned.Feel free to join our Slack for any updates: https://join.slack.com/t/infisical-u

dathinab • Oct 12, 2023 • View on HN

it's both trueputting any form of secrets into a env var is deeply insecureusing env is the most simple uniformly available way to have configsthrough I would take it a step further, anything which must not be leaked probably should not be in any config, weather env or file or similar, it should be injected through other means if viable

whatshisface • Apr 1, 2021 • View on HN

Store a path to the top secret file in an environment variable, and have the program read the credentials out of the file. Put the file somewhere far away from the repo, on the deployed filesystem.