Daniel Lyons' Notes

secrets management strategies

Each strategy below is compared on four points: what it is, its strengths, its weaknesses, and what it is best for.

`.env` files
Description: Plain text files containing key-value pairs that store configuration and secrets locally, excluded from version control via .gitignore
Strengths:
• Simple and convenient for local development
• No additional tools required
• Can be excluded from version control
• Project-scoped (won't collide with system variables)
Weaknesses:
• Plain text storage (no encryption)
• Easily leaked if committed to git
• No audit logging or access control
• Doesn't scale across teams
• No secret rotation capabilities
• Accessible to all child processes
Best for: Local development only

shell environment variables
Description: Dynamic values set at the OS, user, or session level that programs access at runtime via system APIs
Strengths:
• Universal across all operating systems
• Integrated into OS
• Portable across deployments
• Easy to change between environments
Weaknesses:
• Visible to all processes in user space
• Stored in plain text
• Accessible via process inspection
• No encryption at rest
• Difficult to manage at scale
• Can leak into logs and process dumps
• No audit trail
Best for: Simple applications, CI/CD pipelines with caution

1Password CLI
Description: Command-line tool that integrates with 1Password's centralized password manager, allowing applications to fetch secrets at runtime from shared team vaults
Strengths:
• User-friendly and convenient
• Centralized secret storage
• Team-friendly with shared vaults
• Automatic secret injection
• Audit logging included
• Works locally and in CI/CD
• Supports arbitrary secret fields
Weaknesses:
• Still uses environment variables under the hood (inherits some risks)
• Requires 1Password subscription
• Vendor lock-in
• Not ideal for production at scale
• Requires CLI installation
Best for: Small to medium teams, development environments, CI/CD workflows

HashiCorp Vault
Description: Enterprise secrets management platform that generates, stores, and rotates secrets with fine-grained access control and comprehensive audit logging
Strengths:
• Enterprise-grade security
• Dynamic secrets with auto-expiration
• Fine-grained access control
• Comprehensive audit logging
• Secret rotation automation
• Multi-cloud support
• Encryption as a service
Weaknesses:
• Complex setup and configuration
• Steep learning curve
• Requires dedicated infrastructure
• Higher operational overhead
• Potential single point of failure
Best for: Enterprise environments, complex deployments, high-security requirements

AWS Secrets Manager
Description: AWS-native service that stores, encrypts, and automatically rotates secrets with IAM-based access control and CloudTrail audit logging
Strengths:
• Native AWS integration
• Automatic secret rotation
• Encryption at rest and in transit
• Fine-grained IAM policies
• Audit logging via CloudTrail
• Seamless with AWS services
Weaknesses:
• AWS-only (vendor lock-in)
• Additional AWS costs
• Requires IAM setup
• Not ideal for multi-cloud
• Runtime API calls add latency
Best for: AWS-native applications, production deployments on AWS

Google Cloud Secret Manager
Description: GCP-native service for storing, managing, and accessing secrets with versioning, encryption, and IAM-based access controls
Strengths:
• Tight GCP integration
• Versioning support
• Access logging
• Automatic encryption
• Fine-grained IAM controls
Weaknesses:
• GCP-only (vendor lock-in)
• Not ideal for multi-cloud
• Additional costs
• Requires GCP infrastructure
Best for: GCP-native applications, Google Cloud deployments

Azure Key Vault
Description: Azure service for managing cryptographic keys, certificates, and secrets with HSM support, managed identities, and RBAC integration
Strengths:
• Azure ecosystem integration
• HSM support for critical secrets
• Managed identities support
• Encryption at rest
• RBAC integration
Weaknesses:
• Azure-only (vendor lock-in)
• Not ideal for multi-cloud
• Additional costs
• Requires Azure setup
Best for: Azure deployments, enterprise Microsoft environments

SOPS (Secrets OPerationS)
Description: Open-source file editor that encrypts/decrypts structured files (YAML, JSON, ENV) with selective value encryption, supporting multiple encryption backends (AWS KMS, GCP KMS, Azure Key Vault, PGP, age)
Strengths:
• Encrypts only values, keeps structure readable
• Git-friendly (can commit encrypted files)
• Multiple encryption backend support
• Minimal infrastructure required
• Developer-friendly workflow
• Version control integration
• Supports multiple recipients
Weaknesses:
• File-based only (no API access)
• Manual key management required
• No built-in secret rotation
• Requires key distribution
• Limited to file formats
• Not a full secrets manager
Best for: Teams wanting secrets in git, offline-capable systems, infrastructure-as-code

git-crypt
Description: Transparent encryption/decryption tool for Git repositories that automatically encrypts files on commit and decrypts on checkout using GPG or symmetric keys
Strengths:
• Transparent Git integration
• Automatic encryption on commit
• Automatic decryption on checkout
• Minimal setup required
• Works with existing Git workflows
Weaknesses:
• GPG-only encryption
• Limited to Git repositories
• Manual key management
• No audit logging
• Difficult key distribution
• No access control granularity
Best for: Teams wanting automatic Git-based encryption, simple workflows

Doppler
Description: Cloud-based secrets management platform with multi-environment support, team collaboration, automatic syncing, and built-in audit logging
Strengths:
• Easy setup and onboarding
• Multi-environment support
• Team collaboration features
• Audit logging
• Automatic syncing
• Cloud-agnostic
• Developer-friendly UI
Weaknesses:
• Additional vendor dependency
• Subscription costs
• Requires internet connection
• Potential single point of failure
• Smaller ecosystem than cloud providers
Best for: Growing teams, multi-cloud deployments, developer experience priority

Infisical
Description: Open-source end-to-end encrypted secrets management platform with team collaboration, automatic syncing, and multi-cloud support
Strengths:
• End-to-end encrypted
• Open-source option
• Team collaboration
• Automatic syncing
• Multi-cloud support
• Self-hostable
• Developer-friendly
Weaknesses:
• Requires infrastructure if self-hosted
• Smaller community than established tools
• Potential single point of failure
• Subscription for cloud version
Best for: Teams prioritizing open-source, self-hosted deployments, multi-cloud environments

Key Recommendations

For Development: Use .env files locally with a .sample.env template. Never commit real secrets to version control.

For Small Teams: 1Password CLI offers the best balance of convenience and security. Store an access token in .env and fetch other secrets at runtime.

For Production: Use your cloud provider's native secrets manager (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault) or HashiCorp Vault for multi-cloud scenarios. These provide encryption, rotation, audit logging, and access controls.

Hybrid Approach (Recommended): Store only a short-lived access token or authentication credential in .env or environment variables, then use that to fetch remaining secrets from a centralized secrets manager at runtime. This limits exposure while maintaining developer convenience.
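As an added example (not from these notes, and not any vendor's SDK) of the hybrid approach with HashiCorp Vault as the centralized manager: the .env holds only `VAULT_ADDR` and a bootstrap `VAULT_TOKEN`, a check reports any other key that has crept into the file, and the remaining secrets are read at runtime from Vault's KV v2 HTTP API (`GET /v1/secret/data/<path>` authenticated with the `X-Vault-Token` header). The `urlopen` parameter is injectable so the exchange can be exercised without a live server; the secret path and token values used are constructed.

```python
"""Hybrid approach: .env holds only a bootstrap token; every other secret is
fetched at runtime from a secrets manager (HashiCorp Vault KV v2 here)."""
import json
import re
import urllib.request

# Under the hybrid approach these are the only keys allowed to live in .env.
BOOTSTRAP_KEYS = {"VAULT_ADDR", "VAULT_TOKEN"}
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped and
    matching surrounding quotes are stripped from the value."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            env[key] = value
    return env


def dotenv_violations(env, allowed=BOOTSTRAP_KEYS):
    """Keys that should not be in .env: anything beyond the bootstrap
    credential is a long-lived secret sitting in plain text on disk."""
    return sorted(k for k in env if k not in allowed)


def parse_kv2_response(body):
    """Pull the secret map out of a Vault KV v2 read response."""
    return json.loads(body)["data"]["data"]


def fetch_vault_secret(addr, token, path, urlopen=urllib.request.urlopen):
    """GET /v1/secret/data/<path> with the bootstrap token; `urlopen` is
    injectable so the exchange can be exercised without a live server."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/secret/data/{path.lstrip('/')}",
        headers={"X-Vault-Token": token},
    )
    with urlopen(req, timeout=5) as resp:
        return parse_kv2_response(resp.read())
```

Running `dotenv_violations` against the parsed .env in CI is a cheap way to catch a database password that someone added to the file instead of to the manager.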

Critical Best Practices Across All Strategies:

  • Never hardcode secrets in source code
  • Rotate secrets regularly (at least every 90 days, daily if rotation is automated)
  • Implement least privilege access controls
  • Enable audit logging and monitor access
  • Encrypt secrets both at rest and in transit
  • Use automated secret scanning in CI/CD pipelines
  • Separate secrets by environment (dev, staging, production)
  • Never commit .env files to version control