Operations

Managing Secrets: .env Files vs Secret Managers

Generate Secret Keys team June 4, 2026 7 min read

Generating a strong secret is only half the job — where it lives matters just as much. A perfectly random key accidentally committed to a public repo is worthless. This is the practical side of secrets: configuration and storage.

Keep config out of code

The guiding principle, from the Twelve-Factor App methodology, is to keep configuration — anything that varies between environments, especially secrets — out of your source code and supply it from the environment. That single rule prevents the most common leak: a hard-coded key sitting in your Git history forever.

The .env approach

A .env file holds KEY=value pairs your app loads into environment variables at startup. It's simple and ideal for local development.

  • Pros: trivial to set up, language-agnostic, great developer experience.
  • Cons: it's a plaintext file on disk; it doesn't rotate, audit, or restrict access; and it's dangerously easy to commit by accident.

The golden rule: add .env to .gitignore before you create it, and commit a .env.example with blank or dummy values to document the required keys.
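As an added example (not code from the original article or the generator site), here is a small hygiene check that enforces the golden rule above: it parses a .env and its committed .env.example, reports keys the example forgot to document, keys the real file lacks, and any example value that looks like a live secret rather than a placeholder. Function names, the placeholder heuristic and the sample files are assumptions constructed for the example; the same check works as a pre-commit or CI step.

```python
import re

# Values acceptable in a committed .env.example: blank or an obvious dummy (assumed heuristic).
PLACEHOLDER = re.compile(r"^(|changeme|your[-_].*|<.*>|x{3,}|\.\.\.|dummy|example)$", re.I)

def parse_dotenv(text: str) -> dict:
    """Parse KEY=value lines: skip blanks and comments, strip 'export ' and surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # unwrap "..." or '...'
        env[key.strip()] = value
    return env

def looks_like_placeholder(value: str) -> bool:
    return PLACEHOLDER.match(value.strip()) is not None

def check_env(dotenv_text: str, example_text: str) -> dict:
    """Compare the real .env (never committed) against the committed .env.example."""
    real, doc = parse_dotenv(dotenv_text), parse_dotenv(example_text)
    return {
        "undocumented": sorted(set(real) - set(doc)),  # keys the example forgot
        "missing": sorted(set(doc) - set(real)),       # keys the app needs but .env lacks
        "example_has_real_values": sorted(             # a real-looking secret in the example
            k for k, v in doc.items() if not looks_like_placeholder(v)),
    }

# Constructed sample files; none of these values are real credentials.
DOTENV = """# local dev secrets (never committed)
export JWT_SECRET="constructed-jwt-value-9f3a"
SESSION_SECRET='constructed-session-value'
API_TOKEN=constructed-token-27b1
DATABASE_URL=postgres://app:constructed@localhost/app
"""
EXAMPLE = """JWT_SECRET=
SESSION_SECRET=changeme
API_TOKEN=constructed-token-27b1
CSRF_SECRET=<generate with openssl rand -hex 32>
"""

if __name__ == "__main__":
    for problem, keys in check_env(DOTENV, EXAMPLE).items():
        print(f"{problem}: {keys}")
```

Running it on the samples flags API_TOKEN, which was copied into the example verbatim, along with the undocumented DATABASE_URL and the missing CSRF_SECRET.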

When .env files leak

Leaks happen through committed files, log output, error pages that dump the environment, and over-broad container images. Treat the contents as live credentials: if a .env is ever exposed, rotate every secret in it immediately rather than hoping no one saw it.

Secret managers

As you move toward production and teams, a dedicated secret manager addresses what .env can't. Common choices include HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, Azure Key Vault, Doppler, and 1Password. What they add:

  • Encryption at rest and in transit.
  • Fine-grained access control — services get only the secrets they need.
  • Audit logs — who read what, and when.
  • Rotation support — often automated, sometimes with dynamic, short-lived credentials.

Practical rules

  • Never commit secrets. Use .gitignore and a secret-scanning tool in CI.
  • Separate per environment. Dev, staging, and production get distinct secrets.
  • Least privilege. Grant each service access to only its own secrets.
  • Inject at runtime. Prefer environment variables or a manager over baking secrets into images or builds.
  • Plan rotation from day one.

Generate a full .env bundle

The More tab has an .env bundle generator that produces a ready set of named application secrets — JWT, encryption, session, CSRF, salt, and API token — in .env format, created locally in your browser.
