Your .env files are a liability. Two simple patterns for injecting secrets from 1Password or macOS Keychain so credentials never touch disk as plaintext.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Storing secrets in plaintext .env files is risky — they get shared over Slack, accumulate across projects, and are readable by any process on your machine. A safer pattern is to store secrets in a vault and inject them at runtime using a wrapper script. Two practical implementations are shown: one using the 1Password CLI (`op run`) with committable reference files, and one using the macOS `security` command to read from the system Keychain. Both approaches mean secrets never touch disk as plaintext, enable a single source of truth for credential rotation, simplify team onboarding, and provide audit logs. A demo repo is provided to try both in minutes.

Stop Putting Secrets in .env Files