How I organize all my project secrets (real workflow)
This is one workable system — not scripture. It optimizes for fewer wrong-key mistakes and fast rotation when GitHub emails at dinner.
1. One PassStore workspace per git remote “product”
Examples:
- github.com/acme/payments-api → workspace payments-api
- github.com/acme/web → workspace web
2. Groups inside each workspace
Default three buckets:
- dev — keys I use daily.
- staging — sometimes empty; only if I actually touch staging from laptop.
- integrations — third-party dashboards (read-only PATs), separate from runtime keys.
Never store prod here unless break-glass — and then name it PROD_BREAKGLASS_EXPIRES_YYYY-MM-DD.
3. Entry naming
stripe_secret_key_test
database_url_dev
jwt_signing_secret_dev
sentry_dsn_dev # often non-secret DSN; still grouped for clarity
The convention matches the one in organize API keys.
4. Session pattern
- Open workspace → copy database_url_dev → paste into one shell tab.
- Run migrations / server.
- Close tab.
If Docker needs env_file, I generate a fresh .env from those copies and rm after — or mount only what compose needs.
5. Monorepo tweak
Workspace acme-monorepo with groups:
- app-api-dev
- app-web-dev
- tooling-ci (personal PATs for local release scripts)
Cross-links: structure large projects.
6. What I do not store
- Production root DB passwords — use break-glass path through employer infra.
- One-time OAuth codes — ephemeral garbage.
- Secrets belonging to clients — employer vault / policy wins.
7. Monthly chore (calendar reminder)
- Delete orphan keys in vendor UIs.
- Archive vault entries with _deprecated_2026-04 after rotation — rotate.
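As an added example (my own code, not part of the post and not a PassStore feature), a small Python lint that checks a constructed list of entry names against the conventions from sections 2, 3 and 7: the env suffix must be dev/test/staging (so a stray _prod entry is flagged), a PROD_BREAKGLASS_EXPIRES_YYYY-MM-DD entry past its date is flagged for deletion, and a _deprecated_YYYY-MM entry older than an assumed 90-day grace period is flagged for purging.

```python
import re
from datetime import date, timedelta

# Entry-name forms taken from the post (exact regexes are my assumption):
#   <purpose>_<env>                      e.g. database_url_dev, stripe_secret_key_test
#   PROD_BREAKGLASS_EXPIRES_YYYY-MM-DD   break-glass entry with an expiry date
#   <name>_deprecated_YYYY-MM            archived after rotation
ALLOWED_ENVS = {"dev", "test", "staging"}
BREAKGLASS_RE = re.compile(r"^PROD_BREAKGLASS_EXPIRES_(\d{4}-\d{2}-\d{2})$")
DEPRECATED_RE = re.compile(r"^(?P<base>.+)_deprecated_(?P<ym>\d{4}-\d{2})$")
ENTRY_RE = re.compile(r"^[a-z0-9]+(?:_[a-z0-9]+)*_(?P<env>[a-z]+)$")


def lint_entry(name: str, today: date, keep_deprecated_days: int = 90) -> list[str]:
    """Return findings for one vault entry name; an empty list means it is fine."""
    findings = []
    m = BREAKGLASS_RE.match(name)
    if m:
        expires = date.fromisoformat(m.group(1))
        if expires < today:
            findings.append(f"{name}: break-glass entry expired on {expires}, delete it")
        return findings
    m = DEPRECATED_RE.match(name)
    if m:
        year, month = map(int, m.group("ym").split("-"))
        archived = date(year, month, 1)  # archive month, day unknown -> use the 1st
        if today - archived > timedelta(days=keep_deprecated_days):
            findings.append(f"{name}: archived {archived:%Y-%m}, older than "
                            f"{keep_deprecated_days} days, purge it")
        return findings
    m = ENTRY_RE.match(name)
    if not m:
        findings.append(f"{name}: does not match <purpose>_<env> naming")
    elif m.group("env") not in ALLOWED_ENVS:
        findings.append(f"{name}: env suffix '{m.group('env')}' not in {sorted(ALLOWED_ENVS)}")
    return findings


def lint_workspace(names, today_iso: str) -> list[str]:
    """Lint every entry name in a workspace; today_iso is an ISO date like '2026-04-01'."""
    today = date.fromisoformat(today_iso)
    return [f for n in names for f in lint_entry(n, today)]


# Constructed sample workspace (not real vault contents).
SAMPLE_ENTRIES = [
    "database_url_dev",
    "stripe_secret_key_test",
    "database_url_prod",                          # should never live here
    "PROD_BREAKGLASS_EXPIRES_2026-01-15",         # expired by April 2026
    "jwt_signing_secret_dev_deprecated_2025-11",  # archived five months ago
]

if __name__ == "__main__":
    for finding in lint_workspace(SAMPLE_ENTRIES, "2026-04-01"):
        print(finding)
```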