How to manage secrets without using cloud tools
Some developers cannot use another SaaS: regulated clients, personal privacy preference, air-gapped labs, or simply “I do not want my API keys on a vendor’s server.” You can run a serious local-first workflow — with clear boundaries about what must still live in cloud infrastructure for production.
1. What “no cloud tools” does and does not mean
Can be fully local:
- Developer laptop storage of dev API keys and env material.
- Git hygiene (.gitignore, gitleaks) — not a “secret manager” but essential.
- Passwords / keys you never upload (hardware tokens, offline GPG).
Usually still “cloud” somewhere for real systems:
- Production databases and APIs are on cloud or datacenters — their IAM and secret injection are part of that platform (AWS Secrets Manager, etc.). That is not the same as “sync my dev .env to a SaaS.”
PassStore is local-first for macOS dev workflows (see: Security): no mandatory cloud for core product flows.
2. Baseline stack (no SaaS secret manager)
| Layer | Tooling |
|---|---|
| Storage on Mac | Encrypted vault (PassStore) + FileVault |
| Git protection | .env.example only, keep secrets out of Git |
| CI | Your CI still needs secrets — use CI-native secret storage (GitHub Actions secrets). That is not optional for hosted CI. |
| Production | Cloud provider’s native secret store tied to IAM — you are already in that ecosystem |
3. Optional: SOPS without a “secret manager UI”
Mozilla SOPS encrypts YAML/JSON/ENV files with keys from age/PGP/KMS. Teams use it to commit encrypted config to Git carefully. It is powerful and easy to misconfigure — review SOPS documentation before adopting.
Caution: encrypted files in Git still signal structure; access to the decrypt key is the real control.
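To make the caution concrete, here is an added pre-commit style audit (example code, not part of SOPS or PassStore) for a SOPS-encrypted dotenv file. It assumes SOPS's dotenv output shape, where each value becomes `ENC[AES256_GCM,data:…,iv:…,tag:…,type:…]` and metadata lines carry a `sops_` prefix; it lists the keys that stay readable (the structure leak) and flags any value that is not encrypted. The sample files are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed shape of a SOPS-encrypted dotenv value; check it against your own `sops -e` output.
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,tag:[A-Za-z0-9+/=]+,type:[a-z]+\]$"
)

@dataclass
class SopsDotenvReport:
    visible_keys: list[str] = field(default_factory=list)    # readable by anyone with repo access
    plaintext_keys: list[str] = field(default_factory=list)  # values that are NOT encrypted
    has_sops_metadata: bool = False                          # False means the file was never encrypted

def audit_sops_dotenv(text: str) -> SopsDotenvReport:
    """Walk a dotenv file and separate SOPS metadata, encrypted values and plaintext values."""
    report = SopsDotenvReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key.startswith("sops_"):            # sops_version, sops_mac, sops_age__... etc.
            report.has_sops_metadata = True
            continue
        report.visible_keys.append(key)        # key names are always visible in the repo
        if not ENC_VALUE.match(value.strip()):
            report.plaintext_keys.append(key)  # a value that would be committed in the clear
    return report

def is_safe_to_commit(text: str) -> bool:
    """True only if the file carries SOPS metadata and every non-metadata value is encrypted."""
    report = audit_sops_dotenv(text)
    return report.has_sops_metadata and not report.plaintext_keys

# Constructed samples (base64 payloads are dummies, the age recipient is a placeholder).
ENCRYPTED_SAMPLE = """DATABASE_URL=ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
STRIPE_KEY=ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
sops_version=3.9.0
sops_mac=ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
sops_age__list_0__map_recipient=age1PLACEHOLDERRECIPIENT
"""
PARTIAL_SAMPLE = """DATABASE_URL=ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
STRIPE_KEY=sk_test_CONSTRUCTED_PLACEHOLDER
sops_version=3.9.0
"""
PLAIN_SAMPLE = "DATABASE_URL=postgres://app:CONSTRUCTED@localhost/app\n"
```

Even the safe file exposes that the project has a `DATABASE_URL` and a `STRIPE_KEY`; only the age or PGP private key gates the values themselves.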
4. Team sync without a secrets SaaS
Hard truth: sending secrets over email or Slack DMs, even end-to-end encrypted ones, is common — and bad. Better offline-ish options:
- In-person USB handoff for break-glass material (rare).
- Company systems you already run (self-hosted Vault, on-prem LDAP) — that is not “no cloud,” but it is no extra startup SaaS.
Practical middle ground: share environment variables safely with your team.
5. Threat model honesty
A local-only dev vault does not protect against:
- Malware on an unlocked Mac.
- You pasting a key into ChatGPT.
It does help with:
- Accidental Git commits and backup sprawl.
- Reducing third-party exposure of dev keys.
Compare trade-offs: local-first vs cloud secret managers.
6. Soft CTA
If your goal is developer secrets on macOS without a sync-everything SaaS, try PassStore and read the minimalist local secrets setup guide.