Minimalist setup for managing secrets locally
You do not need HashiCorp Vault on day one. You do need three non-negotiables: Git discipline, one trustworthy place on your Mac, and CI injection for anything shared.
1. The five-item stack
| # | Piece | Job |
|---|---|---|
| 1 | .gitignore + .env.example | No secrets in Git — guide |
| 2 | gitleaks locally | Catch accidents before push |
| 3 | PassStore | Encrypted workspace vault on macOS (Security) |
| 4 | GitHub Actions secrets (or equivalent) | CI never reads your laptop |
| 5 | Rotation after doubt — playbook | History cleaning ≠ un-steal |
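Items 1 and 2 of the stack are the only ones that live entirely in your repo, so they can be enforced by a single pre-commit hook. The script below is an added example, not code from the article: it refuses to commit a real `.env`, fails if `.env.example` no longer documents every key in `.env`, and hands the staged changes to gitleaks when the binary is installed. The `gitleaks protect --staged` invocation is the v8 syntax; the filename patterns, the `.env`/`.env.example` layout and the sample files are assumptions.

```sh
#!/bin/sh
# Added example, not code from the article: a pre-commit hook covering stack items
# 1 and 2. Install by copying this file to .git/hooks/pre-commit and making it
# executable. The check functions read plain input so they can be exercised without git.
set -eu

# Read staged paths, one per line, from stdin. Succeed (exit 0) if any of them is a
# real env file: .env, .env.local, config/.env ... but not .env.example / .env.sample.
staged_has_env_file() {
  grep -E '(^|/)\.env(\.[A-Za-z0-9_.-]+)?$' | grep -Ev '\.(example|sample)$' | grep -q .
}

# Print the sorted, unique KEY names declared in a dotenv file ("KEY=value" lines;
# comments, blank lines and "export KEY=value" are tolerated).
env_keys() {
  sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)=.*/\2/p' "$1" \
    | LC_ALL=C sort -u
}

# Print keys present in the real file ($1) but absent from the example file ($2).
# Empty output means .env.example is a complete guide to what the app needs.
missing_example_keys() {
  real_keys=$(mktemp) example_keys=$(mktemp)
  env_keys "$1" > "$real_keys"
  env_keys "$2" > "$example_keys"
  LC_ALL=C comm -23 "$real_keys" "$example_keys"
  rm -f "$real_keys" "$example_keys"
}

# Hook body: only runs when this script is installed as .git/hooks/pre-commit.
run_hook() {
  if git diff --cached --name-only | staged_has_env_file; then
    echo "pre-commit: refusing to commit a real .env file" >&2
    return 1
  fi
  if [ -f .env ] && [ -f .env.example ]; then
    missing=$(missing_example_keys .env .env.example)
    if [ -n "$missing" ]; then
      echo "pre-commit: add these keys (with placeholder values) to .env.example:" >&2
      echo "$missing" >&2
      return 1
    fi
  fi
  if command -v gitleaks >/dev/null 2>&1; then
    # gitleaks v8 syntax (assumption); releases from 8.19 spell this
    # "gitleaks git --pre-commit --staged". --redact keeps found secrets out of the log.
    gitleaks protect --staged --redact
  fi
}

case "$0" in
  */pre-commit) run_hook ;;
esac
```

The hook stays silent when gitleaks is absent rather than failing, which is deliberate for a one-person setup: the `.env` refusal and the `.env.example` drift check always run, and gitleaks is layered on top once it is installed.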
2. Daily flow
- Open workspace for today’s repo.
- Copy keys into one terminal tab or a short-lived `.env`.
- Close the tab / delete the ephemeral file when done.
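The "short-lived `.env`" step is easy to get wrong by hand (file left behind, readable by other local users, secrets exported into the long-running shell). The script below is an added example, not code from the article: it writes the secrets to a temp file only the owner can read, loads them into the environment of a single command, and deletes the file when that command exits, even on failure. The `fetch_secrets` function is a stand-in for your vault tool's output, and its values are constructed.

```sh
#!/bin/sh
# Added example, not code from the article: the "short-lived .env" step of the daily
# flow. Secrets live in a 0600 temp file for the duration of one command and are never
# exported into the calling shell.
set -eu

# Stand-in for reading from the workspace vault (assumption: your vault tool prints
# KEY=value lines). The values here are constructed and not real credentials.
fetch_secrets() {
  printf 'API_KEY=sk_constructed_example\nDB_URL=postgres://localhost/dev\n'
}

# Path of the most recent temp file, so a caller (or test) can verify it was removed.
LAST_ENVFILE=""

# Usage: with_ephemeral_env <command> [args...]
with_ephemeral_env() {
  # mktemp creates the file with mode 0600, so other local users cannot read it
  envfile=$(mktemp "${TMPDIR:-/tmp}/env.XXXXXX")
  LAST_ENVFILE=$envfile
  fetch_secrets > "$envfile"
  rc=0
  # A subshell keeps the exported variables and the trap out of the caller's shell
  (
    trap 'rm -f "$envfile"' EXIT
    set -a              # export every variable sourced from the file
    . "$envfile"
    set +a
    "$@"
  ) || rc=$?
  rm -f "$envfile"      # second removal in case the subshell was killed before its trap
  return $rc
}

# True when API_KEY is unset in the calling shell, i.e. the secret did not leak past
# the subshell. Used by the stand-alone run below and by tests.
api_key_not_in_parent() {
  [ -z "${API_KEY:-}" ]
}

# Stand-alone run: report only the key length, never the key itself.
with_ephemeral_env sh -c 'printf "API_KEY has %s chars\n" "${#API_KEY}"'
api_key_not_in_parent && echo "API_KEY is not set in this shell"
```

Because the whole load/run/delete sequence is scoped to one subshell, "close tab / delete ephemeral file" stops being a step you have to remember; it happens when the command returns.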
3. What you deliberately skip (for now)
- Doppler/Vault until team audit demands it — local vs cloud.
- SOPS until infra team owns key custody.
- Shared `.env` in Slack — forever skip.
4. When to add complexity
Signals:
- More than 5 engineers sharing the same dev keys without per-person credentials.
- SOC2 asks for audit on secret reads.
- Kubernetes sprawl — see open source compared.