Stop storing secrets in .env files (do this instead)
Exception: short-lived, gitignored, machine-local .env files are still a valid transport into process.env. The headline means: stop treating .env as your vault.
1. The replacement model
| Old | New |
|---|---|
| Long-lived .env with real keys in the repo folder | Canonical secrets in PassStore |
| Copy repo → secrets travel with it | Clone repo → no secrets on disk until you choose |
| One giant file | Workspaces + groups to organize projects |
2. Migration steps (one evening)
- Export the current .env to a temporary file outside the repo.
- Create entries in a PassStore workspace matching each KEY.
- Verify that .gitignore excludes .env (guide).
- Delete the old .env, or replace it with an empty template that points to the vault workflow.
- Rotate anything that ever sat in a backup, sync location or git history you do not trust; deleting the file does not un-leak the values.
3. Keep .env.example in Git
```dotenv
# .env.example — committed, fake values only
DATABASE_URL=postgresql://USER:PASSWORD@localhost:5432/myapp_dev
STRIPE_SECRET_KEY=sk_test_replace_me
```
4. Runtime unchanged
Twelve-factor config still comes from environment — you changed storage, not architecture. See local-first secrets.
5. Docker exception
env_file: .env in Compose is still fine, provided the file is generated per session from the vault, stays gitignored, and is not swept up by backups or sync tools. The problem was never the Compose directive, it was a long-lived .env sitting in the project folder (see: multiple env files).
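The helper below shows what "generated per session" looks like in practice. It is an added example for this page, not PassStore's code: the vault export is a placeholder function (vault_export_cmd, an assumption that prints constructed demo values), and it assumes the Compose service declares env_file: .env as on this page. The file is written atomically with owner-only permissions, checked before Compose starts, and removed when the shell exits for any reason.

```shell
#!/bin/sh
# Per-session .env for Compose. Added example, not PassStore tooling.
set -eu

# Write KEY=VALUE lines from stdin to $1 and replace any stale copy
# atomically, so Compose never reads a half-written file. mktemp creates
# the temporary file 0600, and mv keeps that mode on the final path.
write_session_env() {  # write_session_env PATH  < key=value lines
  _dir=$(dirname "$1")
  _tmp=$(mktemp "$_dir/.env.XXXXXX")
  cat > "$_tmp"
  mv -f "$_tmp" "$1"
}

# Permission bits as an "rw-------" style string (portable across ls flavours).
file_mode() { ls -ld "$1" | cut -c2-10; }

# Refuse to start if the session file is readable by group or others.
assert_private() {
  [ "$(file_mode "$1")" = "rw-------" ]
}

# Stand-in for the real vault export command (assumed, not shown on the page).
# Prints constructed demo values only; replace with your vault's CLI.
vault_export_cmd() {
  printf 'DATABASE_URL=postgresql://USER:PASSWORD@localhost:5432/myapp_dev\n'
  printf 'STRIPE_SECRET_KEY=sk_test_replace_me\n'
}

# One session: generate the file, run Compose, delete the file on exit.
# The trap fires on normal exit, Ctrl-C and termination, so the secrets
# do not linger in the project folder for the next backup or sync pass.
run_session() {
  envfile=${1:-.env}
  trap 'rm -f "$envfile"' EXIT INT TERM
  vault_export_cmd | write_session_env "$envfile"
  assert_private "$envfile"
  docker compose up   # the compose file declares env_file: .env
}
```

Run it as run_session from the project directory; if you keep the file somewhere other than ./.env, point the service's env_file at that path. The permission check is deliberately strict: a 0644 session file is exactly the "copy repo, secrets travel" problem from section 1 in a new costume.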
6. Soft CTA
Download PassStore for macOS · Security overview