Environment variable manager for macOS developers
How to manage dev, staging, and production-style variables on a Mac without syncing secrets to the cloud: patterns, anti-patterns, tooling comparison, and using PassStore as your local source of truth.
Environment variables are the default API for configuration in almost every language — Node, Python, Go, Rust, Ruby, PHP. That convenience created a culture of plaintext .env files copied between machines until something leaks.
This guide explains what a serious environment-variable workflow looks like on macOS when you care about local-first storage, Git safety, and speed. It is written to stand alone — you do not have to use PassStore — but we will show where a native vault fits naturally.
What “env manager” should mean
An environment variable manager is not just a file with KEY=value lines. At minimum, it should help you:
- Group variables per application and environment (dev vs staging vs prod-like).
- Avoid Git as the carrier of secrets (templates only).
- Copy or inject values into shells, containers, or IDEs deliberately — not via screenshots or Slack.
- Rotate credentials without hunting twelve backup-final.env files.
Anti-patterns that cause incidents
| Anti-pattern | Why it hurts |
|---|---|
| One giant .env for “everything” | Wrong DATABASE_URL in the wrong terminal tab. |
| Checking .env into a “private” repo | History is forever; access models change. |
| Emailing .env to onboard someone | Mailbox retention + forward rules = breach. |
| Storing prod secrets on every laptop | Maximum blast radius when a laptop is lost. |
Deeper dive: Why your .env setup is probably leaking.
Recommended baseline layout
1) Committed template
.env.example (names + fake values only):
```dotenv
APP_ENV=development
PORT=3000
DATABASE_URL=postgresql://USER:PASSWORD@localhost:5432/myapp_dev
REDIS_URL=redis://127.0.0.1:6379
STRIPE_SECRET_KEY=sk_test_replace_me
```
2) Gitignored local file or vault export
Either:
- .env on disk (acceptable if you accept plaintext-at-rest risk), or
- Canonical secrets in a Keychain-backed vault, copied into the shell when needed.
Keychain concepts: macOS Keychain for developers.
3) CI and production use platform injection
GitHub Actions secrets, Kubernetes Secret objects, ECS task definitions, etc. — not a file committed to the repo.
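The three-step layout above only works if the local file and the committed template stay in sync and the real file never reaches Git. The following script is an added example, not PassStore's tooling or a script from this guide: it reads a dotenv-style template and local file, reports keys that are missing locally or still carry a template placeholder, and checks that `.env` is listed in `.gitignore`. The placeholder spellings (`replace_me`, `USER:PASSWORD@`, and so on) and the sample files in `demo` are constructed conventions; adjust them to your own template.

```shell
#!/usr/bin/env bash
# Added example (not PassStore's own tooling): a pre-flight check for the
# "committed template + gitignored local file" layout.
#   env_keys FILE                         -> KEY names defined in a dotenv file
#   env_value FILE KEY                    -> value of KEY (last definition wins)
#   check_env_against_template TMPL LOCAL -> 0 only if every template key is
#                                            set locally with a real value
#   check_env_ignored GITIGNORE           -> 0 only if .env is ignored
# Placeholder spellings are constructed conventions; extend for your team.

# Print the KEY names in a dotenv-style file; comments and blank lines are
# skipped and an optional leading "export " is tolerated.
env_keys() {
  sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)=.*/\2/p' "$1"
}

# Print the value of KEY in FILE; like most loaders, the last definition wins.
env_value() {
  sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=\(.*\)\$/\2/p" "$1" | tail -n 1
}

# True when a value is obviously still a template stand-in (constructed list).
is_placeholder() {
  case "$1" in
    ""|*replace_me*|*REPLACE_ME*|*changeme*|*CHANGEME*|*USER:PASSWORD@*|*TODO*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare a local dotenv file against the committed template. Prints one line
# per problem and returns 0 only when nothing is wrong.
check_env_against_template() {
  template=$1; local_file=$2; status=0
  for key in $(env_keys "$template"); do
    if ! env_keys "$local_file" | grep -qx "$key"; then
      echo "MISSING     $key (declared in $template, absent from $local_file)"
      status=1
      continue
    fi
    if is_placeholder "$(env_value "$local_file" "$key")"; then
      echo "PLACEHOLDER $key still carries its template value in $local_file"
      status=1
    fi
  done
  return $status
}

# Returns 0 when .gitignore lists the local file literally (".env" or "/.env").
check_env_ignored() {
  grep -Fqx -e '.env' -e '/.env' "$1" 2>/dev/null && return 0
  echo "NOT IGNORED .env is absent from $1; a careless git add would commit secrets"
  return 1
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/.env.example" <<'EOF'
APP_ENV=development
PORT=3000
DATABASE_URL=postgresql://USER:PASSWORD@localhost:5432/myapp_dev
STRIPE_SECRET_KEY=sk_test_replace_me
EOF
  # Constructed local file: DATABASE_URL filled in (fake credentials), the
  # Stripe key still the template value, and PORT forgotten entirely.
  cat > "$dir/.env" <<'EOF'
APP_ENV=development
export DATABASE_URL=postgresql://dev:localonly@localhost:5432/myapp_dev
STRIPE_SECRET_KEY=sk_test_replace_me
EOF
  printf 'node_modules/\n' > "$dir/.gitignore"

  check_env_against_template "$dir/.env.example" "$dir/.env" || echo "-> fix the lines above before starting"
  check_env_ignored "$dir/.gitignore" || echo "-> add .env to .gitignore"
  rm -rf "$dir"
}

demo
```

Running the script prints a MISSING line for PORT, a PLACEHOLDER line for STRIPE_SECRET_KEY and a NOT IGNORED line for the `.gitignore`; wire `check_env_against_template .env.example .env` into a `make dev` target or a pre-commit hook so a stale local file or a leaked template value is caught before it causes a wrong-database incident or a commit.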
Docker and Compose (quick reference)
docker compose commonly loads:
```yaml
services:
  api:
    env_file:
      - .env
```
Keep compose YAML in Git; keep .env out. Document required keys in README.md.
direnv: powerful, easy to misuse
direnv auto-loads .envrc when you enter a directory. If your team uses it:
- Never commit real secrets in .envrc.
- Add code review rules for any new direnv file.
How PassStore maps to “env manager”
PassStore is a native macOS app for developer secrets — API keys, credential bundles, and environment-style groupings. Design highlights from our Security overview:
- Encrypted vault at rest (AES-256-GCM; Argon2id key wrapping for current vaults).
- Keychain Services for sensitive items — aligned with Apple platform security.
- Local-first — no mandatory cloud sync for core flows.
Typical workflow
- Create a workspace per repo or product.
- Add groups such as dev / staging (even if staging keys are rare on laptops).
- Store DATABASE_URL, signing keys, third-party tokens as named entries.
- Copy into Terminal or config when you start work — reduce long-lived plaintext files.
For multi-repo habits, read Organize API keys without slowing down.
Full playbook
For an end-to-end system spanning Git, CI, cloud, and Mac:
A practical developer secret management setup for 2026.
Long-form guides (SEO clusters)
- Where should I store .env files securely?
- Structure environment variables in large projects
- Avoid duplicate env configuration
- Share environment variables safely with your team
- Doppler vs local env management
- Is it safe to store secrets in .env files?
Download
Download PassStore — local macOS vault for developer secrets.