Store secrets and app configuration securely with a single file.
Part of Layer 1 Protection
The .env file format is central to good DX (developer experience) and has been since it was introduced by Heroku in 2012 and popularized by our dotenv node module (and other libraries) in 2013.
The .env file format starts where the developer starts: in development. The file is added to each project but NOT committed to source control. This gives the developer a single place, outside the repository, to store sensitive application secrets.
Can you believe that, before the .env file was introduced, almost all developers stored their secrets as hardcoded strings in source control? That was only 10 years ago!
Here's an example of what a .env file might look like:
DB_HOST=localhost
DB_PASSWORD=pa$$word
ENCRYPT_PUBLIC_KEY=5daef8d0b8c62f9569a634c88574cdd0
GATSBY_API_URL=http://localhost:3000/gatsby
MAILCHIMP_API_USERNAME=d3a5f1d9f215941181752a7f0bda5380
S3_KEY=cd89a34bcd76
SIGN_PUBLIC_KEY=84a8cfc121cb6b517f7c11c92cad2cc7
STRIPE_KEY=scr_a34bd7c37abc
STRIPE_PUBLIC_KEY="pub_z17ab3d3741a"
It is purposefully simple because, as security professionals, we know that complexity is the enemy of security.
You can read more about how it works in the dotenv documentation, or in the documentation of the other language implementations. It is the gold standard for securing development secrets, proven and trusted by millions of developers around the world.
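To make the format concrete, here is an added example (not the dotenv module's own code) of a minimal .env parser and loader in JavaScript. It handles the things the example file above relies on: plain KEY=value lines, comment lines, a quoted value such as STRIPE_PUBLIC_KEY, and a value like pa$$word that must be taken literally with no shell-style variable expansion. The loader deliberately never overrides a variable the real environment already set, so a stray development .env cannot clobber production configuration. The sample contents are the page's example file, embedded inline so the code runs offline; the quoting and inline-comment rules are a simplified assumption, not a full specification of what dotenv implements.

```javascript
// Added example, not the dotenv module's own implementation.
// Parses the .env format shown above and loads it without overriding
// variables already present in the real environment.

// The page's example file, embedded here as constructed sample input.
const SAMPLE_ENV = `
# database settings (comment lines are ignored)
DB_HOST=localhost
DB_PASSWORD=pa$$word
ENCRYPT_PUBLIC_KEY=5daef8d0b8c62f9569a634c88574cdd0
GATSBY_API_URL=http://localhost:3000/gatsby
MAILCHIMP_API_USERNAME=d3a5f1d9f215941181752a7f0bda5380
S3_KEY=cd89a34bcd76
SIGN_PUBLIC_KEY=84a8cfc121cb6b517f7c11c92cad2cc7
STRIPE_KEY=scr_a34bd7c37abc
STRIPE_PUBLIC_KEY="pub_z17ab3d3741a"
`;

// KEY=value with an optional leading "export"; value captured without trailing whitespace.
const LINE = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/;

// Parse .env text into a plain object. Malformed lines are skipped rather than
// guessed at, and no $VAR expansion is performed, so "pa$$word" stays literal.
function parseEnv(src) {
  const out = {};
  for (const raw of src.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;   // blank line or comment
    const m = LINE.exec(line);
    if (!m) continue;                                      // not KEY=value: ignore
    const key = m[1];
    let value = m[2];
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);                          // strip matching quotes
      if (q === '"') value = value.replace(/\\n/g, '\n');  // "\n" escapes only in double quotes
    } else {
      const hash = value.indexOf(' #');                    // unquoted value: drop inline comment
      if (hash !== -1) value = value.slice(0, hash).trim();
    }
    out[key] = value;
  }
  return out;
}

// Copy parsed values into env (default: process.env). Keys that already exist
// are left alone so the deployment environment always wins over the file.
// Returns the list of keys that were actually loaded.
function applyEnv(parsed, env = process.env) {
  const loaded = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (Object.prototype.hasOwnProperty.call(env, key)) continue;
    env[key] = value;
    loaded.push(key);
  }
  return loaded;
}

// Usage: load the sample and report which variables were set.
// Log only the names, never the values, so secrets do not end up in log output.
const loadedKeys = applyEnv(parseEnv(SAMPLE_ENV));
console.log(`loaded ${loadedKeys.length} variable(s): ${loadedKeys.join(', ')}`);
```

The two security-relevant choices are easy to miss in a real project: the "existing environment wins" rule in applyEnv, and logging key names rather than values. Reversing either one is how a development password quietly ends up in production or in a log aggregator.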
But the world has changed, and developers manage secrets at far greater scale than a decade ago. Today it's difficult to securely share .env files between machines, environments, and team members. As a result, developers often share secrets over Slack, email, text message, and post-it notes. That is not scalable and is fraught with security risks. For a CTO or CSO it is a risk they should not take.
Luckily, that is changing. We have been extending the .env file format to support secure sharing and storage in Dotenv Vault.
The .env file format is still at the center of security, but we are adding two new extensions. They are optional, though we highly recommend them for teams. They are the:
.env.project extension
.env.me extension
These work alongside your .env files to significantly improve security. This is the next great leap forward in application secrets security, and as with the original .env file format, we have worked hard to minimize complexity in order to increase security.
Join millions of developers that already trust and use Dotenv.
Est. 2013