Replies: 1 comment 15 replies
-
This has one downside. For server environments that have ephemeral file storage (like Heroku and many others) you can't guarantee the file will always be there. For other deployment environments like serverless, you can't always write to a file. They don't allow it. Instead, maintaining the encrypted file in your codebase guarantees it will be available to all infra types.
This is a good thought. They only exist during that process (and are cleared when the process shuts down), but yes, if a 3rd party accesses that process somehow, then it can slurp them up. This is rare and means you have a worse intrusion (like a compromised node module or server), but I agree with the point. What if we added the ability for you to pass your own target that should be written to - rather than https://github.com/motdotla/dotenv/blob/master/lib/main.js#L188 We recently built the mechanism to do to this (https://github.com/motdotla/dotenv/tree/master#populate). We would just need to bubble up the option to
What do you think? |
Beta Was this translation helpful? Give feedback.
-
I really like the solution offered by dotenv vault, just not as advertised.
Storing secrets in the process env variables is risky, it allows 3rd party modules
which run on the same process access to read the secrets..
As an architect in a tech company I'm considering using this tool like so:
This will result in a file with secrets existing on the disk.
The other part would be to start the actual process, init a module which will read the file and
delete it from the disk, thus it cannot be accessed by a malicious 3rd party module, whilst ensuring the secrets
are only available via dedicated module api.
WDYT?
Beta Was this translation helpful? Give feedback.
All reactions