Skip to content
·10 min read

Secrets Management Beyond Env Vars with Vaults and Key Rotation

When environment variables are not enough and how to use secrets managers, vaults, and rotation for real security

Share

Secrets management is the practice of controlling how your application's credentials are stored, accessed, and rotated. With 92% of developers using AI tools daily, API key exposure has become the top security risk for shipped applications. If you are still managing secrets through .env files alone, you are running a system never designed for production security.

Where Environment Variables Break Down

Environment variables were the first upgrade from hardcoded secrets, and they were a good one. Instead of writing const apiKey = "sk_live_abc123" directly in your source code, you reference process.env.STRIPE_SECRET_KEY and keep the real value in a .env file that Git ignores. This keeps secrets out of your repository. For a solo developer shipping a side project, this works fine.

The problems start when your application grows past that point.

No audit trail. When you store secrets in .env files, there is no record of who accessed what, when, or from where. If a key leaks, you cannot trace how it happened. You cannot see which team member last touched the Stripe key or whether someone copied it to their personal machine.

No rotation mechanism. Env files are static. Rotating a key means manually updating every .env file on every machine, every CI pipeline, and every deployment platform. For a solo project with one Vercel deployment, that is manageable. For a team with staging, production, and local environments, it is a recipe for missed updates and broken deploys.

Shared in plain text. When a new team member joins, how do they get the secrets? Usually through Slack, email, or a shared document. Your production database password ends up in a Slack DM with no expiration, no access control, and no way to revoke it. GitGuardian's 2025 report found that secrets shared through messaging platforms account for 27% of all credential leaks.

No environment isolation. A .env file does not distinguish between development, staging, and production secrets. Developers accidentally use production keys in development all the time, especially when AI tools generate configuration that references whatever values are available.

Key Takeaway

Environment variables solve one problem well: keeping secrets out of source code. They do not solve access control, audit logging, rotation, or secure sharing. Once you have more than one environment or more than one person touching your secrets, .env files become a liability rather than a solution.

The Secrets Management Maturity Ladder

Think of secrets management as a ladder with three rungs. You do not need to jump straight to the top, but you should know which rung you are on and when to climb.

Rung 1: Environment variables. Secrets live in .env files locally and in your hosting platform's settings. This is where most vibe coders start, and it is appropriate for solo projects with a single deployment target. The critical requirement is that your .env file is in .gitignore and you never commit it.

Rung 2: Secrets manager. Secrets live in a centralized service with access control, audit logging, environment separation, and secure team sharing. Tools like Doppler, Infisical, and 1Password Secrets Automation sit at this level. Move here when you add a second team member, a staging environment, or more than ten secrets.

Rung 3: Vault with dynamic secrets. Secrets are generated on demand with automatic expiration. HashiCorp Vault is the standard. Instead of storing a static database password, the vault generates a temporary credential that expires after a set period. This is enterprise-grade and overkill for most indie projects, but it is where companies with compliance requirements end up.

EXPLAINER DIAGRAM: A vertical ladder with three labeled rungs showing the secrets management maturity progression. Bottom rung labeled RUNG 1 ENV VARIABLES shows icons for a .env file and a single developer, with text SOLO PROJECTS and a green checkmark for KEEPS SECRETS OUT OF CODE and red X marks for NO AUDIT TRAIL, NO ROTATION, NO SHARING. Middle rung labeled RUNG 2 SECRETS MANAGER shows icons for Doppler, Infisical, and 1Password logos, with text TEAMS AND MULTIPLE ENVIRONMENTS and green checkmarks for ACCESS CONTROL, AUDIT LOGS, ENVIRONMENT SEPARATION, SECURE SHARING. Top rung labeled RUNG 3 VAULT WITH DYNAMIC SECRETS shows a HashiCorp Vault icon, with text COMPLIANCE AND ENTERPRISE and green checkmarks for all previous items plus DYNAMIC CREDENTIALS, AUTOMATIC EXPIRATION, FINE-GRAINED POLICIES. An arrow on the left side labeled WHEN TO CLIMB points upward with trigger descriptions: SECOND TEAM MEMBER or STAGING ENVIRONMENT between rung 1 and 2, SOC 2 or HIPAA COMPLIANCE between rung 2 and 3.
Most indie hackers and small teams belong on rung 2. You only need rung 3 when compliance or scale demands it.

Most readers should aim for rung 2. It takes 15-30 minutes to set up, costs nothing for small teams, and eliminates the entire class of problems that .env files create.

Setting Up a Secrets Manager

The three most practical options for indie hackers and small teams are Doppler, Infisical, and 1Password Secrets Automation. All three follow the same pattern: store secrets in a centralized dashboard, organize by environment, and your application pulls them at runtime or build time.

Doppler is the most straightforward option for teams deploying to Vercel or Cloudflare. You create a project, add secrets through the web dashboard, and install the Doppler CLI. Instead of maintaining .env files, you run doppler run -- npm run dev and Doppler injects the correct secrets for your environment. For production, Doppler integrates directly with Vercel, Netlify, and most CI platforms.

Infisical is the open-source alternative. You can self-host it or use their cloud service. The workflow is similar to Doppler, but you get the option to run the entire infrastructure on your own servers. For teams that need secrets within their own network, Infisical is the strongest choice.

1Password Secrets Automation extends the password manager you might already use. If your team shares credentials through 1Password, their Secrets Automation product lets applications pull those same credentials at build or deploy time, eliminating the "copy from 1Password, paste into Vercel dashboard" step that introduces human error.

The setup for any of these follows the same pattern. Create an account, install the CLI tool, import your existing secrets from your .env file, and update your scripts to pull secrets from the manager instead of reading a local file.

Still Hardcoding API Keys?

Read our guide on how AI tools accidentally commit your secrets and how to scan your repos.

Read the guide

How Key Rotation Actually Works

Key rotation means replacing an active secret with a new one on a regular schedule, then revoking the old one. It limits the damage window. If a key leaks but you rotate weekly, the attacker has at most seven days before the stolen key stops working.

Manual rotation follows three steps in order. Generate a new key from the service provider's dashboard. Update the new key in your secrets manager or hosting platform. Revoke the old key after confirming the new one works. The order matters: generate, deploy, revoke. If you revoke before deploying, your app goes down.

Automated rotation is where secrets managers earn their value. Doppler and Infisical can trigger webhooks when secrets change, so your application picks up the new value without a redeploy. AWS Secrets Manager offers built-in rotation for RDS database credentials, where new passwords are generated and applied on a schedule you define.

For most indie projects, manual rotation on a quarterly schedule is reasonable. It takes five minutes per service. The goal is reducing the window of exposure from "forever" to "a few months," eliminating the most common attack scenario where a leaked key works indefinitely.

Common Mistake

Generating a new key but forgetting to revoke the old one. Both keys remain active until you explicitly delete the compromised one. Rotation without revocation is not rotation at all. It just means you now have two valid keys instead of one, and the leaked key still works.

When You Need a Vault vs When Env Vars Are Fine

Not every project needs HashiCorp Vault or a dedicated secrets manager. Here is a practical decision framework.

Env vars are fine when you are a solo developer with one production environment, fewer than ten secrets, no shared credentials, and your project does not handle sensitive user data like payment information or health records.

A secrets manager is necessary when two or more people need access to secrets, you maintain separate development, staging, and production environments, you need to know who accessed which secret and when, or you need to rotate keys without manually updating files everywhere.

A vault is necessary when you need dynamic, short-lived credentials, you are subject to compliance frameworks requiring audit trails and automatic rotation (SOC 2, HIPAA, PCI DSS), or you manage hundreds of services with thousands of credentials.

Most vibe coders should move from rung 1 to rung 2 and stop there. A secrets manager like Doppler or Infisical handles 95% of the security concerns that .env files leave unaddressed.

EXPLAINER DIAGRAM: A decision flowchart for choosing your secrets management approach. Starting node asks SOLO DEVELOPER WITH ONE ENVIRONMENT, with YES arrow pointing to a green box labeled ENV VARIABLES ARE FINE listing requirements: .env in .gitignore, never commit secrets, use hosting platform env settings. NO arrow leads to second question TEAM OR MULTIPLE ENVIRONMENTS, with YES arrow pointing to a blue box labeled USE A SECRETS MANAGER listing Doppler, Infisical, or 1Password with benefits: access control, audit logs, environment separation, secure sharing. NO from that leads to third question COMPLIANCE REQUIREMENTS SOC2 HIPAA PCI, with YES arrow pointing to an orange box labeled USE A VAULT listing HashiCorp Vault with benefits: dynamic credentials, automatic rotation, fine-grained policies, compliance audit trails. A note at the bottom reads MOST TEAMS BELONG IN THE BLUE BOX.
Be honest about where your project actually is. Overengineering secrets management wastes time. Underengineering it creates breaches.

Practical Steps to Move Beyond Env Vars Today

If you are ready to graduate from .env files, here is the fastest path.

Audit your current secrets. Open every .env file in your project and list every secret. Check your hosting platform's environment settings too. Most projects have 5-15 secrets scattered across 2-3 locations.

Choose and set up a secrets manager. For most indie hackers, Doppler is the fastest to set up. Sign up, create a project, and import your secrets. Their free tier covers small teams. Replace npm run dev with doppler run -- npm run dev and remove the local .env file.

Connect your deployment platform. Doppler and Infisical both offer native integrations with Vercel, Netlify, Cloudflare, and most CI platforms. Set this up so secrets sync automatically and remove the manually entered environment variables from your hosting dashboard.

Set a rotation schedule. Pick a cadence (quarterly is reasonable) and set calendar reminders. When the reminder fires, generate new keys, update them in your secrets manager, and revoke the old ones.

Build Secure Applications from the Start

Get tutorials on security, deployment, and shipping real applications with AI tools.

Browse all tutorials

What This Means For You

The gap between "my app works" and "my app is secure" often comes down to how you handle secrets. Environment variables got you started, and they deserve credit for that. But they were designed for a simpler time when one developer shipped one app to one environment. The moment your project outgrows that, you need a system that provides access control, audit trails, and rotation.

Moving to a secrets manager takes an afternoon, not a week. The security improvement is immediate. You go from "secrets scattered across Slack messages and .env files with no visibility" to "centralized, access-controlled, and auditable."

Start with a secrets audit this week. List every secret your project uses and where it lives. That single step will show you exactly how exposed you are and what needs to change.

PJ
Pranay Joshi

20+ years building products at scale. VP of Product & Engineering, startup founder, and AI coach. Helping dreamers turn ideas into reality with vibe coding.

The Tuesday Shipping Report

Every Tuesday, one focused email:

  • - The tool or technique that's actually working right now
  • - A real problem from the community (and how to solve it)
  • - What changed this week in the vibe coding landscape

Read by 1,000+ founders, developers, and creators building with AI. Free forever. No spam.