The other day while browsing social media, I saw someone asking how to share a .env file with others. At that time, the post was still new and only had a few comments. Clicking through to read it, I saw someone reply to "just copy it" and send it to the other person. I don't know how it is at your workplace, but at mine, people still often send .env files to each other via messaging. Not through Messenger, Telegram, or Slack, though; we use an internal messaging app based on Mattermost.
.env files often contain important information, and sending them directly through messaging channels is not always advisable due to potential security risks. In today's article, I will summarize some ways to manage and share .env files that I know of.
The first option is to use software tools designed to manage environment variables. Such software offers many advantages, such as centralized management, enhanced security, access control, and multi-platform support. Instead of "copying" and sending the .env file to each individual, you just grant them access to specific projects so they can "clone" them to their machines. Very convenient!
There are many such tools, ranging from open-source to completely proprietary. Open-source options include hashicorp/vault, Infisical/infisical... Additionally, there are renowned service providers such as doppler.com, hashicorp.com/vault, amazon.com/secrets-manager...
In general, this method brings many benefits and impressive security capabilities, but it comes at the cost of operating the tool and managing its data.
Instead of sending the .env file directly over the Internet, you can encrypt it before sending it. Give the decryption password to the recipient through a different channel than the one used for the file.
If you're using Linux, you can leverage the gpg command.
$ gpg -c .env
Enter a password when prompted, then send the resulting encrypted .env.gpg file to the intended recipient.
To decrypt, the recipient runs gpg with -d, which prints the decrypted contents to the terminal:
$ gpg -d .env.gpg
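A scripted version of the same gpg round trip, added here as an example (it is not from the original article): the function names seal_env and open_env are hypothetical, and it assumes GnuPG 2.1 or later. It reads the passphrase from a file rather than a prompt, and only writes the decrypted .env if gpg succeeds.

```shell
# Added example, not part of the original article.
# seal_env / open_env are hypothetical helper names; assumes GnuPG 2.1+.

# seal_env <env-file> <passphrase-file>
# Writes <env-file>.gpg next to the input. The passphrase comes from a file,
# so it never appears in `ps` output or shell history. The function body is a
# subshell, so the tightened umask does not leak into the calling shell.
seal_env() (
    umask 077
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" \
        --symmetric --cipher-algo AES256 \
        --output "$1.gpg" "$1"
)

# open_env <encrypted-file> <passphrase-file> <output-file>
# Decrypts into a temporary file and renames it only when gpg reports success,
# so a wrong passphrase or a damaged file never leaves a partial .env behind.
open_env() (
    umask 077
    tmp="$3.tmp.$$"
    if gpg --batch --yes --quiet --pinentry-mode loopback \
           --passphrase-file "$2" \
           --decrypt --output "$tmp" "$1"
    then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        echo "open_env: decryption of $1 failed" >&2
        exit 1
    fi
)
```

The sender runs seal_env .env passphrase.txt and the recipient runs open_env .env.gpg passphrase.txt .env; the passphrase file should be deleted once it has been used.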
Imagine if the entire office uses macOS; you could share files via AirDrop. Otherwise, there are many software options for sharing content over a local network (LAN).
Additionally, Telegram, Slack, Signal... all have end-to-end encryption (E2EE) messaging features. Any messages sent through these channels are encrypted, much better than sending plain text.
No matter where you send it, human factors still play a critical role. Therefore, always be cautious when managing and sharing .env files with others.
Another method I often use is OpenNotas. Enable synchronization, create a new note, paste the .env file into it, and set a password for protection. Simple as that.
And what method are you using? Feel free to leave a comment below this article. Thank you.