[sakisv]

The way I solve the plain text problem is through a combination of direnv[1] and pass[2].

For a given project, I have a `./creds` directory which is managed with pass and it contains all the access tokens and api keys that are relevant for that project, one per file, for example, `./creds/cloudflare/api_token`. Pass encrypts all these files via gpg, for which I use a key stored on a Yubikey.

Next to the `./creds` directory, I have an `.envrc` which includes some lines that read the encrypted files and store their values in environment variables, like so: `export CLOUDFLARE_API_TOKEN=$(pass creds/cloudflare/api_token)`.

Every time that I `cd` into that project's directory, direnv reads and executes that file (just once) and all these are stored as environment variables, but only for that terminal/session.

This solves the problem of plain-text files, but of course the values remain in ENV and something malicious could look for some well known variable names to extract from there. Personally I try to install things in a new termux tab every time which is less than ideal.

I'd like to see if and how other people solve this problem

[1]: https://direnv.net/ [2]: https://www.passwordstore.org/

[gerardnico]

You can even go further and delete all your secrets from your env by creating wrapper scripts

Example : https://github.com/combostrap/devfiles/blob/main/dev-scripts...

It’s not completely full proof but at least gpg asks my passphrase only when I run the script

[hrimfaxi]

At least with direnv your exports are removed when you leave the directory.

[internet_points]

but if you `cd project && npm install compromised-package` then compromised-package's setup script can still read your env vars, right?

[tinodb]

Yes, but I guess that is still much better than that it can read all your .env files on your machine