[nrub]

I no longer keep my dotenv files in plaintext. I use `sops` to keep an encrypted env around and you can use tools like direnv to make them available to your shell while you're working. Obviously the LLM could print any of these secrets, but it's less likely. Additionally I find that at least claude seems to avoid reading the dotenv. And lastly, don't make any local secrets that important. Limited scope, dev accounts, etc.

[theozero]

You might like varlock - it helps keep secrets out of plaintext by using plugins to pull from various backends (aws ssm, gcp, vault, 1pass, etc). Also has built in local encryption with shared team vaults coming soon.

Additionally provides pre commit scanning, log redaction, and much more.

[Sohcahtoa82]

But then you need creds to access AWS SSM, Vault, etc., and those end up getting stored the same way the actual creds you needed were being stored, and you're back at square one.

[sneak]

Nah you can get machine creds automatically via the metadata service when running inside AWS. Nothing need be on disk.

[Sohcahtoa82]

That's still not any better.

If the LLM can run any code it writes itself, it can retrieve those credentials. It's just one `curl` away. If you don't let it run `curl`, but you let it run `python`, it can just run a Python script that fetches it using `requests`. Or a Node script that calls `fetch`.

Point is, if creds are accessible programmatically, the LLM can and may try to retrieve them if it thinks it needs them.

[epistasis]

Aws credentials are short lived precisely so that leaking them has a time limited blast radius.

Automatic retrieval, instead of keeping them on disk, is what makes short lived credentials possible.

[Sohcahtoa82]

I'm not convinced that time-limiting the blast radius matters. It just means that malicious use of the credentials has to be automated, and that's a pretty damn low bar.

[epistasis]

SOPS is exactly what I use too, and since it's so old I was using a planning session with an LLM to figure out if there was something more recent that might be more convenient. But Claude stuck with the SOPS rec! (Coupled with `age` for encryption, probably because I had shown an interest in that tool in a different session... memory poisoning is a huge problem I'm having with these tools right now too.)

[simgoh]

I've used `sops` "manually" before and I'm interested. What is your workflow? I'm assuming you set certain directories to have access to the sops key you're storing somewhere else to be able to encrypt/decrypt files?

[raxxorraxor]

Tools like cursor make typical files like .env inaccessible to models. Now the models have become quite apt to just extract the content through the console.