Environment variables are the standard way to pass configuration and credentials to applications, but they introduce security risks when mismanaged. Leaked API keys, exposed database passwords, and world-readable .env files are among the most common security incidents in modern DevOps. This guide covers practical techniques for securing environment variables across development, CI/CD, and production environments.
Common Environment Variable Security Risks
The most frequent security issues with environment variables include:
- Committed .env files: accidentally pushing .env files to version control exposes every credential they contain
- World-readable permissions: .env files with 644 or 666 permissions can be read by every user on the host
- Process listing exposure: commands such as ps aux can reveal secrets passed on the command line
- Docker layer caching: secrets set with Dockerfile ENV instructions are baked into image layers permanently
- Log exposure: applications that log their full environment or configuration dump secrets into log files
Securing .env Files
# Set restrictive permissions
chmod 600 .env
# Ensure .env is in .gitignore
echo ".env" >> .gitignore
echo ".env.*" >> .gitignore
echo "!.env.example" >> .gitignore
# Verify it is not tracked
git status .env
git rm --cached .env 2>/dev/null
Always provide a .env.example file with placeholder values (never real credentials) so team members know which variables are needed.
Detecting Leaked Secrets
Scan your environment and .env files for accidentally exposed credentials:
pip install dargslan-env-audit
dargslan-envaudit report # Full security audit
dargslan-envaudit env # Scan environment variables
dargslan-envaudit dotenv # Scan .env files
dargslan-envaudit gitignore # Check .gitignore coverage
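As an added example (not code from this page or from the dargslan-envaudit tool), the following stand-alone Python audit mirrors the checks described above: it parses a .env file, flags sensitive-looking keys whose values are not placeholders, compares the file mode against 600, and checks whether .gitignore covers the file. The key-name and placeholder patterns are assumptions chosen for illustration.

```python
# Added example, not the page's or the dargslan-envaudit tool's own code; the regexes are assumptions.
import fnmatch
import re
import stat

SECRET_KEY_RE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL", re.I)  # sensitive names
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|<.*>|changeme|your[-_].*|x{3,}|\*+)?$", re.I)  # obvious dummies

def parse_dotenv(text):
    """Parse KEY=VALUE lines; skips comments/blank lines, strips 'export ' and surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().removeprefix("export ").strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env

def find_secret_like(env):
    """Keys whose name looks sensitive and whose value is not a placeholder."""
    return sorted(k for k, v in env.items()
                  if SECRET_KEY_RE.search(k) and not PLACEHOLDER_RE.match(v))

def permissions_too_open(mode):
    """True when group or others hold any permission bit, i.e. anything wider than 600."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def gitignore_covers(patterns, path):
    """Apply .gitignore lines in order; a later '!pattern' re-includes a matched file."""
    ignored = False
    for pat in [p.strip() for p in patterns]:
        if pat and not pat.startswith("#") and fnmatch.fnmatch(path, pat.lstrip("!")):
            ignored = not pat.startswith("!")
    return ignored

def audit(dotenv_text, mode, gitignore_lines, path=".env"):
    """Run all checks and return a list of findings (an empty list means clean)."""
    findings = [f"{path}: {k} holds a real-looking secret" for k in find_secret_like(parse_dotenv(dotenv_text))]
    if permissions_too_open(mode):
        findings.append(f"{path}: mode {mode:o} is wider than 600")
    if not gitignore_covers(gitignore_lines, path):
        findings.append(f"{path}: not covered by .gitignore")
    return findings
```

A constructed call such as audit('export API_KEY="sk-live-abc123"\nDB_HOST=localhost\n', 0o644, [".env", ".env.*", "!.env.example"]) reports the live-looking key and the over-broad mode but no .gitignore gap.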
Production Secret Management
For production environments, avoid .env files entirely. Use dedicated secret management:
- HashiCorp Vault: industry-standard secret management with dynamic credentials
- AWS Secrets Manager / SSM Parameter Store: native AWS secret management
- Kubernetes Secrets: built-in secret management for K8s workloads (enable encryption at rest!)
- Docker Secrets: Swarm-mode secret management, mounted into containers as files
CI/CD Pipeline Security
# Never echo secrets in CI
# BAD:
echo "Deploying with key: $API_KEY"
# GOOD: Use masked variables
echo "Deploying with key: ***"
# Use CI platform secret storage (GitHub Actions, GitLab CI)
# Never hardcode secrets in pipeline files
Best Practices Checklist
- Never commit .env files to version control
- Set .env file permissions to 600 (owner read/write only)
- Use .env.example with placeholder values for documentation
- Rotate credentials regularly (at least quarterly)
- Use secret management tools in production instead of .env files
- Audit environment variables periodically for leaked secrets
- Avoid passing secrets via command-line arguments