SikkerKey Blog
Security writeups, engineering deep-dives, and practical guides from the team building SikkerKey.
Stop Using .env Files for Secrets in 2026: dotenv Alternatives for Every Language
Node, Python, Go, .NET, Kotlin, and PHP each have a dotenv, and they all load the same plaintext .env file on disk. The 2026 fix is the same in every language: inject secrets at runtime with SikkerKey's CLI or one of its six SDKs, so no .env file holds them.
How to Create and Read Your First Secret in SikkerKey
Create a project, store your first secret, enroll the machine that needs it, and read the value back from the CLI and your code. A full walkthrough of SikkerKey's create-and-read flow, with no API key or bearer token to copy around.
Which Secrets Manager Is Best for Cloud? Pick the One That Works on All of Them
The instinct is to reach for your cloud's built-in secrets manager. But the best secrets manager for cloud is the one that does not depend on which cloud you are on, so it still works when you add a second, go hybrid, or migrate.
Your Secrets Manager Causes Secret Sprawl, and Sells It as a Feature
Turning on a secrets manager integration means writing a copy of your secret into that platform's storage. Enable five and your one secret is now stored across five more companies' systems. That is secret sprawl.
What Is a Secrets Manager?
A secrets manager stores credentials like API keys and database passwords in one encrypted, access-controlled place and serves them to machines at runtime. How they work, why secrets sprawl makes them essential, and why complexity stops teams from adopting one.
The Best Secrets Management Tools in 2026
A practical 2026 comparison of the top secrets management tools, from HashiCorp Vault and the cloud-native managers to Doppler, Infisical, Akeyless, and SikkerKey, covering how each authenticates machines, rotates secrets, deploys, and which teams it fits.
Why we sign every secret request instead of handing out bearer tokens
Bearer tokens authenticate whoever holds the string. SikkerKey signs each secret request with a per-machine Ed25519 key, so a captured credential can't be replayed and every read traces back to a real machine.