Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link
Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link

.env files

A plain-text file at the root of a project that defines environment variables as KEY=value lines, loaded by the application at startup so the same code can run against different configurations.

What they are

A .env file is a plain-text file at the root of a project that defines environment variables as KEY=value lines. It's loaded by the application at startup, via libraries like dotenv, python-dotenv, or framework conventions, so the same code can run against different configurations (local development, CI, staging, production) without anything being hardcoded.

The format originated with the Node dotenv package around 2013 and is now common across every major ecosystem. Node, Python, Ruby, Go, Rust, and most modern web frameworks read it natively.

How they work

A typical file is unremarkable:

DATABASE_URL=postgres://[email protected]:5432/prod
STRIPE_SECRET_KEY=sk_live_xxxxxxxxxxxxx
JWT_SECRET=8e93...
SMTP_PASSWORD=...

At startup, the loader reads each pair and exports them into the process's environment. Code reads them via process.env.STRIPE_SECRET_KEY (Node), os.environ["STRIPE_SECRET_KEY"] (Python), or whatever the language's environment API is. From the application's point of view there's no difference between a value injected from .env and one set by the shell, which is the appeal.

Most projects keep a .env.example checked into git with the keys but no values, and .env is added to .gitignore so the file with real secrets stays out of version control.

Where they break down

.env files solve a real problem (keeping secrets out of source code) and create new ones once a team grows past one developer:

What replaces them

A secrets manager keeps the same shape from the application's perspective. Values are still reachable as environment variables, but the file itself stops existing. A short-lived process pulls the current values at boot (or on each restart), and the audit log, rotation, access control, and scoping all live in one place instead of being scattered across laptops and runners.

With SikkerKey, this is the CLI's run command:

sikkerkey run --all -- node server.js

It fetches the project's secrets, sets them as environment variables on a child process, and never writes them to disk. The same code that read process.env.STRIPE_SECRET_KEY still works; the file it came from is gone.

For tools that truly need a file on disk, sikkerkey export --format dotenv > .env generates one on demand from the current secrets, with every read logged.

See also

Secrets managerA system that stores, encrypts, and serves credentials to applications and machines at runtime, with centralized access control and audit logging, so secrets don't live in env files, source code, or shared password managers.
Secret sprawlWhat happens when credentials end up scattered across env files, config maps, source code, chat threads, password managers, and forgotten clouds. The default state of any team without a secrets manager.
Secret rotationThe practice of replacing a credential's value on a schedule (or after suspected compromise) so a leaked value stops being useful within a bounded time window. Sometimes called credential rotation or key rotation.

SikkerKey is the secrets manager built around the patterns in this glossary. Encrypted vault, machine identity over signed requests, dynamic secrets — set up in minutes.

Start for Free