Menu
After reading several articles about secrets, I understand that all secrets must not be deployed to a production repository. Thus, using a .env file is recommended by many posts. However, now I wonder where should I keep these .env files. Is there any best practice for where to keep them?
442
You can create an. env file in the application's root directory that contains key/value pairs defining the project's required environment variables. The dotenv library reads this. env file and appends it to process.
You can create a . env file at the root of the project directory and put the credential in the file. You can also choose to store your environment variables within a virtual environment; the environment variables will be accessible once the virtual environment is activated.
env file should be committed to version control. The trouble is that blindly committing it creates a huge security risk. Here I discuss a few pointers on how to do so in a safe manner.
After reading this, that, this, and other articles, I concluded that there is no certain answer for this question; it depends on your organization / your preferences.
The recommended method for most applications is to save them at the root of your project, but include them in your .gitignore file in order to avoid them from being committed to your main repo (one .env file corresponds to each device/environment).
Other methods suggest including them in your repo, but encrypting and decrypting all the passwords inside of them once they load. Another method is to store them in password management programs like KeyPass, It really depends on how much effort you want to invest in the security and the time you would like to spend maintaining your application.
188
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
