Ask HN: How do you and your team manage secrets day to day?

2•markvm•1h ago

I used to work at a startup. In that company we were regularly switching between environments, connecting to different API's and databases. We were constantly juggling .env files, storing them on our laptops and sharing them on Slack. At some point I lost a set of credentials for a (richly filled) test database I created. I guess I deleted it when cleaning up the workspace, unaware I didn't store it somewhere. That was the moment I started looking for a better way to manage secrets. To be honest, the more I look the less I understand what the actual default is in 2026.

The GitGuardian report that came out recently says 29 million secrets leaked on GitHub in 2025, so it looks like I'm not the only one who is still figuring this out. At least my .env files were in .gitignore.

So I'm just curious: how do you/your team actually handle this in practice? Are you running Vault, Doppler, something locally, a folder of .env files that nobody talks about, a 1Password vault that everyone shares, something else entirely? What works, what doesn't, and what do you wish was different?

Comments

philmillman•1h ago

We built varlock.dev to solve this exact problem. It works with all the secret and password managers everyone is already using and gives you a schema that you can commit, better DX (type-safety, intellisense) and security guardrails (redaction, leak prevention, scanning). Would love to hear your thoughts!

markvm•14m ago

Thank you, just took a look. So, if I understand correctly varlock is designed to run on top of existing password/secrets managers. Do you have any idea which ones are typically used by varlock users? What do you use?

philmillman•3m ago

Yeah we're currently meant to run on top of whatever platforms/products people are already using. We're launching some first party encryption support imminently. It's mostly geared towards local overrides, but that will evolve into more of an end-to-end solution over time.

1Password is very popular, especially for dev/pre-prod where shared vaults are more the norm. I think it will continue to grow as their Environments product matures. Next most popular would be AWS (our plugin supports both of their secrets management solutions). And after that would be Infisical. Some of the other plugins are quite new so I expect some growth there as people find them.

We are pretty heavy 1Pass users internally.

Is SpaceX Worth $2T?

Federal Court Denies Anthropic's Motion to Lift 'Supply Chain Risk' Label

Show HN: BNNR – a closed-loop pipeline for improving vision models

Names and faces of those killed by Israel in its April 8 massacre

You're Looking at the Wrong Pretext Demo

Rolling your own crypto can make sense (sometimes)

Show HN: Haven – persistent SSH sessions without tmux

Status: Tariff Refunds

I gave every train in New York an instrument

France to ditch Windows for Linux to reduce reliance on US tech

Show HN: Figma for Coding Agents

Show HN: I built a project board where AI agents join as real teammates

eBPF-based PostgreSQL wait event tracer using hardware watchpoints

Physics stippling with headless simulation and batched rendering [video]

Will Lower Courts Find Ways Around Cox vs. Sony? You Betcha

Florida AG launches investigation into OpenAI

Writer Survey: 60% of Companies Plan to Lay Off Employees Who Won't Adopt AI

Show HN: Skilldeck – Desktop app to manage AI agent skill files across tools

We analyzed 5M App Store rankings – here's what moves the needle

Yikes, Encryption's Y2K Moment Is Coming Years Early

RemembrallMCP – persistent memory and code graph for AI agents

What does it mean to create with AI?

Wisconsin city passes nation's first anti-data center referendum

The Gentle Seduction [pdf]

Framework founder says that 'personal computing as we know it is dead'

GBrain – The memex, built for people who think for a living

Some Movement of Models

Honeywell and Odys Develop Laila VTOL Anti-Drone Platform

Helium Is Hard to Replace

Show HN: I created a leaderboard converting your LOC into garrytans. COPE