2026-05-06 · 6 min read · Tutorial

How to Manage .env Files Securely (Stop Committing Secrets to Git)

A practical guide to .env file security. Learn how to encrypt, sync, and share environment variables without leaking secrets.

Every developer has a .env file. Most developers have committed one to git at least once. Here's how to stop that from happening — and what to do instead.

The Problem

Your .env file contains database passwords, API keys, and tokens. It sits in your project root, one git add . away from being public. The .gitignore line helps, but it doesn't solve the real problems:

  • Sharing: How does a new teammate get the .env?
  • Syncing: How do you keep dev/staging/prod in sync?
  • Rotation: When was the last time you rotated a key?
  • History: What was the old database password?

Option 1: Encrypt .env files (dotenvx)

dotenvx encrypt encrypts your .env in place. You commit the encrypted version to git. At runtime, dotenvx run decrypts it.

Pros: Simple, no server, git-native versioning

Cons: Sharing requires passing raw private keys. No per-secret history.

Option 2: Encrypted vault (MeowPass)

mp init scans your .env, creates an encrypted vault, and pushes all secrets. Then mp run -- npm start injects them at runtime without writing to disk.
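The runtime-injection pattern Option 2 describes, written out as an added example (not MeowPass's code, and not how mp run is implemented): secrets arrive as .env-format text that, in a real setup, would come back from the vault client rather than from a file on disk, get parsed, and are handed to the child process through its environment only. The SAMPLE_SECRETS string and the parse_dotenv, merged_env, run_with_secrets and demo names are all constructed for this example.

```python
import os
import subprocess
import sys

# Constructed sample standing in for the vault's decrypted payload. In a real
# setup this text never touches disk: it comes back from the vault client.
SAMPLE_SECRETS = """# database (constructed values)
export DB_HOST=localhost
DB_PASSWORD='p@ss word'
API_KEY="abc=def"
DEBUG=true # trailing comment on an unquoted value
EMPTY=
"""


def parse_dotenv(text: str) -> dict:
    """Parse .env-format text: comments, blank lines, an optional `export`
    prefix, single- or double-quoted values, and a trailing ` #` comment on
    unquoted values. Only the first `=` splits key from value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        quote = value[:1]
        if quote in ("'", '"') and len(value) >= 2 and value.endswith(quote):
            value = value[1:-1]                       # quoted: keep spaces and '#'
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop inline comment
        env[key] = value
    return env


def merged_env(secrets: dict, base=None) -> dict:
    """Child environment: the parent's variables with the secrets layered on top."""
    env = dict(os.environ if base is None else base)
    env.update(secrets)
    return env


def run_with_secrets(secrets: dict, argv: list) -> subprocess.CompletedProcess:
    """Run argv with the secrets injected via the process environment only;
    nothing is written to the filesystem."""
    return subprocess.run(argv, env=merged_env(secrets), capture_output=True, text=True)


def demo() -> str:
    """Spawn a Python child that echoes one injected variable; returns its output."""
    secrets = parse_dotenv(SAMPLE_SECRETS)
    child = [sys.executable, "-c", "import os; print(os.environ['DB_PASSWORD'])"]
    return run_with_secrets(secrets, child).stdout.strip()


if __name__ == "__main__":
    # Shape of `mp run -- <cmd>`, with the vault fetch stubbed by SAMPLE_SECRETS.
    if len(sys.argv) < 2:
        sys.exit("usage: inject.py <command> [args...]")
    result = run_with_secrets(parse_dotenv(SAMPLE_SECRETS), sys.argv[1:])
    sys.stdout.write(result.stdout)
    sys.exit(result.returncode)
```

"Nothing on disk" is the right property to aim for, but the environment is not a private channel: on Linux any process running as the same user can read the child's variables from /proc/<pid>/environ, and every grandchild inherits them unless the child scrubs its environment. Inject into the one process that needs the secrets, not into a long-lived shell.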

Pros: Zero-knowledge, team sharing via key exchange, per-secret versioning, AI integration

Cons: Requires an account (free)

Option 3: Cloud secret manager (AWS/GCP)

Store secrets in AWS Secrets Manager or GCP Secret Manager. Access via SDK in your application code.

Pros: Enterprise-grade, automatic rotation

Cons: Cloud lock-in, expensive at scale, no CLI-first workflow

Best Practices (Regardless of Tool)

  1. Never commit .env to git. Add it to .gitignore on day one.
  2. Rotate keys regularly. Use mp rotate or dotenvx rotate.
  3. Use different secrets per environment. Don't share keys between dev and prod.
  4. Audit access. Know who has access to which secrets.
  5. Inject at runtime. Use mp run or dotenvx run instead of writing .env to disk.
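Practice 1 is easier to keep if git refuses the commit for you. The following pre-commit guard is an added example (not MeowPass's or dotenvx's code): it inspects the index rather than the working tree, blocks any real .env file while letting committed templates such as .env.example through, and flags lines in other staged files that look like credentials. The ENV_FILE_RE, SECRET_PATTERNS, PLACEHOLDER_PREFIXES and SAMPLE_STAGED values are constructed for illustration; the AWS key ID in the sample is the documented example value, not a live key.

```python
import re
import subprocess
import sys

# Matches .env and environment-specific variants (.env.local, .env.production,
# config/.env.staging); committed templates are exempted by suffix below.
ENV_FILE_RE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$")
TEMPLATE_SUFFIXES = (".example", ".sample", ".template", ".dist")

# Constructed, illustrative pattern list: extend it for the providers you use.
SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential assignment",
     re.compile(r"(?i)\b[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)\s*=\s*['\"]?(?P<val>[^\s'\"]{8,})")),
]
# Values that are obviously not real secrets (template text, ${VAR} references).
PLACEHOLDER_PREFIXES = ("changeme", "xxx", "your-", "<", "${")

# Constructed stand-in for `git diff --cached` output: path -> staged content.
SAMPLE_STAGED = {
    ".env.example": 'DB_PASSWORD=changeme\nAPI_TOKEN="${API_TOKEN}"\n',
    "src/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'STRIPE_SECRET = "sk_test_constructed_value_123"\n'
        'PUBLIC_URL = "https://example.com"\n'
    ),
    "deploy/.env.production": "DB_PASSWORD=real-looking-value-42\n",
}


def is_forbidden_env_file(path: str) -> bool:
    """True if `path` is a real .env file that must never be staged."""
    if not ENV_FILE_RE.search(path):
        return False
    return not path.endswith(TEMPLATE_SUFFIXES)


def find_secret_like_lines(text: str) -> list:
    """Return (line_number, label) for each line that appears to carry a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.groupdict().get("val")
            if value is not None and value.lower().startswith(PLACEHOLDER_PREFIXES):
                continue  # template or interpolation, not a leaked value
            findings.append((lineno, label))
            break  # one finding per line is enough to block the commit
    return findings


def check_staged_changes(staged: dict) -> list:
    """Map of path -> staged content in, list of human-readable problems out."""
    problems = []
    for path, content in staged.items():
        if is_forbidden_env_file(path):
            problems.append(f"{path}: .env file staged; add it to .gitignore and unstage it")
            continue
        for lineno, label in find_secret_like_lines(content):
            problems.append(f"{path}:{lineno}: {label}")
    return problems


def _git(*args: str) -> str:
    return subprocess.run(["git", *args], capture_output=True, text=True,
                          errors="replace", check=True).stdout


if __name__ == "__main__":
    # Hook entry point (.git/hooks/pre-commit): read index contents, not the worktree.
    paths = _git("diff", "--cached", "--name-only", "--diff-filter=ACM").split()
    problems = check_staged_changes({p: _git("show", f":{p}") for p in paths})
    for problem in problems:
        print(f"blocked: {problem}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

A hook like this is a last line of defence, not the control: developers can pass --no-verify, so pair it with the same scan in CI on every push, and treat any secret it catches as already exposed if the file was ever pushed.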

Quick Start with MeowPass

brew install meowrithm/tap/meowpass
mp login
mp init          # scans .env → encrypts → pushes
mp run -- npm start   # injects secrets, nothing on disk

Your secrets are now E2E encrypted, versioned, and shareable. See the full CLI reference for the remaining commands.

Ready to try MeowPass?

$ brew install meowrithm/tap/meowpass && meowpass init