SecretSpec: Declarative Secrets Management

https://news.ycombinator.com/rss Hits: 10
Summary

Announcing SecretSpec: Declarative Secrets Management

We've supported .env integration for managing secrets, but it has several issues:

- Apps are disconnected from their secrets - applications lack a clear contract about which secrets they need
- Parsing .env is unclear - comments, multiline values, and special characters all have ambiguous behavior across different parsers
- Password manager integration is difficult - requiring manual copy-paste or template workarounds
- Vendor lock-in - applications use custom parsing logic, making it hard to switch providers
- No encryption - .env files are stored as plain text, vulnerable to accidental commits or unauthorized access

While we could recommend solutions like dotenvx to encrypt .env files or sops for general secret encryption, these bring new challenges:

- Single key management - requires distributing and managing a master key
- Trust requirements - everyone with the key can decrypt all secrets
- Rotation complexity - departing team members require key rotation and re-encrypting all secrets

Larger teams often adopt solutions like OpenBao (the open source fork of HashiCorp Vault), requiring significant infrastructure and operational overhead. Smaller teams face a gap between simple .env files and complex enterprise solutions.

What if instead of choosing one tool, we declared secrets uniformly and let each environment use its best provider?

The Hidden Problem: Conflating Three Concerns

We've created SecretSpec and integrated it into devenv. SecretSpec separates secret management into three distinct concerns:

- WHAT - Which secrets does your application need? (DATABASE_URL, API_KEY)
- HOW - Requirements (required vs optional, defaults, validation, environment)
- WHERE - Where are these secrets stored? (environment variables, Vault, AWS Secrets Manager)

By separating these concerns, your application declares what secrets it needs in a simple TOML file. Each developer, CI system, and production environment can provide those secrets from thei...

First seen: 2025-07-21 16:37

Last seen: 2025-07-22 01:41