https://krokotsch.eu/tags/security/Recent content in Security on Don't Repeat YourselfHugo -- 0.152.2en-usWed, 10 Jun 2026 00:00:00 +0000https://krokotsch.eu/posts/keep-secrets-out-of-your-env-file/Wed, 10 Jun 2026 00:00:00 +0000https://krokotsch.eu/posts/keep-secrets-out-of-your-env-file/<p>Recently there was a slew of supply chain attacks on several Python packages. One of them, named <a href="https://devops-daily.com/posts/shai-hulud-hades-pypi-wave-june-2026">Shai-Hulud</a>, was especially impressive because you only had to install the compromised package, no import needed. It then steals any credentials and secrets it can find on your machine, including ones in <code>.env</code> files.</p> <p>My main question was: do people still keep secrets in environment variables? API keys just lying around in plain text <code>.env</code> files on your hard drive sound like a terrible idea. Especially when the alternative is so simple and elegant. This is why I&rsquo;m sharing my favorite pattern for fetching secrets in Python: <em>the secret resolver</em>. It reads your secrets during application runtime from the secret provider of your choice, be it Azure Key Vault, KeePass, or 1Password.</p>