Announcing SecretSpec: Declarative Secrets Management
We've supported .env integration for managing secrets, but it has several issues:

- Apps are disconnected from their secrets - applications lack a clear contract about which secrets they need
- Parsing .env is unclear - comments, multiline values, and special characters all have ambiguous behavior across different parsers
- Password manager integration is difficult - requiring manual copy-paste or template workarounds
- Vendor lock-in - applications use custom parsing logic, making it hard to switch providers
- No encryption - .env files are stored as plain text, vulnerable to accidental commits or unauthorized access
While we could recommend solutions like dotenvx to encrypt .env files or sops for general secret encryption, these bring new challenges:
Don't you feel some anxiety given we've normalized committing encrypted secrets to git repos? — Domen Kožar (@domenkozar) July 18, 2025
- Single key management - requires distributing and managing a master key