Does this actually work?

I assume an AI which wanted to read a secret and found it wasn't in .env would simply put print(os.environ) in the code and run it...

That's certainly what I do as a developer when trying to debug something that has complex deployment and launch scripts...

Alternative, and more robust approach is to give the agent surrogate credentials and replace them on the way out in a proxy. If proxy runs in an environment to which agent has no access to, the real secrets are not available to it directly; it can only make requests to scoped hosts with those.

I’ve built this in Airut and so far seems to handle all the common cases (GitHub, Anthropic / Google API keys, and even AWS, which requires slightly more work due to the request signing approach). Described in more detail here: https://github.com/airutorg/airut/blob/main/doc/network-sand...

I must have missed some trends changing in the last decade or so. People have production secrets in the open on their development machines?

Or what type of secrets are stored in the local .env files that the LLM should not see?

I try to run environments where developers don't get to see production secrets at all. Of course this doesn't work for small teams or solo developers, but even then the secrets are very separated from development work.

https://github.com/getsops/sops

This software has done this for years

This suffers from all the usual flaws of env variable secrets. The big one being that any other process being run by the same user can see the secrets once “injected”. Meaning that the secrets aren’t protected from your LLM agent at all.

So really all you’re doing is protecting against accidental file ingestion. Which can more easily be done via a variety of other methods. (None of which involve trusting random code that’s so fresh out of the oven its install instructions are hypothetical.)

There are other mismatches between your claims / aims and the reality. Some highlights: You’re not actually zeroizing the secrets. You call `std::process::exit()` which bypasses destructors. Your rotation doesn’t rotate the salt. There are a variety of weaknesses against brute forcing. `import` holds the whole plain text file in memory.

Again, none of these are problems in the context of just preventing accidental .env file ingestion. But then why go to all this trouble? And why make such grand claims?

Stick to established software and patterns, don’t roll your own. Also, don’t use .env if you care about security at all.

My favorite part: I love that “wrong password returns an error” is listed as a notable test. Thanks Claude! Good looking out.

Ive made different solution for my Laravel projects, saving them to the db encrypted. So the only thing living in the .env is db settings. 1 unencrypted record in the settings table with the key.

Won't stop any seasoned hacker but it will stop the automated scripts (for now) to easily get the other keys.

How did this get to the front page? We shouldn't be encouraging bad practices or drawing attention to people who make embarrassing mistakes

Is this a real protection? The AI agent could simply run: enveil run -- printenv

    MY_API_KEY=$(pass my/api/key | head -1) python manage.py runserver

1Password has this feature in beta. [1]

[1]: https://developer.1password.com/docs/environments/

The JSONL logs are the part this doesn't address. Even if the agent never reads .env directly, once it uses a secret in a tool call — a curl, a git push, whatever — that ends up in Claude Code's conversation history at `~/.claude/projects/*/`. Different file, same problem.

How does this compare with https://dotenvx.com/?

https://github.com/jdx/fnox

A recent project by the creator of mise is related too

This doesn’t really fix that it can echo the secrets and read the logs. `enveil run — printenv`

In the vein of related work, there is https://github.com/imbue-ai/latchkey which injects secrets into cURL commands issued by your agent.

Is configuration management dead? Sandbox the agent and provision unique credentials to that environment.

as you have stated 'And yes, this project was built almost entirely with Claude Code with a bunch of manual verification and testing.' this code is not copyright protected, therefore you are not allowed to apply a MIT LICENSE to this project.

Another thing to look at is the built-in sandboxing and permissions for your agent. Claude Code for example has the /sandbox command which uses Bubblewrap on Linux or Seatbelt on macOS for OS level sandboxing. Combine that with global default deny permissions for read & edit on your SSH, GPG keys and other secrets. You need both otherwise Claude can run bash commands which bypass the permissions.

This looks interesting. For agent-fecfile I used the system keyring + an out-of-process proxy (MCP Server) to try to maximize portability.¹

¹ https://github.com/hodgesmr/agent-fecfile?tab=readme-ov-file...

Sometimes I need to give Claude Code access to a secret to do something. (e.g. Use the OpenAI API to generate an image to use in the application.) Obviously I rotate those often. But what is interesting is what happens if I forget to provide it the secret. It will just grep the logs and try to find a working secret from other projects/past sessions (at least in --dangerously-skip-permissions mode.)

this won't solve the problem.

Instead you need to do what hardsnow is doing: https://news.ycombinator.com/item?id=47133573

Or what the https://github.com/earendil-works/gondolin is doing

I think it would be best if AI agents would honor either .gitignore or .aiexclude (https://developers.google.com/gemini-code-assist/docs/create...).

This works by obfuscating the keys in memory with a root-access risk model. It will work but as I've been told when I tried the same thing for another purpose, this is security by annoyance. It sounds harsh but the same gatekeepers mentioned that this was only a psychological trick.

I dislike the gatekeepers so I will follow this implementation and see where it goes. Maybe they like you better.

this solves a real problem. i run coding agents that have access to my workspace and the .env files are always the scariest part. even with .gitignore, the agent can still read them and potentially include secrets in context that gets sent to an API.

the approach of encrypting at rest and only decrypting into environment variables at runtime means the agent never sees the raw secrets even if it reads every file in the project. much better than the current best practice of just hoping your .gitignore is correct and your AI tool respects it.

one suggestion: it would be useful to have a "dry run" mode that shows which env vars would be set without actually setting them. helps verify the config is correct before you realize three services are broken because a typo in the key name.

I use bubblewrap to sandbox the agent to my projects folder, where the ai gets free read/write reign. Non-synthetic env cars are symlinked into my projects folder from outside that folder.

I use the combination of sops and age combined with pre-commit hooks to encrypt.env files. Works tremendously well.

What about something like Hashicorp secrets? We have a the hashicorp secrets in launch.json and load the values when the process is initialized (yeah it is still not great)

I'm using https://www.litellm.ai/ as a proxy

The way I did it now is to put everything in 1Password and just use the `op://vault/item/field` references in .env or configs

> can read files in your project directory, which means a plaintext .env file is an accidental secret dump waiting to happen

It's almost like having a plaintext file full of production secrets on your workstation is a bad fucking idea.

So this is apparently the natural evolution of having spicy autocomplete become such a common crutch for some developers: existing bad decisions they were ignoring cause even bigger problems than they would normally, and thus they invent even more ridiculous solutions to said problems.

But this isn't all just snark and sarcasm. I have a serious question.

Why, WHY for the love of fucking milk and cookies are you storing production secrets in a text file on your workstation?

I don't really understand the obsession with a .ENV file like that (there are significantly better ways to inject environment variables) but that isn't the point here.

Why do you have live secrets for production systems on your workstation? You do understand the purpose of having staging environments right? If the secrets are to non-production systems and can still cause actual damage, then they aren't non-production after all are they?

Seriously. I could paste the entirety of our local dev environment variables into this comment and have zero concerns, because they're inherently to non-production systems:

- payment gateway sandboxes;

- SES sending profiles configured to only send mail to specific addresses;

- DB/Redis credentials which are IP restricted;

For production systems? Absolutely protect the secrets. We use GPG'd files that are ingested during environment setup, but use what works for you.

Looks good. Almost stopped reading due the npm example, grasped it was just a use case, kept reading.

Kernel keyring support would be the next step?

PASS=$(keyctl print $(keyctl search @s user enveil_key))

I prefer waiting till it gets me in trouble. So far, it having access to all my .env secrets seems to work out okay.