Production Secrets Management: From .env Files to Vault and Beyond

Source: DEV Community
Your .env file has your database password, your Stripe secret key, and your JWT signing secret. It's also in your git history from that one commit six months ago. Let's fix this.

The .env Problem

Every Node.js tutorial starts the same way:

```dotenv
# .env
DATABASE_URL=postgres://admin:password123@localhost:5432/myapp
STRIPE_SECRET_KEY=sk_live_abc123
JWT_SECRET=my-super-secret
```

```javascript
import dotenv from 'dotenv';
import { Pool } from 'pg'; // connection pool used below

// Reads .env from the working directory into process.env
dotenv.config();

const db = new Pool({ connectionString: process.env.DATABASE_URL });
```

This works on your laptop. In production, it's a liability. Here's why: .env files are unencrypted plaintext sitting on disk. They get copied into Docker images, committed to repos, logged by process managers, and leaked through error dumps. They have no access control, no audit trail, and no rotation mechanism.

The rule is simple: .env for development, secret managers for everything else.

Secret Managers: The Production Way

A secret manager gives you encrypted storage, access control, audit logs, and rotation
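One way to make that rule enforceable in code, as an added example that is not from the original post: a loader that parses .env only in development, refuses a .env on a production host, pulls production secrets from an injected secret-manager client (the fetchFromManager function is an assumed stand-in for whatever Vault/cloud client you use), checks that every required key is present, and redacts values before they can reach a log. The SAMPLE_DOTENV contents are constructed for the example.

```javascript
// Added example, not code from the original post: a loader that enforces
// "dotenv for development, secret manager for everything else".
// fetchFromManager is an assumed, injected client (Vault, AWS, GCP, ...)
// that returns { KEY: value }; nothing here talks to a real backend.
const REQUIRED = ['DATABASE_URL', 'STRIPE_SECRET_KEY', 'JWT_SECRET'];
// Constructed sample .env for local runs and the checks below.
const SAMPLE_DOTENV = '# constructed sample\nDATABASE_URL="postgres://admin:pw@localhost:5432/myapp"\nSTRIPE_SECRET_KEY=sk_test_placeholder\nJWT_SECRET=dev-only\n';

// Minimal parser for the .env format: KEY=VALUE per line,
// '#' comments, blank lines, and optional single or double quotes.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue; // no key, skip the line
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(['"])(.*)\1$/);
    if (quoted) value = quoted[2];
    out[key] = value;
  }
  return out;
}

// Values never go to logs or error dumps: keep the keys, mask the values.
function redact(secrets) {
  return Object.fromEntries(Object.keys(secrets).map((k) => [k, '***']));
}

// env: 'development' or 'production'.
// dotenvText: contents of a .env file, or null if none is present.
// fetchFromManager: function returning { KEY: value } from the secret manager.
function loadSecrets({ env, dotenvText = null, fetchFromManager = null }) {
  let secrets;
  if (env === 'production') {
    // A .env on a production host is exactly the liability described above.
    if (dotenvText !== null) throw new Error('refusing to load .env in production');
    if (typeof fetchFromManager !== 'function') {
      throw new Error('production requires a secret manager client');
    }
    secrets = fetchFromManager();
  } else {
    secrets = parseDotenv(dotenvText || '');
  }
  const missing = REQUIRED.filter((k) => !secrets[k]);
  if (missing.length) throw new Error('missing secrets: ' + missing.join(', '));
  return secrets;
}
```

Log `redact(secrets)` rather than the object itself so a crash report shows which keys were loaded without exposing their values.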