How to Securely Store Secrets in Environment Variables

You may have seen the recent reports of a malware that stole API keys, tokens and other secrets from a large number of developers. From where were these secrets stolen from? You guessed it, they were mostly stolen from environment variables.

We use environment variables to configure information that processes need to run, but this type of storage was not designed for security, so using the environment for secrets always comes with risk. Given how serious this recent attack was, I thought it would be good to write a short article describing how I manage my secrets as part of my open source work.