Working with Secrets

Secrets are variables that contain sensitive information and require extra protection. EnvManager encrypts secrets at rest and provides controlled access with full audit logging.

What Are Secrets?

Secrets are environment variables marked as sensitive. Unlike regular variables, secret values are:

  • Encrypted at rest using Supabase Vault
  • Hidden by default in the user interface
  • Access controlled with permission checks
  • Audit logged whenever viewed or modified

What Should Be a Secret?

Mark variables as secrets when they contain:

  • API keys and access tokens
  • Database passwords and connection strings
  • Encryption keys and certificates
  • OAuth client secrets
  • Third-party service credentials
  • Payment processor keys (Stripe, PayPal, etc.)
  • Any value you wouldn't want visible in logs or screenshots

Common Secret Patterns

Variable Name            Why It's a Secret
DATABASE_URL             Contains database password
STRIPE_SECRET_KEY        Payment processing credentials
JWT_SECRET               Token signing key
AWS_SECRET_ACCESS_KEY    Cloud provider credentials
SMTP_PASSWORD            Email server authentication
OAUTH_CLIENT_SECRET      Authentication credentials

Creating Secrets

When adding a new variable, check the Store as Secret checkbox before saving.

You cannot change a regular variable to a secret after creation. If you need to convert a variable, delete it and create a new one with the secret option enabled.

How Secrets Are Protected

Encryption at Rest

When you save a secret:

  1. The value is sent securely to the server
  2. EnvManager encrypts it using Supabase Vault (pgsodium)
  3. Only the encrypted value is stored in the database
  4. The original value is never stored in plain text

Hidden by Default

In the variables list, secret values display as •••••••• instead of the actual value. This prevents accidental exposure when:

  • Sharing your screen
  • Taking screenshots
  • Working in public spaces
  • Leaving your computer unattended

Access Control

Only users with appropriate permissions can reveal secret values:

  • Owners and Admins can view all secrets in the organization
  • Members can only view secrets in environments they have access to

Audit Logging

Every secret access is logged, including:

  • Who revealed the value
  • When they revealed it
  • Which secret was accessed

This creates an audit trail for compliance and security reviews.

Revealing Secret Values

To view a secret's actual value:

  1. Find the Secret: Locate the secret variable in your variables list. It will show •••••••• as the value.
  2. Click the Eye Icon: Click the eye icon next to the hidden value.
  3. View the Value: The decrypted value appears temporarily. You can copy it if needed.
  4. Hide the Value: Click the eye icon again to hide the value, or it will auto-hide when you navigate away.

Secret values are decrypted on-demand. They're never stored in your browser longer than necessary.

Editing Secrets

To modify a secret's value:

  1. Click the edit icon on the secret row
  2. The current value is decrypted and shown in the edit form
  3. Enter the new value
  4. Click Save

The new value is encrypted before storage, and the change is logged.

Secrets and Import/Export

Importing

When importing from .env files, EnvManager automatically detects likely secrets based on variable names containing:

  • SECRET
  • KEY
  • TOKEN
  • PASSWORD
  • PRIVATE
  • AUTH
  • CREDENTIAL

You can adjust the secret detection during the import preview. See Importing Variables for details.
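
An added example (not EnvManager's own code) of name-based detection over a constructed .env file, assuming case-insensitive substring matching on the keywords listed above. It shows why the import preview deserves a careful look: KEYBOARD_LAYOUT and AUTHOR_NAME are flagged by name alone, while DATABASE_URL matches no keyword and is caught only by the extra value check, which is an assumption added here and not a documented EnvManager feature.

```python
import re

# Name fragments the page lists for import-time secret detection.
KEYWORDS = ("SECRET", "KEY", "TOKEN", "PASSWORD", "PRIVATE", "AUTH", "CREDENTIAL")
# Assumption (not from the page): also review values shaped like scheme://user:pass@host.
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip 'export' and quotes."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip()
        if name.startswith("export "):
            name = name[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs[name] = value
    return pairs

def classify(pairs):
    """Return {name: reason} where reason is 'name', 'value', or None."""
    result = dict.fromkeys(pairs)  # every name starts as None (not flagged)
    for name, value in pairs.items():
        if any(k in name.upper() for k in KEYWORDS):
            result[name] = "name"    # keyword found in the variable name
        elif URL_WITH_CREDS.match(value):
            result[name] = "value"   # credentials embedded in a URL value
    return result

# Constructed sample input; none of these values are real credentials.
SAMPLE_ENV = """\
# app config
DATABASE_URL=postgres://app:example-password@db.example.internal:5432/app
STRIPE_SECRET_KEY="constructed-not-a-real-key"
export SMTP_PASSWORD='constructed'
KEYBOARD_LAYOUT=us
AUTHOR_NAME=Jane
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for name, reason in classify(parse_env(SAMPLE_ENV)).items():
        print(f"{name:20} {reason or '-'}")
```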

Exporting

When you export variables:

  • Secret values are included if you have permission to view them
  • The exported file contains plain text values
  • Handle exported files with care—don't commit them to version control

Exported files containing secrets should be treated as sensitive. Delete them after use and never share them through insecure channels.

Security Best Practices

Limit Secret Access

  • Only grant production environment access to team members who need it
  • Use the principle of least privilege when assigning roles
  • Regularly review who has access to sensitive environments

Rotate Secrets Regularly

  • Change API keys and passwords periodically
  • Rotate immediately if you suspect a compromise
  • Update all environments when rotating shared secrets

Use Environment-Specific Secrets

  • Never use the same secret value across Development and Production
  • Use test/sandbox credentials for Development
  • Keep Production secrets strictly separate

Monitor Access

  • Review audit logs periodically
  • Investigate unexpected secret access
  • Set up alerts for unusual patterns (if available)

Troubleshooting

Can't See Secret Value

If clicking the eye icon doesn't reveal the value:

  • Check that you have access to this environment
  • Verify your role allows viewing secrets
  • Try refreshing the page and logging in again

Can't Create Secrets

If the "Store as Secret" option isn't available:

  • Verify you have edit permissions for this environment
  • Check that your subscription tier supports secrets

Next Steps

Variables Overview

Learn the basics of creating and managing variables.

Roles & Permissions

Understand who can access secrets in your organization.

Environments

Control access to secrets by environment.
