

Secrets With Hashicorp Vault

Hello,

We are adding HashiCorp Vault to manage our secrets. We are doing a ton of work to roll our secrets and keep them safe.

But at the end of the day, secrets still need to live in a .env file and the bootstrap/cache/config.php.

Assuming I set proper permissions, if a bad actor somehow gets into our server with the application's account, will they be able to get these files and our secrets?

Is there anything I can do to lock down these files besides set proper permissions?

0 likes
2 replies

But at the end of the day, secrets still need to live in a .env file

@davidconrad They don't. A .env file is just a convenience for simulating proper environment variables in environments where it's not possible or impractical to set machine-level environment variables, such as locally. For remote environments (such as production), you should be using actual environment variables, not .env files.
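As an added illustration of the point above (example code, not from this thread or from Laravel), the POSIX sh snippet below hands secrets to the PHP process as real environment variables for the duration of a single command, and refuses to deploy if a .env file is present in the release root. `fetch_secret` is a constructed stand-in for whatever fetches values from Vault (for example the Vault CLI or agent); the secret values are constructed.

```shell
#!/bin/sh
# Added example: inject secrets as process environment variables instead of
# writing them to a .env file, and fail the deploy if a .env file exists.

# Constructed stand-in for a Vault lookup (assumption: in a real deploy this
# would call the Vault CLI/agent). Returns non-zero for unknown names so a
# missing secret is noticed rather than silently becoming an empty string.
fetch_secret() {
  case "$1" in
    DB_PASSWORD) printf 'constructed-db-password' ;;
    APP_KEY)     printf 'base64:constructed-app-key' ;;
    *)           return 1 ;;
  esac
}

# True when a .env file sits in the release directory given as $1.
# A production deploy should treat this as a failure: the file is readable
# by anyone who can act as the application account.
release_has_env_file() {
  [ -f "$1/.env" ]
}

# Run the given command with secrets present only in its environment.
# The variable assignments prefixing "$@" apply to that command alone and are
# never exported into the deploying shell or written to disk.
run_with_secrets() {
  for name in DB_PASSWORD APP_KEY; do
    fetch_secret "$name" >/dev/null || {
      echo "missing secret: $name" >&2
      return 1
    }
  done
  DB_PASSWORD="$(fetch_secret DB_PASSWORD)" \
  APP_KEY="$(fetch_secret APP_KEY)" \
  "$@"
}

# Typical use in a deploy script (assumed release path and artisan command):
#   release_has_env_file /var/www/app && { echo ".env must not be deployed" >&2; exit 1; }
#   run_with_secrets php /var/www/app/artisan config:cache
```

Note that `php artisan config:cache` writes whatever `env()` sees at that moment into bootstrap/cache/config.php, so it must run under the same injected environment as the application itself.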


@martinbean Oh interesting. My group may be doing it wrong then. What would the best way of having prod env variables be? Could you link some docs?

Thanks so much!!
