Muhammad Ahmad
Posted on May 30

# Every tutorial tells you to add .env to .gitignore. That's not enough.

#go #security #opensource #devtools

Here's something nobody talks about.

.gitignore doesn't encrypt your secrets. It just hides them from git.

They're still sitting on your laptop as plaintext. Every tool you install can read them. Every script that runs can read them. One accidental commit and your database password is public on GitHub forever.

So I built dotlock — an encrypted .env vault with a terminal UI, written in Go.

## Before and after

### Before dotlock

```
DATABASE_URL=postgres://localhost/myapp   # plaintext, readable by anything
STRIPE_KEY=sk_live_abc123                 # one grep away from anyone
```

### After dotlock

```
# .dotlock file on disk — looks like this:
[encrypted binary — unreadable without your private key]
```

## How it works under 10 seconds

```bash
cd my-project
dotlock set DATABASE_URL   # prompts for value, input is masked
dotlock                    # opens the terminal UI
```

Secrets are encrypted with age — X25519 key agreement and ChaCha20-Poly1305 authenticated encryption. The same primitives serious security engineers use.

No master password. No cloud. No telemetry. 100% offline.

## What it looks like

Two panels — profiles on the left, secrets on the right. Values are masked by default. Press `v` to reveal for 30 seconds, then it hides itself automatically.

Switch between dev, staging, and prod profiles. Run a diff before deploying to catch missing variables before they break your app.

## The interesting technical bit

The hardest part wasn't the encryption — filippo.io/age makes that straightforward. It was the TUI.

BubbleTea uses the Elm architecture — Model, Update, View. Everything is a message. A keypress is a message. A timer firing is a message. Your Update function receives messages and returns a new model.

The 30-second auto-hide on secret reveal works like this — no t
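
The message-driven reveal timer described above, as an added sketch: this is not dotlock's code and it uses only the Go standard library rather than BubbleTea. All type, message and function names are assumptions; it shows the case where a second reveal must not be cut short by the first reveal's timer.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical names; mirrors the Model/Update/View shape without BubbleTea.
const revealFor = 30 * time.Second

type revealMsg struct{ now time.Time } // user pressed "v"
type hideMsg struct{ gen int }         // the timer started by reveal number gen fired

type model struct {
	revealed bool
	gen      int       // bumped on every reveal so stale timers can be ignored
	hideAt   time.Time // when the current reveal expires
}

// update is pure: it takes a message and returns the next model plus the
// generation of a timer the runtime should schedule (0 means none).
func update(m model, msg any) (model, int) {
	switch msg := msg.(type) {
	case revealMsg:
		m.revealed, m.gen, m.hideAt = true, m.gen+1, msg.now.Add(revealFor)
		return m, m.gen
	case hideMsg:
		if msg.gen == m.gen { // only the newest reveal's timer may hide the value
			m.revealed = false
		}
	}
	return m, 0
}

// view renders the secret only while the model says it is revealed.
func view(m model, secret string) string {
	if m.revealed {
		return secret
	}
	return "********"
}

func main() {
	t0 := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	m, first := update(model{}, revealMsg{t0})
	m, second := update(m, revealMsg{t0.Add(20 * time.Second)}) // re-reveal at 20s
	m, _ = update(m, hideMsg{first})                            // stale timer fires at 30s
	fmt.Println(view(m, "example-value"), m.hideAt.Sub(t0))
	m, _ = update(m, hideMsg{second}) // current timer fires at 50s
	fmt.Println(view(m, "example-value"))
}
```
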
📰Dev.to — dev.to