Every tutorial tells you to add .env to .gitignore. That's not enough.

Here's something nobody talks about. .gitignore doesn't encrypt your secrets. It just hides them...

sabato 30 maggio 2026 New tab

414 words~2 min read

Here's something nobody talks about.

.gitignore doesn't encrypt your secrets. It just hides them from git.

They're still sitting on your laptop as plaintext. Every tool you install can read them. Every script that runs can read them. One accidental commit and your database password is public on GitHub forever.

So I built dotlock — an encrypted .env vault with a terminal UI, written in Go.

Before and after

Every tutorial tells you to add .env to .gitignore. That's not enough.

Every tutorial tells you to add .env to .gitignore. That's not enough.

Related reading

Stop Leaking API Keys: Why I Built a Local-First Vault for Developers 🔐

I Leaked API Keys Through My .env File — Here's What I Learned About Secret…

SECPAC: A Lightweight CLI Tool to Password-Protect Your Environment Variables 🚀

Security by Design: Keeping API Tokens Out of Git with a 3-Layer Setup

DevSecOps for Git: Security Starts at Commit Time

How to Stop Leaking AWS Keys to GitHub (And What to Do When You Already Did)

Related reading

Stop Leaking API Keys: Why I Built a Local-First Vault for Developers 🔐

I Leaked API Keys Through My .env File — Here's What I Learned About Secret…

SECPAC: A Lightweight CLI Tool to Password-Protect Your Environment Variables 🚀

Security by Design: Keeping API Tokens Out of Git with a 3-Layer Setup

DevSecOps for Git: Security Starts at Commit Time

How to Stop Leaking AWS Keys to GitHub (And What to Do When You Already Did)