Encrypt your .env with AWS KMS: Secrets that never touch process.env

A year ago I'd have told you a .env file was fine.

Then we patched a CVSS 10.0 RCE in Next.js (CVE-2025-66478) and spent the next two days rotating every secret we owned — because we couldn't prove which ones an attacker could have read. They were all sitting in process.env. One env dump away from gone.

That incident is why I built @faizahmed/secret-keystore.

The actual problem isn't committing .env

Everyone knows not to commit secrets. The part that hurts you is what happens the moment your process is compromised. The default Node setup: