Just-in-Time Secrets Access: Eliminating Plaintext Secrets in DevOps
Krzysztof Wiatrzyk
Secrets Mismanagement in Local Development
One of the most common security mistakes in software development is storing secrets - such as AWS access keys - in plaintext files like .env. Too often, we see sensitive credentials accidentally committed to Git repositories, posing a major security risk. Why does this keep happening?
Applications need access to cloud resources (e.g., SQS queues, databases, API keys).
.env files are mistakenly included in repositories due to missing .gitignore rules.
Developers assume that adding .env to .gitignore is a sufficient solution - until they forget to do it in a new project.
The real issue? Secrets are stored in plaintext somewhere on the filesystem. This makes them vulnerable to leaks, accidental sharing, and exposure in shell history logs.
Why This Is a Serious Security Risk
A single leaked credential can compromise an entire infrastructure. Attackers can escalate privileges, exfiltrate data, or even hijack cloud accounts. Traditional fixes, like manually updating .gitignore or using encrypted vaults that still require manual retrieval, don’t solve the core problem: developers are handling secrets insecurely.
Additionally, secrets stored in environment variables persist across sessions, increasing the risk of accidental exposure. This is especially dangerous in CI/CD pipelines, local development, and collaborative environments where multiple engineers access the same system.
Just-in-time Secrets Access with Direnv + Gopass
To eliminate the risk of secret leakage, we need a secure, automated way to manage them. Our approach:
Secrets should never be stored in unencrypted files.
Secrets should not be passed as CLI arguments (to avoid them being saved in shell history).
Secrets should be injected only when needed and removed when no longer required.
Step 1: Direnv – Context-Aware Secrets Loading
Direnv is a tool that automatically loads environment variables when entering a directory and removes them when leaving. This ensures that secrets are available only when necessary and never persist longer than required.
How it works:
Install direnv and integrate it with your shell.
Create a .envrc file inside your project directory.
Add environment variables dynamically, e.g.,
Run direnv allow to approve execution.
When you enter the directory, the secret is loaded; when you leave, it is automatically removed.
Step 2: Gopass – Secure Secrets Storage
Gopass is an encrypted password manager built for teams. It securely stores secrets using PGP encryption and integrates seamlessly with Direnv.
How it works:
Install gopass and set it up with a PGP key.
Store secrets securely:
gopass insert demo/secretRetrieve secrets dynamically via Direnv:
export SECRET=$(gopass show demo/secret)The secret is only available when needed and removed once the session ends.
Additional Use Cases: Extending to Cloud Secrets Providers
Direnv and Gopass can integrate with other secrets management tools, such as:
AWS SSM Parameter Store:
HashiCorp Vault:
Infisical (Open Source Doppler Alternative):
Advanced: Taskfile + Gopass for One-Time Secret Injection
For use cases where secrets should only exist within a single process (e.g., running Terraform or Ansible), we can use Taskfile to inject secrets at runtime:
This ensures secrets are never exposed in the shell and exist only for the duration of the command.
Conclusion: Secure Your Secrets Today
At Let’s Go DevOps, we help teams implement best practices for secure secrets management, reducing risks and improving operational security. Using tools like Direnv, Gopass, and cloud-based secrets managers, you can eliminate plaintext secrets exposure while maintaining developer productivity.
