From .env to Spring Boot Secrets from Your OS Keyring

Every Spring Boot project I touch eventually grows a .env, an application-local.yml, or a secrets.properties that I'm told to "just not commit". It's convenient: one file, all your local keys, sourced in seconds.
But here's the catch: that file is plaintext, and it sits on disk. Keeping it out of git only prevents the leak-by-commit; it does nothing about reads from disk. Anything running as your user can open it: a misbehaving build plugin, a backup daemon, or, increasingly, a coding agent you let loose in your repo. Putting a real API key or a production-adjacent database password in there is not something I'm comfortable doing on my daily driver.
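To see how exposed those files actually are, here is a small audit script, added as an example for this post rather than anything from the original article or from Spring Boot itself. It walks a project tree, parses the three file kinds named above (.env, application-local.yml, secrets.properties), flags entries whose key looks credential-like, and reports whether each file is world-readable and whether it is even listed in .gitignore. The secret-key regex, the minimal YAML scanner (flat mappings only) and the literal .gitignore match are simplifying assumptions, and the sample project it scans is constructed in a temp directory with made-up values.

```python
"""Audit a project tree for plaintext secret files (.env, application-local.yml,
secrets.properties). Added example; the key heuristic and the simplified
.gitignore matching are assumptions, not Spring Boot behaviour."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristic: key names that usually carry credentials (assumed for this example).
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api[_.-]?key|credential|private[_.-]?key)", re.I)


def parse_dotenv(text):
    """KEY=VALUE lines; tolerates `export KEY=...`, quotes and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip("'\"")
    return out


def parse_properties(text):
    """Java .properties: key=value or key: value, with # or ! comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_flat_yaml(text):
    """Minimal YAML mapping scanner: nesting by indentation becomes dotted keys.
    Scalars and nested mappings only (no lists, anchors or block scalars)."""
    out, stack = {}, []  # stack holds (indent, key) for the current path
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("'\"")
        if value:
            out[".".join(k for _, k in stack)] = value
    return out


# The three file names the post mentions, mapped to their parsers.
PARSERS = {".env": parse_dotenv, "secrets.properties": parse_properties,
           "application-local.yml": parse_flat_yaml}


def is_gitignored(root, rel):
    """Literal match of the path or basename against .gitignore (no glob semantics)."""
    ignore = root / ".gitignore"
    if not ignore.exists():
        return False
    patterns = {p.strip().lstrip("/") for p in ignore.read_text().splitlines()
                if p.strip() and not p.startswith("#")}
    return rel in patterns or Path(rel).name in patterns


def audit(root):
    """Return one finding per credential-looking entry, with the secret masked."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.name not in PARSERS or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(path.stat().st_mode)
        for key, value in PARSERS[path.name](path.read_text(encoding="utf-8")).items():
            if value and SECRET_KEY_RE.search(key):
                findings.append({"file": rel, "key": key,
                                 "value": value[:2] + "***",  # never echo the secret
                                 "world_readable": bool(mode & stat.S_IROTH),
                                 "gitignored": is_gitignored(root, rel)})
    return findings


def build_demo_tree(root):
    """Constructed sample project with fake values; only .env is gitignored."""
    root = Path(root)
    (root / "src/main/resources").mkdir(parents=True, exist_ok=True)
    (root / ".gitignore").write_text(".env\n")
    (root / ".env").write_text("# local dev\nexport OPENAI_API_KEY='sk-example-not-real'\n"
                               "DB_PASSWORD=hunter2\nAPP_PORT=8080\n")
    (root / "secrets.properties").write_text("# never commit\nstripe.secret.key=sk_test_example\n"
                                             "feature.flag=on\n")
    (root / "src/main/resources/application-local.yml").write_text(
        "spring:\n  datasource:\n    url: jdbc:postgresql://localhost/app\n"
        "    username: app\n    password: s3cret\n")
    os.chmod(root / ".env", 0o644)               # readable by everyone on the box
    os.chmod(root / "secrets.properties", 0o600)  # owner only, still readable by anything running as you
    return root


def demo():
    """Build the sample tree in a temp dir and audit it."""
    return audit(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The mode column only tells you about other users; note that the owner-only secrets.properties still shows up, which is exactly the point of the post: any process running under your account reads it without asking.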
