SecretSpec
SecretSpec separates secret declaration from secret provisioning. You define what secrets your application needs in a secretspec.toml file, and each developer, CI system, and production environment can provide those secrets from their preferred secure provider.
Quick Start
Follow the SecretSpec Quick Start.
Best Practice: Runtime Loading
While you can enable SecretSpec in devenv to load secrets into the secretspec.secrets option, we recommend:
a) Use the Rust SDK
b) Have your application load secrets at runtime instead:
This approach:
- Keeps secrets out of your shell environment
- Reduces exposure of sensitive data
- Makes secret rotation easier
- Follows the principle of least privilege
Configuration (Optional)
If you do need secrets in your devenv environment:
devenv.yaml
secretspec:
  enable: true
  # these are optional global overrides
  provider: keyring # keyring, dotenv, env, 1password, lastpass
  profile: default # profile from secretspec.toml
Then access in devenv.nix:
Learn More
- secretspec.dev
- Providers - Keyring, 1Password, dotenv, and more
- Profiles - Environment-specific configurations
- Rust SDK - Type-safe secret access