Environment Variables vs HashiCorp Vault

Environment Variables

Pros

  • Simple — works everywhere (Docker, K8s, serverless)
  • No additional infrastructure
  • Standard 12-factor app pattern
  • Fast to set up for development and staging

Cons

  • Visible in process listings and crash dumps
  • No built-in rotation or versioning
  • Hard to audit who accessed secrets
  • Easy to leak via logs, screenshots, or git

HashiCorp Vault

Pros

  • Centralized secrets with access policies
  • Dynamic secrets and automatic rotation
  • Full audit log of every access
  • Encryption at rest and in transit

Cons

  • Requires dedicated infrastructure and ops
  • Added latency for secret retrieval
  • Complex to configure correctly
  • Single point of failure if not HA

Verdict

Environment variables are fine for development, staging, and small deployments where secrets are injected at deploy time and never logged. Move to HashiCorp Vault when you need audit trails, automatic rotation, dynamic credentials, or fine-grained access control across teams and services. For production JWT signing keys, at minimum use a cloud secrets manager or Vault — not plaintext in .env files committed to CI logs. The upgrade path is env vars for local dev, managed secrets for production.

Related Tools

Deeper Reading

Frequently Asked Questions

Are env vars insecure?

Not inherently — they are insecure when mishandled: committed to git, logged, or shared broadly across services.

When is Vault overkill?

Solo projects, local development, and early-stage apps with a single deployment and one operator.