NoxKey vs dotenv
dotenv made environment variables easy. It also left every secret on your machine in plaintext with zero authentication. Here's what's different.
| Feature | NoxKey | dotenv |
|---|---|---|
| Storage | macOS Keychain (hardware encrypted) | Plaintext .env file on disk |
| Encryption | AES-256 (Secure Enclave) | None |
| Authentication | Touch ID on every access | None — any process can read |
| Git safety | Not a file — can't be committed | Relies on .gitignore (frequently fails) |
| AI agent exposure | Encrypted handoff — value never in context | Fully readable by any agent |
| Shell history | Never appears | Visible if echoed or logged |
| Rotation support | Guided rotation | Manual find-and-replace |
| Peek without exposing | First 8 chars only | View exposes entire value |
| Price | Free (AGPL-3.0 open source) | Free |
| Setup | Mac App Store — installs the app + bundled MCP server | npm install dotenv |
The problem with .env files
- Plaintext on disk — any process, script, or malware can read them
- Git accidents — 12.8 million secrets leaked on GitHub in 2024
- AI agents read them — Claude Code, Cursor, and Copilot can access every .env file on your machine
- No access control — once the file exists, everything has access
- No audit trail — no way to know when or what accessed a secret
How NoxKey replaces dotenv in your workflow
The old way:
1. Create .env file → 2. Add to .gitignore (hope it works) → 3. Load with require('dotenv').config() → 4. Access via process.env.KEY
The NoxKey way:
1. Open NoxKey, paste from clipboard → 2. Touch ID writes the secret to the macOS Keychain. Humans pull it from a Spotlight-style panel (Cmd+Shift+1); AI agents fetch it via the bundled MCP server (noxkey_get) — value never enters the model's context.
Migrate in 60 seconds
1. Drop your .env onto the import sheet in the menu bar app
2. Review the keys (values masked) and approve with Touch ID — the whole batch lands in the Keychain
3. Delete the .env file: rm .env — agents pick the secrets up via MCP, humans via Cmd+Shift+1
When to keep using dotenv
- Non-sensitive config — feature flags, port numbers, and other non-secret values are fine in .env
- Cross-platform teams — if your team uses Linux and Windows, NoxKey won't work (macOS only)
- CI/CD environments — use your CI provider's secret management; NoxKey is for local development
Replace .env files in 60 seconds
Free, no account, no cloud. Import your existing .env and delete it.
Download on the Mac App Store