Question 1

Why is dotenv insecure for storing API keys?

Accepted Answer

dotenv stores secrets as plaintext in .env files on disk. Any process, script, or AI agent with file system access can read them. They often get committed to git accidentally — GitHub reports 12.8 million secrets were exposed in public repos in 2024. There's no authentication, no encryption, and no access control.

Question 2

What is a good alternative to dotenv?

Accepted Answer

NoxKey is a free, open-source dotenv alternative for macOS that stores secrets in the Keychain with Touch ID authentication. Instead of reading from a plaintext file, you load secrets with eval "$(noxkey get org/KEY)" — the value is encrypted at rest and never appears in terminal output or shell history.

Question 3

How do I migrate from dotenv to NoxKey?

Accepted Answer

One command: noxkey import myorg .env — this reads your .env file and stores each key-value pair in the macOS Keychain. Then delete the .env file. Access secrets with eval "$(noxkey get myorg/KEY_NAME)" instead of process.env.KEY_NAME.

Feature	NoxKey	dotenv
Storage	macOS Keychain (hardware encrypted)	Plaintext .env file on disk
Encryption	AES-256 (Secure Enclave)	None
Authentication	Touch ID on every access	None — any process can read
Git safety	Not a file — can't be committed	Relies on .gitignore (frequently fails)
AI agent exposure	Encrypted handoff — value never in context	Fully readable by any agent
Shell history	Never appears	Visible if echoed or logged
Rotation support	Guided rotation	Manual find-and-replace
Peek without exposing	First 8 chars only	View exposes entire value
Price	Free (MIT open source)	Free
Setup	`brew install no-box-dev/noxkey/noxkey`	`npm install dotenv`

NoxKey vs dotenv

The problem with .env files

How NoxKey replaces dotenv in your workflow

Migrate in 60 seconds

When to keep using dotenv

Replace .env files in 60 seconds