Traditional .env vs KMS Secret Manager
Side-by-side comparison showing the difference between storing secrets in plain text versus fetching them from KMS at runtime.
Traditional Approach: Plain Text .env
# Traditional .env approach - ALL secrets in plain text
DB_PASSWORD=super_secret_password_123
OSS_ACCESS_KEY_ID=LTAI5t8xxxxxxxxxxxx
OSS_ACCESS_KEY_SECRET=kA9xxxxxxxxxxxxxxxx
API_KEY=sk-live-xxxxxxxxxxxxxxxx
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Risks:
- Secrets visible in plain text on disk
- Committed to version control by mistake
- Anyone with server access can read them
- No audit trail of who accessed secrets
- Rotation requires redeployment
KMS Approach: Runtime Secret Fetch
# KMS approach - ONLY bootstrap config in .env
ALICLOUD_REGION_ID=cn-hangzhou
ALICLOUD_ACCESS_KEY_ID=LTAI5t8xxxxxxxxxxxx
ALICLOUD_ACCESS_KEY_SECRET=kA9xxxxxxxxxxxxxxxx
# Secret names only - VALUES fetched from KMS at runtime
KMS_SECRET_DB_PASSWORD=prod/db/password
KMS_SECRET_OSS_ACCESS_KEY=prod/oss/access-key
KMS_SECRET_OSS_SECRET=prod/oss/secret
KMS_SECRET_API_KEY=prod/api/key
Benefits:
- .env only contains non-sensitive bootstrap config
- Secret values never touch the filesystem
- Access controlled by Alibaba Cloud IAM
- Full audit trail via ActionTrail
- Rotate secrets without redeploying
Detailed Comparison
| Aspect | Traditional .env | KMS Secret Manager | Winner |
|---|---|---|---|
| Secret Storage | Plain text in .env file on disk | Encrypted in Alibaba Cloud KMS Secret Manager | KMS |
| Rotation | Manual edit of .env + redeploy | Rotate in KMS console, app picks up new value automatically (after cache expires) | KMS |
| Access Control | Anyone with server/file access can read secrets | Controlled by Alibaba Cloud RAM policies and KMS permissions | KMS |
| Audit Logging | No built-in audit trail for secret access | Full audit log via Alibaba Cloud ActionTrail for every secret retrieval | KMS |
| Complexity | Simple - just edit the file | Requires network call to KMS on boot (cached with TTL) | Traditional |
| Disaster Recovery | Secrets lost if server/files are compromised or lost | Secrets are backed up and replicated by Alibaba Cloud | KMS |
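The runtime-fetch pattern described above (secret names in the bootstrap .env, values pulled from KMS on demand and cached with a TTL so rotation is picked up after the cache expires) in working form. This is an added example written for this page, not code from the original page or from any Alibaba Cloud SDK. It assumes a `fetch(secret_name) -> value` callable; in a real deployment that callable would wrap the KMS Secret Manager retrieval call using the ALICLOUD_* bootstrap credentials, which is left out here so the example runs offline against a constructed in-memory store. The KMS_SECRET_ prefix and the secret names come from the page; the secret values and the fake store are constructed.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping

# Bootstrap .env convention used on this page: KMS_SECRET_DB_PASSWORD=prod/db/password
KMS_PREFIX = "KMS_SECRET_"


def load_secret_map(environ: Mapping[str, str]) -> Dict[str, str]:
    """Map logical names (DB_PASSWORD) to KMS secret names (prod/db/password).

    Only KMS_SECRET_* entries are read. Their values are secret *names*, never
    secret values, so nothing sensitive is parsed from the environment here.
    """
    return {
        key[len(KMS_PREFIX):]: value
        for key, value in environ.items()
        if key.startswith(KMS_PREFIX) and value
    }


@dataclass
class _CacheEntry:
    value: str
    expires_at: float


class SecretManager:
    """Fetch secret values at runtime and keep them only in memory for ttl_seconds.

    `fetch` is any callable taking a KMS secret name and returning its current
    value (assumption: in production this wraps the KMS Secret Manager call).
    `clock` is injectable so TTL expiry can be tested without sleeping.
    """

    def __init__(self, secret_map: Mapping[str, str], fetch: Callable[[str], str],
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._map = dict(secret_map)
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, _CacheEntry] = {}
        self.fetch_count = 0  # number of real KMS calls made (useful for metrics and tests)

    def get(self, logical_name: str) -> str:
        try:
            secret_name = self._map[logical_name]
        except KeyError:
            raise KeyError(f"no {KMS_PREFIX}{logical_name} configured in bootstrap env") from None
        now = self._clock()
        entry = self._cache.get(logical_name)
        if entry is not None and now < entry.expires_at:
            return entry.value  # served from memory, no network call
        value = self._fetch(secret_name)
        self.fetch_count += 1
        self._cache[logical_name] = _CacheEntry(value=value, expires_at=now + self._ttl)
        return value

    def invalidate(self, logical_name: str = None) -> None:
        """Drop cached values so the next get() re-fetches (e.g. after a rotation event)."""
        if logical_name is None:
            self._cache.clear()
        else:
            self._cache.pop(logical_name, None)


# Constructed sample data: a bootstrap env and a fake store standing in for
# Alibaba Cloud KMS Secret Manager. Values are made up for the example.
BOOTSTRAP_ENV = {
    "ALICLOUD_REGION_ID": "cn-hangzhou",
    "KMS_SECRET_DB_PASSWORD": "prod/db/password",
    "KMS_SECRET_API_KEY": "prod/api/key",
}
FAKE_KMS_STORE = {
    "prod/db/password": "db-pw-v1",
    "prod/api/key": "api-key-v1",
}


def fake_kms_fetch(secret_name: str) -> str:
    """Constructed stand-in for the real KMS retrieval call."""
    return FAKE_KMS_STORE[secret_name]


def demo_rotation(ttl_seconds: float = 60.0):
    """Cached read, rotation in 'KMS', stale value until TTL expiry, then the new value."""
    FAKE_KMS_STORE["prod/db/password"] = "db-pw-v1"  # reset so the demo is repeatable
    clock = [0.0]
    manager = SecretManager(load_secret_map(BOOTSTRAP_ENV), fake_kms_fetch,
                            ttl_seconds, clock=lambda: clock[0])
    before = manager.get("DB_PASSWORD")   # first call hits KMS
    cached = manager.get("DB_PASSWORD")   # second call served from cache
    FAKE_KMS_STORE["prod/db/password"] = "db-pw-v2"  # operator rotates the secret in KMS
    stale = manager.get("DB_PASSWORD")    # still v1: cache has not expired yet
    clock[0] += ttl_seconds + 1
    fresh = manager.get("DB_PASSWORD")    # TTL expired: re-fetched, now v2
    return before, cached, stale, fresh, manager.fetch_count


if __name__ == "__main__":
    print(load_secret_map({**os.environ, **BOOTSTRAP_ENV}))
    print(demo_rotation())
```

Two points worth keeping in mind when adopting this: the TTL is the upper bound on how long a rotated secret stays stale, so pick it to match the rotation window (and call `invalidate()` on a rotation signal if faster pickup is needed), and the ALICLOUD_ACCESS_KEY_SECRET that remains in the bootstrap .env is itself a credential, so scope that RAM identity to read-only access on exactly the secret names it needs, which is what makes the RAM-policy and ActionTrail rows of the table meaningful.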