I have a private repository on GitHub which houses my NodeJS application. The NodeJS app requires a few secret credentials (database user/pass etc.) that I store in a .env file (I use the dotenv npm module). I do commit this .env file to my private repository, since I know that I am the only one who has access to the repo, so I consider it a safe place to store my .env file.
And when I need to deploy my application to my DigitalOcean server, I just take a pull from my GitHub private repo, which also pulls the .env file; that way I do not have to remember the credentials.
But lately I have been told that this is not a good approach, since my GitHub private repository may get hacked someday and the credentials stored in the .env file could be compromised.
Now my questions are:
1) If it's unsafe to store the .env file in a private repo, isn't it also unsafe if the .env file is physically stored on my DigitalOcean instance (what if my DigitalOcean instance gets hacked someday)?
2) How do you store such sensitive information on your production server? Do you store it in a .env file as well? If so, how and where do you generate that .env file? If not in a .env file, how do you store sensitive information such as database usernames/passwords? (Here I am talking about deploying small-scale apps manually, not using any CI/CD tools such as Jenkins/Travis etc.)
3) If I store the sensitive information in the server's environment variables (in memory), it will get wiped if the server restarts.
4) If I store this information in .bash_profile on my server, it is as good as saving it in a .env file.
Please guide me
Thanks in advance.