Current Situation:

I have a server running a NestJS service that uses a .env file to handle environment variables (including secrets). I use GitHub Actions for the whole CI flow, storing the secret values in GitHub Actions Secrets. When commits are pushed, the CI server creates the .env file (writing the secrets into it), builds the service, and then rsyncs it over SSH to the production server. But I am wondering: if my server gets hacked, the attacker will be able to read my .env file and learn all the secrets. Then I studied a bit about secret management tools; it seems that I have to install their SDK and fetch the secrets through it, but I think that is bad because I don't want to bind a specific secret manager into my code.

So my questions are:

  1. Is using a secret manager more secure than a .env file, because it loads the secrets from the manager directly into memory instead of having an intermediary (the .env file) store the secrets?
  2. If the answer to 1 is yes, do I achieve the same security level if I delete the .env file after the service has loaded?
  3. What about just setting the .env file permissions to 600 root:root? Is finding secrets in memory commonly harder than privilege escalation?
  4. (Extra) Are there any potential security issues in my CI flow?

Thanks

keep_learner
