Secrets multiply quietly.
One API key for backups. Another for DNS. A handful for databases. Before long, half your services rely on strings hidden in text files you barely remember creating.
Enterprise solves this with vaults and access control teams. You don’t have that. You need something lighter.
The Wrong Defaults
Most self-hosters start with:
- Plaintext .env files in random directories
- Keys buried in scripts
- Passwords hardcoded in configs
It works — until you forget where they live or they leak into backups.
Keep Secrets Separate
Rule one: separate secrets from configs.
- Store configs in version control, but keep keys out
- Reference environment variables or include files for sensitive data
- Document paths so future you doesn’t guess
A config repo without secrets is survivable.
Encryption That’s Boring
You don’t need elaborate PKI:
- Use tools like age, sops, or gpg to encrypt secrets at rest
- Store encrypted files in git, with decryption keys kept offline or on hardware
- Automate decryption for deployment only where needed
Small, repeatable steps matter more than fancy gear.
Automate Injection
Manual copy-paste is fragile:
- Use systemd units or Docker secrets to inject keys at runtime
- Keep secrets on disk with tight permissions only if absolutely necessary
- Rotate when compromised, not when convenient
Automation reduces human error.
Audit and Rotate
Once a quarter, ask:
- Where do my secrets live?
- Are any hardcoded?
- Do I know how to revoke and replace them quickly?
If you can’t rotate in under an hour, you’re exposed.
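An added example, not from the original post, that turns the first two questions into a repeatable check: a POSIX shell audit that walks a config tree, flags values assigned to password/secret/token/api_key style keys unless they are environment references or sops/age/gpg ciphertext, and lists plaintext .env files. The sample tree, the key-name patterns and the file suffixes are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a config tree for
# hardcoded secrets and plaintext .env files. Key names and suffixes are
# heuristics chosen for this illustration, not a standard.

# Constructed sample tree mimicking a small homelab config repo.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/app" "$dir/backup"
  printf 'DB_HOST=db.internal\nDB_PASSWORD=hunter2\n' > "$dir/app/.env"       # plaintext .env
  printf 'host: dns.example\napi_key: ${DNS_API_KEY}\n' > "$dir/app/dns.yml"  # env reference: fine
  printf 'token: ENC[AES256_GCM,data:xyz,type:str]\n' > "$dir/app/cf.yml"     # sops ciphertext: fine
  printf 'RESTIC_PASSWORD=s3cret\n' > "$dir/backup/run.sh"                     # hardcoded in script
  printf 'not-really-ciphertext\n' > "$dir/app/db.env.age"                     # encrypted at rest: skipped
  echo "$dir"
}

# A line is flagged when a password/secret/token/api_key style key is assigned
# a literal: not an environment reference ($VAR, ${VAR}) and not a sops ENC[...] value.
# Files encrypted at rest with age or gpg are skipped entirely.
find_hardcoded() {
  root=$1
  pat="(password|secret|token|api_key)[[:space:]]*[:=][[:space:]]*[\"']?[^\$[:space:]\"']+"
  find "$root" -type f ! -name '*.age' ! -name '*.gpg' -print |
  while IFS= read -r f; do
    grep -n -i -E "$pat" "$f" | grep -v 'ENC\[' | sed "s|^|$f:|"
  done
}

# Plaintext .env files are a finding on their own, whatever they contain.
find_plaintext_env() {
  find "$1" -type f \( -name '.env' -o -name '.env.*' -o -name '*.env' \) \
       ! -name '*.age' ! -name '*.gpg'
}

count_hardcoded()     { find_hardcoded "$1"     | wc -l | tr -d ' '; }
count_plaintext_env() { find_plaintext_env "$1" | wc -l | tr -d ' '; }

# Stand-alone run: audit the directory given as the first argument.
if [ -n "${1:-}" ]; then
  echo "hardcoded secrets:";   find_hardcoded "$1"
  echo "plaintext .env files:"; find_plaintext_env "$1"
fi
```

Run it as `sh audit.sh /path/to/configs`; anything it prints is a candidate for moving into an environment reference or an encrypted file before the next quarterly review.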
Scale Later If Needed
Start small.
If your stack grows, you can graduate to HashiCorp Vault or step-ca.
But most homelabs don’t need the overhead — they need clarity and containment.
Quiet Confidence
Secrets management doesn’t have to be heroic.
It just has to be deliberate.
The goal is boring: you know where your keys are, how to protect them, and how to change them when it goes wrong.
That’s sovereignty at homelab scale.