Writing · 2026-06-26Tokyo · Incoming Cambridge HSPS

moved every runtime secret into the OS keychain and ripped the

moving runtime secrets into one canonical OS keychain made rotation and recovery a one-place problem across four services.

TL;DR

moving runtime secrets into the OS keychain changed secret handling from copy hunting to one-place rotation and recovery. the real win was knowing exactly where to look if something leaks.

why did plaintext env files break down so fast?

the problem showed up as soon as the same key lived in four places. rotating one copy meant hunting down every other copy and hoping none were missed.

that workflow turns a simple change into a scavenger hunt. once the copies spread, you stop trusting that you know where the secret exists.

what changed once there was one canonical store?

moving every runtime secret into the OS keychain changed the shape of the problem. the secret stopped being a scattered set of plaintext copies and became something with one source of truth.

from there, rotation got simpler because there was one place to update and one place to recover from. that also made leak response clearer, since you know where to look first.

why does copy count matter more than people think?

the post points to four services, which is already enough to create drift. if you run more than one service, the spread is usually worse than it feels.

the useful question is not whether you have secrets somewhere. it is how many copies exist and whether you could find them all quickly if one leaked.

what is the practical takeaway for builders?

the takeaway is small and direct: stop treating secret storage as a per-service habit and start treating it as one canonical store. the fewer plaintext copies you keep around, the less you have to hunt later.

this is less about tooling preference and more about reducing uncertainty. one store gives you one place to rotate, one place to recover, and one place to investigate.

FAQ
how many services was the key copied across?

the post says it was copied across four services. that was enough to make rotation a hunt for every copy.

what was the main benefit of one canonical store?

one place to rotate, one place to recover, and one place to check if something leaks. that was the change in the post.

why move runtime secrets out of env files?

because plaintext env files made the secret easy to duplicate and hard to track. once the copies spread, rotation became fragile.

More writing