On a more theoretical level, I tend to think about levels for security in the following ways (in order of increasing strength) :

在更理论的层面上，我倾向于通过以下方式（按强度增加的顺序）考虑安全级别：

• No security. Plain text. Anyone that knows where to look, can access the data.
• Security by Obfuscation. You store the data (plaintext) someplace tricky, like an environment variable, or in a file that is meant to look like a configuration file. An attacker will eventually figure out what's going on, or stumble across it.
• Security provided by encryption that is trivial to break, (think caesar cipher!).
• Security provided by encryption that can be broken with some effort.
• Security provided by encryption that is impractical to break given current hardware.
• The most secure system is one that nobody can use! :)

• 没有安全感。纯文本。任何知道在哪里查看的人都可以访问数据。
• 混淆的安全性。您将数据（明文）存储在一些棘手的地方，例如环境变量，或存储在看起来像配置文件的文件中。攻击者最终会弄清楚发生了什么，或者偶然发现了它。
• 加密提供的安全性很容易破解，（想想凯撒密码！）。
• 加密提供的安全性可以通过一些努力来破解。
• 加密提供的安全性无法破解当前硬件。
• 最安全的系统是任何人都无法使用的系统！:)

Environment variables are moresecure than plaintext files, because they are volatile/disposable, not saved; i.e. if you set only a local environment variable, like "set pwd=whatever," and then run the script, with something that exits your command shell at the end of the script, then the variable no longer exists. Your case falls into the first two, which I'd say is fairly insecure. If you were going to do this, I wouldn't recommend deploying outside your immediate intranet/home network, and then only for testing purposes.

环境变量比纯文本文件更安全，因为它们是易失性/一次性的，不保存；即，如果您只设置一个本地环境变量，例如“set pwd=whatever”，然后运行脚本，并在脚本末尾退出命令 shell，则该变量将不再存在。你的情况属于前两个，我认为这是相当不安全的。如果您打算这样做，我不建议在您的直接内部网/家庭网络之外进行部署，然后仅用于测试目的。

As mentioned before, both methods do not provide any layer of additional "security" once your system is compromised. I believe that one of the strongest reasons to favor environment variables is version control: I've seen way too many database configurations etc. being accidentially stored in the version control system like GIT for every other developer to see (and whoops! it happened to me as well ...).

如前所述，一旦您的系统受到威胁，这两种方法都不会提供任何额外的“安全”层。我相信支持环境变量的最有力的原因之一是版本控制：我见过太多的数据库配置等被意外地存储在像 GIT 这样的版本控制系统中，供其他所有开发人员看到（哎呀！它发生在我也是 ...）。

Not storing your passwords in files makes it impossible for them to be stored in the version control system.

不将密码存储在文件中会使它们无法存储在版本控制系统中。

Anytime you have to store a password, it is insecure. Period. There's no way to store an un-encrypted password securely. Now which of environment variables vs. config files is more "secure" is perhaps debatable. IMHO, if your system is compromised, it doesn't really matter where it's stored, a diligent hacker can track it down.

无论何时您必须存储密码，它都是不安全的。时期。没有办法安全地存储未加密的密码。现在，哪个环境变量与配置文件更“安全”可能是有争议的。恕我直言，如果您的系统遭到入侵，它的存储位置并不重要，勤奋的黑客可以追踪到它。

Sorry I didn't have enough rep to comment, but I also wanted to add that if you're not careful, your shell might capture that password in it's command history as well. So running something like $ pwd=mypassword my_progmanually isn't as ephemeral as you might have hoped.

抱歉，我没有足够的代表发表评论，但我还想补充一点，如果您不小心，您的 shell 也可能会在其命令历史记录中捕获该密码。因此，$ pwd=mypassword my_prog手动运行之类的程序并不像您希望的那样短暂。

I think when possible you should store your credentials in a gitignored file and not as environment variables.

我认为如果可能，您应该将您的凭据存储在 gitignored 文件中，而不是作为环境变量。

One of the things to consider when storing credentials in ENV (environment) variables vs a file is that ENV variables can very easily be inspected by any library or dependency you use.

在 ENV（环境）变量与文件中存储凭据时要考虑的一件事是，您使用的任何库或依赖项都可以很容易地检查 ENV 变量。

This can be done maliciously or not. For example a library author could email stack traces plus the ENV variables to themselves for debugging (not best practice, but it's possible to do).

这可以是恶意的，也可以是非恶意的。例如，库作者可以将堆栈跟踪和 ENV 变量通过电子邮件发送给自己以进行调试（不是最佳实践，但可以这样做）。

If your credentials are in a file, then peaking into them is much harder.

如果您的凭据在一个文件中，那么获取它们的峰值要困难得多。

Specifically, think about an npm in node. For an npm to look at your credentials if they are in the ENV is a simple matter of process.ENV. If on the other hand they are in a file, it's a lot more work.

具体来说，考虑 node.js 中的 npm。让 npm 查看您的凭据（如果它们在 ENV 中）是一个简单的process.ENV. 另一方面，如果它们在一个文件中，则需要做更多的工作。

Whether your credentials file is version controlled or not is a separate question. Not version controlling your credentials file exposes it to fewer people. There's no need for all devs to know the production credentials. Since this lives up to the principle of least privilege, I would suggest git ignoring your credentials file.

您的凭据文件是否受版本控制是一个单独的问题。不是版本控制您的凭据文件会将其暴露给更少的人。无需所有开发人员都知道生产凭据。由于这符合最小权限原则，我建议 git 忽略您的凭据文件。

It depends on your threat model.

这取决于您的威胁模型。

Are you trying to prevent your users from sprinkling passwords all over their file systems where they are likely to be forgotten and mishandled? If so, then yes, because environmental variables are less persistent than files.

您是否试图阻止您的用户将密码散布在他们可能被遗忘和错误处理的文件系统中？如果是，那么是，因为环境变量的持久性不如文件。

Are you trying to secure against something malicious that is directly targeting your program? If so, then no, because environment variables do not have the same level of access control that files do.

您是否试图防范直接针对您的程序的恶意软件？如果是，则否，因为环境变量的访问控制级别与文件不同。

Personally, I think that negligent users are more common than motivated adversaries, so I'd go with the environment variable approach.

就我个人而言，我认为疏忽的用户比有动机的对手更常见，所以我会采用环境变量方法。