# .github/workflows/deploy.yml (excerpt) - name: Backup production env before deploy run: | ssh production-server "cp .env.production .env.backup.production.pre-deploy-$(date +%s)"
openssl enc -aes-256-cbc -salt -in .env.backup.production -out .env.backup.production.enc -k your_strong_master_passphrase Use code with caution. How to Automate Your Backup Pipeline .env.backup.production
This article explores why a simple backup of your environment variables (with a .backup suffix) is not just a good practice, but the backbone of modern production resilience. If this file is pushed to a public
format and usually contains the following categories of sensitive data: Example Keys Description App Identity APP_ENV=production .env.backup.production
cat .env.backup.production | grep "DATABASE_URL"
It serves as a static record of what configuration was running at a specific point in time.
If this file is pushed to a public repository, anyone can see your production passwords. Even in a private repo, it increases the "attack surface" for anyone with access to the code.