Are Symfony Secrets safe because both keys are saved on the server?

Are Symfony Secrets safe because both keys are saved on the server?

After reading some articles about the EmeraldWhale-malware collecting sensitive credentials through Git I am looking for best-practices to use environment variables in a Symfony project.

1. A option would be to set the environment variables at runtime like: DB_NAME=my_database DB_USER=my_user DB_PASSWORD=my_password symfony server:start By using this method you wouldn't even ever have a .env-file for production, mitigating the risk of even ever publishing the credentials through accidentally pushing a .env file to your VCS.

2. I also took a look at Symfony Secrets. This seems way more secure then using global CLI variables or a .env. But because both the private- and public-key for this asymmetric encryption is saved on the server, how exactly is this more secure? An intruder accessing the server could still use the private-key to get the credentials (same for CLI variables), but in this case the private key could still be pushed to a VCS by accident like a .env-file?

So, what is the most secure and best-practice way to store your credentials in a Symfony project?