Modern secret management (Vault, AWS Secrets Manager) injects secrets directly into the application via tmpfs memory files or in-memory API calls — NOT via environment variables. CE uses Vault Agent as a sidecar container that writes secrets to /dev/shm (memory-only filesystem) with mode 0400 (readable only by CE process). Environment variables are plaintext in /proc/self/environ readable by any process in the container. CE's secrets are never in env vars — that anti-pattern was deprecated in 2018.

Kubernetes Secrets are base64-encoded (not encrypted) by default — but CE uses sealed secrets (Bitnami Sealed Secrets or equivalent) encrypted with an asymmetric key. The sealing key is in the cluster's HSM, not recoverable from etcd. Even read access to etcd gives you encrypted blobs. Additionally, CE uses Kubernetes RBAC so that no external service account has read access to the secret objects. The API server requires a ClusterRole binding that CE's service account doesn't have for secret reads — CE gets secrets pushed to it, not pulled.

CE's database credentials are Vault dynamic secrets: generated on-demand, valid for 15 minutes, automatically revoked. Even if you somehow read the DATABASE_URL from CE's memory at the perfect moment, the credential would expire in at most 15 minutes. The probability of extracting the credential and using it before expiry given all the access barriers: effectively zero. You'd need both a memory read exploit AND to use the credential within 900 seconds. All under active monitoring.