Actually I think most techniques for secret management (e.g. putting them into environment variables) are pretty insecure if you can manage to get into the server?