The answer by luisnike19 provides good information about encryption. I don't think you need encryption in all cases though.
As to the environment variables, here it what I think:
- You can work without environment variables; store all you need in your configuration which can be as custom as you want.
- You should avoid using environment variables by all means.
—SA