In an effort to secure API keys, what should be avoided?

Storing keys in public repositories compromises the security of those keys. Public repositories are accessible to anyone on the internet, meaning that if API keys are stored there, they can be easily discovered and exploited by malicious actors. Such exposure can lead to unauthorized access to services, potential data breaches, and financial loss because anyone with access to the keys can perform actions under those credentials.

In contrast, the other options represent best practices for managing API keys. Using a version control system can actually help in tracking key changes, provided that sensitive data is excluded from the commits through proper configuration. Implementing rotation policies is a fundamental security measure that limits the duration any one key is valid, thus reducing the potential impact if a key is compromised. Lastly, using environment-specific keys helps to ensure that keys are only usable in specific contexts, adding another layer of security and reducing the risk of misuse.