Manage your secrets using dotenv-vault's all-in-one toolkit. Say goodbye to scattered secrets across multiple platforms and tools. The #1 secrets manager for .env files.
Deploy your secrets anywhere with modern encryption and sync your .env files with a single command.
Install via Homebrew
$ brew install dotenv-org/brew/dotenv-vault
$ dotenv-vault help
Install on Windows
Install and run commands via Docker
$ docker run -w $(pwd) -v $(pwd):$(pwd) -it dotenv/dotenv-vault help
Install and run commands via npx
$ npx dotenv-vault help
Push your .env file.
$ dotenv-vault push
Commit your .env.vault file safely to code.
$ git add .env.vault
$ git commit -am "Add .env.vault"
$ git push
Pull the latest .env changes.
$ git pull
$ dotenv-vault pull
That's it! You securely backed up and synced your .env file.
Encrypt your .env.vault file.
$ dotenv-vault build
Fetch your production DOTENV_KEY.
$ dotenv-vault keys production
remote: Listing .env.vault decryption keys... done
dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production
Set DOTENV_KEY on your server.
# heroku example
heroku config:set DOTENV_KEY=dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production
Commit your .env.vault
file safely to code and deploy.
$ git add .env.vault
$ git commit -am "Update .env.vault"
$ git push
$ git push heroku main # heroku example
That's it! On deploy, your .env.vault file will be decrypted and its secrets injected as environment variables, just in time.
Sync your .env file. Run the push command and follow the instructions.
$ dotenv-vault push
After you've pushed your .env file, dotenv-vault automatically sets up multiple environments. Manage multiple environments with the included UI.
$ dotenv-vault open production
That's it! Manage your ci, staging, and production secrets from there. Rebuild your .env.vault file and redeploy when ready.
Would you also like to pull your production .env to your machine? Run the command:
$ dotenv-vault pull production
ℹ️ 🔐 Vault Managed vs 💻 Locally Managed: The above example, for brevity's sake, used the 🔐 Vault Managed solution to manage your .env.vault file. You can instead use the 💻 Locally Managed solution. See the faq further below. Our vision is that other platforms and orchestration tools adopt the .env.vault standard as they did the .env standard. We don't expect to be the only ones providing tooling to manage and generate .env.vault files.
$ dotenv-vault help
Create your project at Dotenv Vault.
Example:
$ npx dotenv-vault new
[DOTENV_VAULT]
Set .env.vault identifier. Defaults to generated value.
$ npx dotenv-vault new vlt_6beaae5…
local: Adding .env.vault (DOTENV_VAULT)... done
local: Added to .env.vault (DOTENV_VAULT=vlt_6beaa...)
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
Log in to dotenv-vault.
Example:
$ npx dotenv-vault login
[DOTENV_ME]
Set .env.me identifier. Defaults to generated value.
$ npx dotenv-vault login me_00c7fa…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault login -y
Log out of dotenv-vault.
Example:
$ npx dotenv-vault logout
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault logout -y
Push .env securely.
Example:
$ npx dotenv-vault push
[ENVIRONMENT]
Set environment to push to. Defaults to development
$ npx dotenv-vault push production
[FILENAME]
Set input filename. Defaults to .env for development and .env.{environment} for other environments
$ npx dotenv-vault push production .env.production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault push --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault push -y
Pull .env securely.
Example:
$ npx dotenv-vault pull
[ENVIRONMENT]
Set environment to pull from. Defaults to development
$ npx dotenv-vault pull production
[FILENAME]
Set output filename. Defaults to .env for development and .env.{environment} for other environments
$ npx dotenv-vault pull production .env.production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault pull --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault pull -y
If you want to pull a specific version you can do so. For example:
$ npx dotenv-vault pull development@v14
Open project page.
Example:
$ npx dotenv-vault open
[ENVIRONMENT]
Set environment to open to. Defaults to development.
$ npx dotenv-vault open production
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault open -y
Display the current logged in user.
Example:
$ npx dotenv-vault whoami
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault whoami --dotenvMe=me_b1831e…
Build .env.vault file.
Example:
$ npx dotenv-vault build
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault build --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault build -y
List .env.vault decryption keys.
Example:
$ npx dotenv-vault keys
[ENVIRONMENT]
Set environment. Defaults to all.
$ npx dotenv-vault keys production…
remote: Listing .env.vault decryption keys... done
dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault keys --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault keys -y
Rotate DOTENV_KEY.
Example:
$ npx dotenv-vault rotatekey production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault rotatekey --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault rotatekey -y
Decrypt .env.vault locally.
Example:
$ npx dotenv-vault decrypt dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=development
[DOTENV_KEY]
Set DOTENV_KEY to decrypt .env.vault. The development key decrypts development, the production key decrypts production, and so on.
$ npx dotenv-vault decrypt dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=development
List version history.
Example:
$ npx dotenv-vault versions
[ENVIRONMENT]
Set environment to check versions against. Defaults to development.
$ npx dotenv-vault versions production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault versions --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault versions -y
If you want to pull a specific version you can do so. For example:
$ npx dotenv-vault pull development@v14
Build .env.vault from local only
Example:
$ npx dotenv-vault local build
This will encrypt the contents of your .env file and any .env.ENVIRONMENT files you have locally into your .env.vault file.
Decrypt .env.vault from local only
Example:
$ npx dotenv-vault local decrypt dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=development
[DOTENV_KEY]
Set DOTENV_KEY to decrypt .env.vault. The development key decrypts development, the production key decrypts production, and so on.
$ npx dotenv-vault local decrypt dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=development
List .env.vault local decryption keys from .env.keys file
Example:
$ npx dotenv-vault local keys
local: Listing .env.vault decryption keys from .env.keys... done
environment   DOTENV_KEY
───────────   ─────────────────────────────────────────────────
development   dotenv://:key_1234…@dotenv.org/vault/.env.va…
production    dotenv://:key_1234…@dotenv.org/vault/.env.va…
[ENVIRONMENT]
Set ENVIRONMENT to output a single environment's DOTENV_KEY.
$ npx dotenv-vault local keys development…
local: Listing .env.vault decryption keys from .env.keys... done
dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=development
First, make sure you are using a version of dotenv that supports .env.vault decryption. (If you are using a different language, make sure you have installed one of its libraries.)
Second, test decryption is working locally.
$ dotenv-vault decrypt dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production
# outputs environment variables
Third, test decryption on boot is working locally.
$ DOTENV_KEY=dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production npm start
# boots your app with production envs
Yes. It is safe and recommended to do so. DO commit your .env.vault file to code. DO NOT commit your .env file. The .env.vault file contains ciphertext generated using AES-256. AES-256 is trusted by the US Government to transmit top-secret information and has a brute-force timescale of about a billion years.
Does that attacker also have access to your .env.vault file?
- No: good, the attacker cannot do any damage. They need both the DOTENV_KEY and the .env.vault file to access your secrets. This extra layer of security sets the .env.vault file apart as a superior solution to other SecretOps solutions.
- Yes: IMMEDIATELY start rotating your secrets at your third-party API providers. This scenario would be the same no matter what SecretOps solution you use.
After completing the above, rotate your DOTENV_KEY using the rotatekey command, rebuild your .env.vault file, and redeploy.
It is safer than scattering your secrets across multiple cloud providers. Those providers are focused on code deployment and server performance over secrets security.[1]
Dotenv Vault's singular focus is secrets security, and as a result we go to great lengths to make sure your secrets are safe. After all, we keep our secrets here too.[2]
The .env.vault file and its encryption algorithm are language-agnostic, so technically it works with any language. We've built convenience libraries for it in a handful of languages and are adding more quickly.
There are a series of 💻 Locally Managed commands available to you. Locally managed never makes a remote API call. It is completely managed on your machine.
🔐 Vault Managed adds conveniences like backing up your .env file, secure sharing across your team, access permissions, and version history.
💻 Locally Managed is a good choice for someone who would prefer to handle this coordination themselves and does not want to trust Dotenv Vault with their secrets.
Here's how it works.
Generate your .env.vault file.
$ dotenv-vault local build
This creates two files:
- .env.vault: encrypted contents of your .env* file(s)
- .env.keys: decryption key(s)
Boot using .env.vault.
$ DOTENV_KEY=<key string from .env.keys> npm start
[dotenv@<version>][INFO] Loading env from encrypted .env.vault
Great! Next, set the DOTENV_KEY on your server. For example, in heroku:
$ heroku config:set DOTENV_KEY=<key string from .env.keys>
Commit your .env.vault file safely to code and deploy. Your .env.vault is decrypted on boot, its environment variables injected, and your app works as expected.
Congratulations, your secrets are now much safer than scattered across multiple servers and cloud providers!
See CONTRIBUTING.md
See CHANGELOG.md
MIT