Manage your secrets using dotenv-vault's all-in-one toolkit. Say goodbye to scattered secrets across multiple platforms and tools. The #1 secrets manager for .env files.
What you can do:
- Sync your .env files, with a single command
- Deploy your secrets anywhere, with modern encryption
Usage is similar to git. Run the command:
$ npx dotenv-vault new
Follow those instructions and then run:
$ npx dotenv-vault login
Then run push and pull:
$ npx dotenv-vault push
$ npx dotenv-vault pull
That's it! You synced your .env file.
Visit dotenv.org/docs/quickstart for a complete quickstart ⚡️ guide.
After you've pushed your .env file, dotenv-vault automatically sets up multiple environments. Open an environment to view and edit its environment variables.
$ npx dotenv-vault open production
Edit those values. Would you also like to pull your production .env to your machine? Run the command:
$ npx dotenv-vault pull production
Visit dotenv.org/docs/tutorials/environments to learn more.
Build your .env.vault file to deploy your secrets to any server or cloud platform. It works without third-party integrations. Syncing your secrets over third-party integrations actually increases your attack surface by scattering them across more places, making it more likely that your secrets leak someday. Look what happened to CircleCI. Read on to see how dotenv-vault removes this risk.
Run the build command to generate your encrypted .env.vault file and commit that safely to code.
$ npx dotenv-vault build
$ git commit -am "Add .env.vault"
$ git push
Run the keys command to view your decryption keys.
$ npx dotenv-vault keys
remote: Listing .env.vault decryption keys... done
environment  DOTENV_KEY
───────────  ────────────────────────────────────────────────────────
development  dotenv://:key_…@dotenv.org/vault/.env.va…
production   dotenv://:key_…@dotenv.org/vault/.env.va…
Set the production key on your server or cloud platform. For example, in Heroku.
heroku config:set DOTENV_KEY=dotenv://:key_…@dotenv.org/vault/.env.va…
That's it! When your code deploys, your .env.vault file will be decrypted just in time, and its secrets injected into your application's environment variables.
There's nothing else like it. Node.js, Ruby, Python and PHP are supported – more languages coming soon.
Visit dotenv.org/docs/tutorials/integrations to learn more.
Below is a high-level overview of how dotenv-vault works. You can also learn more at dotenv.org/docs and dotenv.org/security.
You run npx dotenv-vault push. Your request is started.
Your .env file is encrypted and sent securely over SSL to Dotenv's in-memory servers.
This encrypted payload is decrypted and briefly held in memory to complete the next steps. Afterward, the memory is flushed. Rest assured the decrypted version is never persisted to Dotenv systems.
Your .env file is parsed line by line - in memory.
Note: There are minor differences between dotenv parsers across various languages and frameworks. So far Dotenv Vault handles 100% of these, and we continue to add test cases to cover all edge cases.
Each key/value pair (and any comments) are extracted - in memory.
The secret is divided into its separate key and value. This is by design. They will be stored in separate databases for added security. This way if an attacker somehow gained access to one database they would not be able to make sense of the data - having only half the puzzle.
The KEY is encrypted. The VALUE is encrypted. They are encrypted with different master encryption keys. This way if an attacker somehow gained access to the VALUE decryption key they would find the data useless. They would not know if the secret belonged to Twilio or to AWS.
Encryption uses the AES-GCM algorithm. It is:
- well-studied
- NIST recommended
- an IETF standard
- fast thanks to a dedicated instruction set
Additionally, all master encryption keys are rotated on an unpublished schedule, further adding to the level of security.
The encrypted VALUE is sent to Dotenv Vault for safe storage. A token is returned as an identifier. The token is used in the next step for mapping the KEY to the VALUE for later secure-read operations.
Multiple security measures go into the Vault. They include but are not limited to:
- Separate datastore from the application database
- Not accessible from the internet; all external connections are blocked
- Encrypted clients are required and these clients have to go through the application - which has its own additional layers of encryption
- There are stricter TLS requirements for connecting to the Vault. TLS 1.0 cannot be used to connect.
- The secrets stored in the Vault are not just encrypted at the datastore level. They are also encrypted at each datastore entry as you saw in the prior step(s).
Lastly, the encrypted KEY and token (representing the encrypted VALUE) are placed in an envelope and stored together in the application database.
A success message is returned to the developer.
Learn more at dotenv.org/security
Below is a list of dotenv-vault CLI commands. You can also learn more on the docs page.
Create your project at Dotenv Vault.
Example:
$ npx dotenv-vault new
[DOTENV_VAULT]
Set .env.vault identifier. Defaults to generated value.
$ npx dotenv-vault new vlt_6beaae5…
local: Adding .env.vault (DOTENV_VAULT)... done
local: Added to .env.vault (DOTENV_VAULT=vlt_6beaa...)
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
Log in to dotenv-vault.
Example:
$ npx dotenv-vault login
[DOTENV_ME]
Set .env.me identifier. Defaults to generated value.
$ npx dotenv-vault login me_00c7fa…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault login -y
Log out of dotenv-vault.
Example:
$ npx dotenv-vault logout
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault logout -y
Push .env securely.
Example:
$ npx dotenv-vault push
[ENVIRONMENT]
Set environment to push to. Defaults to development
$ npx dotenv-vault push production
[FILENAME]
Set input filename. Defaults to .env for development and .env.{environment} for other environments
$ npx dotenv-vault push production .env.production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault push --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault push -y
Pull .env securely.
Example:
$ npx dotenv-vault pull
[ENVIRONMENT]
Set environment to pull from. Defaults to development
$ npx dotenv-vault pull production
[FILENAME]
Set output filename. Defaults to .env for development and .env.{environment} for other environments
$ npx dotenv-vault pull production .env.production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault pull --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault pull -y
If you want to pull a specific version you can do so. For example,
npx dotenv-vault pull development@v14
Open project page.
Example:
$ npx dotenv-vault open
[ENVIRONMENT]
Set environment to open to. Defaults to development.
$ npx dotenv-vault open production
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault open -y
Display the current logged in user.
Example:
$ npx dotenv-vault whoami
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault whoami --dotenvMe=me_b1831e…
Build .env.vault file.
Example:
$ npx dotenv-vault build
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault build --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault build -y
List .env.vault decryption keys.
Example:
$ npx dotenv-vault keys
[ENVIRONMENT]
Set environment. Defaults to all.
$ npx dotenv-vault keys production
remote: Listing .env.vault decryption keys... done
dotenv://:key_…@dotenv.org/vault/.env.vault?environment=production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault keys --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault keys -y
Rotate DOTENV_KEY.
Example:
$ npx dotenv-vault rotatekey production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault rotatekey --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault rotatekey -y
Decrypt .env.vault locally.
Example:
$ npx dotenv-vault decrypt dotenv://:key_…@dotenv.org/vault/.env.vault?environment=development
[DOTENV_KEY]
Set DOTENV_KEY to decrypt .env.vault. Development key will decrypt development, production will decrypt production, and so on.
$ npx dotenv-vault decrypt dotenv://:key_…@dotenv.org/vault/.env.vault?environment=development
List version history.
Example:
$ npx dotenv-vault versions
[ENVIRONMENT]
Set environment to check versions against. Defaults to development.
$ npx dotenv-vault versions production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault versions --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault versions -y
If you want to pull a specific version you can do so. For example,
npx dotenv-vault pull development@v14
Build .env.vault from local only
Example:
$ npx dotenv-vault local build
This will encrypt the contents of your .env file and any .env.ENVIRONMENT files you have locally into your .env.vault file.
Decrypt .env.vault from local only
Example:
$ npx dotenv-vault local decrypt dotenv://:key_…@dotenv.org/vault/.env.vault?environment=development
[DOTENV_KEY]
Set DOTENV_KEY to decrypt .env.vault. Development key will decrypt development, production will decrypt production, and so on.
$ npx dotenv-vault local decrypt dotenv://:key_…@dotenv.org/vault/.env.vault?environment=development
List .env.vault local decryption keys from .env.keys file
Example:
$ npx dotenv-vault local keys
local: Listing .env.vault decryption keys from .env.keys... done
environment  DOTENV_KEY
───────────  ────────────────────────────────────────────────────────
development  dotenv://:key_…@dotenv.org/vault/.env.va…
production   dotenv://:key_…@dotenv.org/vault/.env.va…
[ENVIRONMENT]
Set ENVIRONMENT to output a single environment's DOTENV_KEY.
$ npx dotenv-vault local keys development
local: Listing .env.vault decryption keys from .env.keys... done
dotenv://:key_…@dotenv.org/vault/.env.vault?environment=development
Visit health.dotenv.org for more information.
See CONTRIBUTING.md
See CHANGELOG.md
MIT
