Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/dotenv-org/dotenv-vault

sync .env filesβ€”from the creator of `dotenv`.
https://github.com/dotenv-org/dotenv-vault

dotenv env secrets

Last synced: 5 days ago
JSON representation

sync .env filesβ€”from the creator of `dotenv`.

Awesome Lists containing this project

README 

        
![dotenv.org](https://dotenv.org/banner.png)



`dotenv-vault` is a cli to *sync .env files across machines, environments, and team members*.



[![NPM Version](https://img.shields.io/npm/v/dotenv-vault.svg?style=flat-square)](https://npmjs.org/package/dotenv-vault)



## 🌱 Install



It works with a single command. Run `npx dotenv-vault@latest push`.



```sh

npx dotenv-vault@latest push

```

```

remote:   Securely pushing (.env)... done

remote:   Securely pushed development (.env)

remote:   Securely built vault (.env.vault)

```



That's it. You securely synced your `.env` file. Next, tell your teammate to run `npx dotenv-vault@latest pull`



```sh

npx dotenv-vault@latest pull

```



Nice!



See further [usage](#%EF%B8%8F-usage) and [commands](#-commands).



---



#### Other Ways to Install



Don't want to use [npx](https://docs.npmjs.com/cli/v7/commands/npx)? Install a number of other ways.



apple icon Install via Homebrew



```bash

$ brew install dotenv-org/brew/dotenv-vault

$ dotenv-vault help

```



windows icon Install on Windows



* [32-bit installer](https://dotenv-vault-assets.dotenv.org/channels/stable/dotenv-vault-x86.exe)

* [64-bit installer](https://dotenv-vault-assets.dotenv.org/channels/stable/dotenv-vault-x64.exe)



docker icon Install and run commands via Docker



```bash

$ docker run -w $(pwd) -v $(pwd):$(pwd) -it dotenv/dotenv-vault help

```



Learn more about installation



## πŸ—οΈ Usage



When you make a change to your `.env` file, push it up.



```bash

$ npx dotenv-vault@latest push

```



Commit your `.env.vault` file safely to code.



```bash

$ git add .env.vault

$ git commit -am "Add .env.vault"

$ git push

```



Now your teammate can pull the latest `.env` changes.



```bash

$ git pull

$ npx dotenv-vault@latest pull

```



That's it!



Learn more about usage



## πŸš€ Deploying



Stop scattering your production secrets across multiple third-parties and tools. Instead, use an encrypted `.env.vault` file.



Generate your encrypted `.env.vault` file.



```bash

$ npx dotenv-vault@latest build

```



Fetch your production `DOTENV_KEY`.



```bash

$ npx dotenv-vault@latest keys production

remote:   Listing .env.vault decryption keys... done

dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production

```



Set `DOTENV_KEY` on your server.



```bash

# heroku example

heroku config:set DOTENV_KEY=dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production

```



Commit your `.env.vault` file safely to code and deploy.



```bash

$ git add .env.vault

$ git commit -am "Update .env.vault"

$ git push

$ git push heroku main # heroku example

```



That's it! On deploy, your `.env.vault` file will be decrypted and its secrets injected as environment variables – just in time.



Learn more about deploying



## 🌴 Manage Multiple Environments



After you've pushed your `.env` file, dotenv-vault automatically sets up multiple environments. Manage multiple environments with the included UI. [learn more](/docs/tutorials/environments)



```

$ npx dotenv-vault@latest open production

```



That's it! Manage your ci, staging, and production secrets from there.



Would you also like to pull your production `.env` to your machine? Run the command:



```

$ npx dotenv-vault@latest pull production

```



ℹ️  **πŸ” Vault Managed vs πŸ’» Locally Managed**: The above example, for brevity's sake, used the πŸ” Vault Managed solution to manage your `.env.vault` file. You can instead use the πŸ’» Locally Managed solution. [See the faq further below](#how-do-i-use--locally-managed-dotenv-vault). Our vision is that other platforms and orchestration tools adopt the `.env.vault` standard as they did the `.env` standard. We don't expect to be the only ones providing tooling to manage and generate `.env.vault` files.



Learn more about environments



## πŸ“š Examples



  

    

      

        

          Vercel

          Vercel

        

      

      

        

          Heroku

          Heroku

        

      

      

        

          GitHub

          GitHub Actions

        

      

      

        

          GitLab

          GitLab CI/CD

        

      

    

    

      

        

          Netlify

          Netlify

        

      

      

        

          Docker

          Docker

        

      

      

        

          Docker Compose

          Docker Compose

        

      

      

        

          CircleCI

          CircleCI

        

      

    

    

      

        

          Serverless

          Serverless

        

      

      

        

          Railway

          Railway

        

      

      

        

          Render

          Render

        

      

      

        

          Travis CI

          Travis CI

        

      

    

    

      

        

          Google Cloud

          Google Cloud

        

      

      

        

          Fly.io

          Fly.io

        

      

      

        

          dotenv-vault + Slack

          Slack

        

      

      

        

          Buddy

          Buddy

        

      

    

    

      

        

          Cloud66

          Cloud66

        

      

      

        

          Digital Ocean

          Digital Ocean

        

      

      

        

          Dagger

          Dagger

        

      

      

        

          Bitbucket

          Bitbucket

        

      

    

    

      

        

          Node.js

          Node.js

        

      

      

        

          Express

          Express

        

      

      

        

          NextJS

          NextJS

        

      

    

    

      

        

          Remix

          Remix

        

      

      

        

          Astro

          Astro

        

      

      

        

          Rails

          Rails

        

      

      

        

          Ruby

          Ruby

        

      

    

    

      

        

          Sinatra

          Sinatra

        

      

      

        

          Flask

          Flask

        

      

      

        

          Python

          Python

        

      

      

        

          Supabase

          Supabase

        

      

    

    

      

        

          Pulumi

          Pulumi

        

      

      

        

          Angular

          Angular

        

      

      

        

          Nuxt

          Nuxt

        

      

      

        

          Vite

          Vite

        

      

    

  



See more integration guides



## πŸ“– Commands



```

$ npx dotenv-vault@latest help

```



* [new](#new)

* [login](#login)

* [logout](#logout)

* [push](#push)

* [pull](#pull)

* [open](#open)

* [whoami](#whoami)

* [build](#build)

* [keys](#keys)

* [rotatekey](#rotatekey)

* [decrypt](#decrypt)

* [versions](#versions)

* [local](#local-build)

  * [local build](#local-build)   

  * [local decrypt](#local-decrypt)   

  * [local keys](#local-keys)   



### `new`



Create your project at Dotenv Vault.



Example:



```bash

$ npx dotenv-vault@latest new

```



##### ARGUMENTS



*[DOTENV_VAULT]*



Set .env.vault identifier. Defaults to generated value.



```

$ npx dotenv-vault@latest new vlt_6beaae5…

local:    Adding .env.vault (DOTENV_VAULT)... done

local:    Added to .env.vault (DOTENV_VAULT=vlt_6beaa...)

```



##### FLAGS



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



---



### `login`



Log in to dotenv-vault.



Example:



```bash

$ npx dotenv-vault@latest login

```



##### ARGUMENTS



*[DOTENV_ME]*



Set .env.me identifier. Defaults to generated value.



```

$ npx dotenv-vault@latest login me_00c7fa…

```



##### FLAGS



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest login -y

```



---



### `logout`



Log out of dotenv-vault.



Example:



```bash

$ npx dotenv-vault@latest logout

```



##### FLAGS



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest logout -y

```



---



### `push`



Push `.env` securely.



Example:



```bash

$ npx dotenv-vault@latest push

```



##### ARGUMENTS



*[ENVIRONMENT]*



Set environment to push to. Defaults to development



```

$ npx dotenv-vault@latest push production

```



*[FILENAME]*



Set input filename. Defaults to .env for development and .env.{environment} for other environments



```

$ npx dotenv-vault@latest push production .env.production

```



##### FLAGS



*-m, --dotenvMe*



Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)



```

$ npx dotenv-vault@latest push --dotenvMe=me_b1831e…

```



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest push -y

```



---



### `pull`



Pull `.env` securely.



Example:



```bash

$ npx dotenv-vault@latest pull

```



##### ARGUMENTS



*[ENVIRONMENT]*



Set environment to pull from. Defaults to development



```

$ npx dotenv-vault@latest pull production

```



*[FILENAME]*



Set output filename. Defaults to .env for development and .env.{environment} for other environments



```

$ npx dotenv-vault@latest pull production .env.production

```



##### FLAGS



*-m, --dotenvMe*



Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)



```

$ npx dotenv-vault@latest pull --dotenvMe=me_b1831e…

```



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest pull -y

```



If you want to pull a specific version you can do so. For example,



```

npx dotenv-vault@latest pull development@v14

```



---



### `open`



Open project page.



Example:



```bash

$ npx dotenv-vault@latest open

```



##### ARGUMENTS



*[ENVIRONMENT]*



Set environment to open to. Defaults to development.



```

$ npx dotenv-vault@latest open production

```



##### FLAGS



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest open -y

```



---



### `whoami`



Display the current logged in user.



Example:



```bash

$ npx dotenv-vault@latest whoami

```



##### FLAGS



*-m, --dotenvMe*



Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)



```

$ npx dotenv-vault@latest whoami dotenvMe=me_b1831e…

```



---



### `build`



Build .env.vault file.



Example:



```bash

$ npx dotenv-vault@latest build

```



##### FLAGS



*-m, --dotenvMe*



Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)



```

$ npx dotenv-vault@latest build dotenvMe=me_b1831e…

```



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest build -y

```



---



### `keys`



List .env.vault decryption keys.



Example:



```bash

$ npx dotenv-vault@latest keys

```



##### ARGUMENTS



*[ENVIRONMENT]*



Set environment. Defaults to all.



```

$ npx dotenv-vault@latest keys production…

remote:   Listing .env.vault decryption keys... done

dotenv://:[email protected]/vault/.env.vault?environment=production

```



##### FLAGS



*-m, --dotenvMe*



Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)



```

$ npx dotenv-vault@latest keys dotenvMe=me_b1831e…

```



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest keys -y

```



---



### `rotatekey`



Rotate DOTENV_KEY.



Example:



```bash

$ npx dotenv-vault@latest rotatekey production

```



##### FLAGS



*-m, --dotenvMe*



Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)



```

$ npx dotenv-vault@latest rotatekey dotenvMe=me_b1831e…

```



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest rotatekey -y

```



---



### `decrypt`



Decrypt .env.vault locally.



Example:



```bash

$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=development

```



##### ARGUMENTS



*[DOTENV_KEY]*



Set `DOTENV_KEY` to decrypt .env.vault. Development key will decrypt development, production will decrypt production, and so on.



```

$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=development

```



---



### `versions`



List version history.



Example:



```bash

$ npx dotenv-vault@latest versions

```



##### ARGUMENTS



*[ENVIRONMENT]*



Set environment to check versions against. Defaults to development.



```

$ npx dotenv-vault@latest versions production

```



##### FLAGS



*-m, --dotenvMe*



Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)



```

$ npx dotenv-vault@latest versions dotenvMe=me_b1831e…

```



*-y, --yes*



Automatic yes to prompts. Assume yes to all prompts and run non-interactively.



```

$ npx dotenv-vault@latest versions -y

```



If you want to pull a specific version you can do so. For example,



```

npx dotenv-vault@latest pull development@v14

```



---



### `local build`



Build .env.vault from local only



Example:



```bash

$ npx dotenv-vault@latest local build

```



This will encrypt the contents of your `.env` file and any `.env.ENVIRONMENT` files you have locally into your `.env.vault` file.



### `local decrypt`



Decrypt .env.vault from local only



Example:



```bash

$ npx dotenv-vault@latest local decrypt dotenv://:[email protected]/vault/.env.vault?environment=development

```



##### ARGUMENTS



*[DOTENV_KEY]*



Set `DOTENV_KEY` to decrypt .env.vault. Development key will decrypt development, production will decrypt production, and so on.



```

$ npx dotenv-vault@latest local decrypt dotenv://:[email protected]/vault/.env.vault?environment=development

```



### `local keys`



List .env.vault local decryption keys from .env.keys file



Example:



```bash

$ npx dotenv-vault@latest local keys

local:    Listing .env.vault decryption keys from .env.keys... done

 environment DOTENV_KEY

 ─────────── ────────────────────────────────────────────────────────────────────────────────────────────────────────

 develompent dotenv://:[email protected]/vault/.env.va…

 production  dotenv://:[email protected]/vault/.env.va…

```



##### ARGUMENTS



*[ENVIRONMENT]*



Set `ENVIRONMENT` to output a single environment's DOTENV_KEY.



```

$ npx dotenv-vault@latest local keys development…

local:    Listing .env.vault decryption keys from .env.keys... done

dotenv://:[email protected]/vault/.env.vault?environment=development

```



## ❓ FAQ



### Why is the `.env.vault` file not decrypting my environment variables successfully?



First, make sure you are using `[email protected]` or greater. (If you are using a different language make sure you have installed one of its [libraries](#what-languages-does-this-work-with).)



Second, test decryption is working locally.



```bash

$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=production

# outputs environment variables

```



Third, test decryption on boot is working locally.



```bash

$ DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production' npm start

# boots your app with production envs

```



### Should I commit my `.env.vault` file?



Yes. It is safe and recommended to do so. DO commit your `.env.vault` file to code. DO NOT commit your `.env` file. The `.env.vault` file contains ciphertext generated using AES-256. AES-256 is trusted by the US Government to transmit top-secret information and has a brute-force timescale of about a billion years.



### I accidentally leaked my `DOTENV_KEY`, what can I do? 



Does that attacker also have access to your `.env.vault` file?



* No: good, the attacker cannot do any damage. They need both the `DOTENV_KEY` and `.env.vault` file to access your secrets. This extra layer of security sets the `.env.vault` file apart as a superior solution to other SecretOps solutions.

* Yes: IMMEDIATELY start rotating your secrets at your third-party API providers. This scenario would be the same no matter what SecretOps solution you use.



After completing the above, rotate your `DOTENV_KEY` using the [rotatekey](#rotatekey) command, rebuild your `.env.vault` file, and redeploy.



### Is it safe to store my secrets with dotenv-vault?



It safer than scattering your secrets across multiple cloud providers. Those providers are focused on code deployment and server performance over secrets security.[1]



Dotenv Vault's singular focus is secrets security, and as a result we go to great lengths to make sure your secrets are safe. Afterall, we keep our secrets here too.[2]



* [[1] CircleCI Breach](https://techcrunch.com/2023/01/05/circleci-breach/)

* [[2] Security at Dotenv Vault](https://www.dotenv.org/security)



### What languages does this work with?



The `.env.vault` file and its encryption algorithm is language-agnostic so technically it works with any language. We've built convenience libraries for it in a handful of languages and are adding more quickly.



* [Go](https://github.com/dotenv-org/godotenvvault)

* [Kotlin](https://github.com/dotenv-org/dotenv-vault-kotlin)

* [NodeJS](https://github.com/motdotla/dotenv)

* [PHP](https://github.com/dotenv-org/phpdotenv-vault)

* [Python](https://github.com/dotenv-org/python-dotenv-vault)

* [Ruby](https://github.com/dotenv-org/dotenv-vault-ruby)



### How do I use πŸ’» Locally Managed dotenv-vault?



There are a series of **πŸ’» Locally Managed** commands available to you. Locally managed never makes a remote API call. It is completely managed on your machine.



**πŸ” Vault Managed** adds conveniences like backing up your .env file, secure sharing across your team, access permissions, and version history.



**πŸ’» Locally Managed** is a good choice for someone who would prefer to handle this coordination themselves and does not want to trust Dotenv Vault with their secrets. 







how to deploy with a .env.vault file video tutorial

youtube/@dotenvorg






Here's how it works.



Generate your `.env.vault` file.



```shell

$ npx dotenv-vault@latest local build

```



This creates two files:



* `.env.vault` - encrypted contents of .env* file(s)

* `.env.keys` - decryption key(s)



Boot using `.env.vault`.



```

$ DOTENV_KEY= npm start



[[email protected]][INFO] Loading env from encrypted .env.vault

```



Great! Next, set the `DOTENV_KEY` on your server. For example in heroku:



```shell

$ heroku config:set DOTENV_KEY=

```



Commit your `.env.vault` file safely to code and deploy.



Your `.env.vault` is decrypted on boot, its environment variables injected, and your app works as expected.



Congratulations, your secrets are now much safer than scattered across multiple servers and cloud providers!



## Contributing



See [CONTRIBUTING.md](CONTRIBUTING.md)



## Changelog



See [CHANGELOG.md](CHANGELOG.md)



## License



MIT