Manage your secrets using dotenv-vault's all-in-one toolkit. Say goodbye to scattered secrets across multiple platforms and tools.
dotenv-vault combats scattered secrets with a single source of truth. It builds on top of the proven dotenv standard, adding syncing and encryption to .env files.
Your developers manage secrets independently, exchanging .env files over insecure channels like email and Slack. Meanwhile, your DevOps team sets secrets through various platforms and tools, resulting in secrets being spread across multiple locations.
HashiCorp Vault locks you into an expensive solution by requiring your team to rewrite code. Solutions like AWS Secrets and GCP Secret Manager are also pricey and rely on frequent API calls to their services, driving up costs. New solutions like Doppler and Infisical are moving toward code rewrites, and they rely on risky third-party integrations that increase your attack surface area, making it more likely for your secrets to leak.
dotenv-vault replaces storing and setting your secrets across multiple platforms and tools with a single source of truth.
You're steps away from fixing your secrets management problem for good.
Step 1
Sync your secrets similarly to how you sync your code. Run npx dotenv-vault push to push changes to your .env file and npx dotenv-vault pull to pull changes. It works a lot like git.
$ npx dotenv-vault push
This is better than having to learn a new tool or stand up infrastructure just to sync and back up your secrets. If you're already using .env files, you can benefit in literally a few seconds of your time. You should try it right now!
ⓘ What is npx?
npx is an npm package runner. It lets you run a node executable. This way there are no error-prone libraries to install, infrastructure to maintain, or custom code to run. Just have node installed, run npx dotenv-vault push, and you're off to the races.
ⓘ Are my secrets safe?
Your secrets go through a ten-step process to split their parts, encrypt, and tokenize them into Dotenv Vault Store. This includes using AES-GCM - trusted by governments to transport top secret information. Read more about the ten-step process on the security page.
Step 2
After you've pushed your first .env file, dotenv-vault automatically sets up multiple environments for you. This includes a robust UI to manage them.
$ npx dotenv-vault open production
This is better than maintaining your secrets somewhere like AWS Secrets or GCP Secret Manager because your developers can still quickly add and change development keys without bothering DevOps. Meanwhile, DevOps can see new keys when they are added and proceed to set production values. No more wondering whether a value has been set in production.
ⓘ Can I customize my environments?
Yes, you can customize the number and names of your environments and also select which is your 'main' development environment.
ⓘ What if I prefer to manage my production values from the cli?
You can do that. In fact, a lot of our users prefer it so they can maintain their own custom DevOps flows. Run the command npx dotenv-vault pull production to do it.
Step 3
dotenv-vault works everywhere you already deploy your code. Run the build command to generate your encrypted .env.vault file, commit that safely to code, and deploy. There's nothing else like it.
$ npx dotenv-vault build
This is better than using tools like Doppler or Infisical that increase your attack surface area by syncing your secrets to third parties. Those tools don't protect you from third-party risks like the CircleCI breach. dotenv-vault does.
ⓘ Is it safe to commit my encrypted secrets to code?
Yes. AES-256-GCM encryption was developed for the needs of US Government agencies like the CIA. AES-256 takes billions of years to crack using current computing technology. Your secrets are much more likely to be leaked by a third party. This is why we are so committed to this technology while everyone else is focused on syncing secrets to third-party integrations. They are taking a terrible risk with your secrets.
ⓘ How does it protect me from third-party breaches like CircleCI?
In the CircleCI breach the attacker accessed environment variables only. They could not access codebases. To steal your encrypted .env.vault secrets they would need both – the decryption key (stored as an environment variable), AND the codebase's encrypted .env.vault file.
ⓘ Is this a new standard?
Not officially, but that is our goal. We're building things in a way that a proprietary service is not necessary. As long as you can generate a .env.vault file you can use the technology. It is open to all.
ⓘ What languages are supported?
dotenv-vault works with node, ruby, python, and php so far. If you like the .env.vault concept and know a language well, consider creating the library for it in that language. It could be used by millions of developers someday!
ⓘ Will dotenv get first class support for decrypting .env.vault files?
Yes, eventually. For now, we are still working through the rough spots of the technology and developer experience. Our docs instruct you to use dotenv-vault-core until then.
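The split behind the CircleCI answer above, as an added example (not dotenv-vault's own code): an AES-256-GCM blob committed with the code opens only when paired with the key held in an environment variable, and a wrong key or an altered blob is rejected. The blob layout (base64 of 12-byte nonce, ciphertext, 16-byte tag), the function names and the sample values are assumptions made for this illustration.

```javascript
const crypto = require('node:crypto');

// Assumed layout for this example: base64(nonce[12] || ciphertext || tag[16]).
function sealEnv(plaintext, key) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]).toString('base64');
}

function openEnv(blobB64, key) {
  const blob = Buffer.from(blobB64, 'base64');
  if (key.length !== 32 || blob.length < 28) throw new Error('malformed key or blob');
  const nonce = blob.subarray(0, 12);
  const tag = blob.subarray(blob.length - 16);
  const body = blob.subarray(12, blob.length - 16);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify (wrong key or modified data).
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Minimal KEY=value parser; strips one pair of matching surrounding quotes.
function parseEnv(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (m) out[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2');
  }
  return out;
}

// Returns the parsed variables, or null when the key is wrong or the blob was altered.
function tryOpen(blobB64, keyHex) {
  try { return parseEnv(openEnv(blobB64, Buffer.from(keyHex, 'hex'))); }
  catch { return null; }
}

function demo() {
  const keyHex = crypto.randomBytes(32).toString('hex'); // held only in the platform's env vars
  const sample = 'API_TOKEN=constructed-sample\nDB_URL="postgres://example.invalid/app"\n';
  const vault = sealEnv(sample, Buffer.from(keyHex, 'hex')); // committed alongside the code
  const flipped = Buffer.from(vault, 'base64');
  flipped[20] ^= 1; // one ciphertext bit changed
  return {
    bothHalves: tryOpen(vault, keyHex),
    wrongKey: tryOpen(vault, crypto.randomBytes(32).toString('hex')),
    tampered: tryOpen(flipped.toString('base64'), keyHex),
  };
}
console.log(demo());
```

Because GCM is authenticated, a modified blob fails closed instead of decrypting to altered values.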
dotenv-vault integrates everywhere you already deploy your code. If you can deploy your code there, you can use dotenv-vault. That's more than any competing solution.
Here's a small selection of them. Your team could be next.
FirstVet trusts dotenv-vault to keep their secrets safe while helping you keep your pets healthy. With their app, you can talk to a vet online at the click of a button.
firstvet.com
When it comes to SecretOps, Supernova, one of the world's premier DesignOps solutions, reaches for dotenv-vault.
supernova.io
Honeylove, a YC company, makes body-shaping apparel designed to make you feel more confident and improve your posture. When it comes to their security posture, they choose dotenv-vault.
honeylove.com / yc
Sound is a collaborative music discovery platform built on web3 technology and values. For their secrets, they trust dotenv-vault.
sound.xyz
Alameda County is one of the most innovative counties in the United States. Home to 1.7 million people, in cities like Berkeley and Oakland, they use and trust dotenv-vault.
acgov.org
Built on blockchain technology, Snackclub is a gaming community that uses dotenv-vault to keep their secrets safe.
snackclub.gg
5 Million+ users trust Zengaming's Tradeit.gg and Lootbear.com products. dotenv-vault helps support these users by powering Zengaming's secrets.
zengaming.com
HappyMoney is a unicorn-sized company that has raised almost $200 million. For keeping their secrets safe, they chose dotenv-vault as the superior option.
happymoney.com
Sungage Financial innovates in the solar space, making it so more people can have solar. To innovate on their secrets they chose dotenv-vault.
sungagefinancial.com
✅ Sync your first .env file
✅ Set a production value in the UI
✅ Deploy your encrypted .env.vault for the first time