dotenv-vault rotatekey

Rotate a project environment's DOTENV_KEY.


1. Run rotatekey command

Specify the environment. In the example below, we're rotating our production DOTENV_KEY.

$ npx dotenv-vault rotatekey production
remote:   Rotating decryption key... done
dotenv://:[email protected]/vault/.env.vault?environment=production

1. Update DOTENV_KEY by comma-appending the new value
2. Rebuild and deploy your .env.vault file
3. Update DOTENV_KEY by removing the old value

DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production,dotenv://:[email protected]/vault/.env.vault?environment=production'

2. Append the new DOTENV_KEY

Go to the server or hosting platform where you previously set your DOTENV_KEY value, and comma-append the new value to it.

For example, here is how you might set it on Heroku.

heroku config:set DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production,dotenv://:[email protected]/vault/.env.vault?environment=production' 

Note that the new value comes after the old one. The order doesn't matter, but we recommend placing the new value at the end so that you remember to delete the old (leading) value after you deploy.

3. Build and deploy

Next, we need to rebuild our encrypted .env.vault file with the new encryption key. Run dotenv-vault build.

$ npx dotenv-vault build

Commit the rebuilt .env.vault file to source control and deploy.

That's it! Your code will now be running off the new DOTENV_KEY.

4. Clean up old value

It is a good idea to clean up the old value.

Return to your server and remove the old value from the comma-separated DOTENV_KEY list. On Heroku, it might look like this:

heroku config:set DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production' 

Nice work rotating your keys! If you really want to go the extra mile, you can automate this in your CI/CD process. That way you rotate your decryption key on a set schedule, every quarter for example.
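
Why the steps run in this order, as an added example (not code from this page or from the dotenv project): a simplified Node.js model of a loader that tries each comma-separated DOTENV_KEY entry against an AES-256-GCM encrypted vault. The payload layout, the way the key is taken from the URI password, the host example.invalid, and every key and secret are assumptions constructed for the illustration.

```javascript
// Added illustration; every key, URI and secret below is constructed.
const crypto = require('node:crypto');

// Assumption: the AES-256-GCM key is the last 64 hex chars of the URI password.
const keyFromUri = (uri) => Buffer.from(new URL(uri).password.slice(-64), 'hex');

// Assumed payload layout: base64(nonce[12] || ciphertext || authTag[16]).
function encrypt(plaintext, uri) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', keyFromUri(uri), nonce);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]).toString('base64');
}

function decrypt(blob, uri) {
  const raw = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', keyFromUri(uri), raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(-16));
  return Buffer.concat([d.update(raw.subarray(12, -16)), d.final()]).toString('utf8');
}

// Try each comma-separated entry; GCM tag verification rejects a wrong key.
function loadVault(blob, dotenvKey) {
  for (const uri of dotenvKey.split(',').map((s) => s.trim()).filter(Boolean)) {
    try { return decrypt(blob, uri); } catch (err) { /* wrong key: try the next one */ }
  }
  throw new Error('no entry in DOTENV_KEY decrypts this .env.vault');
}

const makeKey = (hexDigit) =>
  `dotenv://:key_${hexDigit.repeat(64)}@example.invalid/vault/.env.vault?environment=production`;
const OLD_KEY = makeKey('a');
const NEW_KEY = makeKey('b');

function rotationWalkthrough() {
  const oldBuild = encrypt('API_TOKEN=constructed-old', OLD_KEY); // release currently running
  const newBuild = encrypt('API_TOKEN=constructed-new', NEW_KEY); // after rotatekey + build
  const works = (blob, keys) => { try { loadVault(blob, keys); return true; } catch (err) { return false; } };
  return {
    oldBuildBothKeys: works(oldBuild, `${OLD_KEY},${NEW_KEY}`), // step 2: nothing breaks yet
    newBuildBothKeys: works(newBuild, `${OLD_KEY},${NEW_KEY}`), // step 3: new release loads
    newBuildReversed: works(newBuild, `${NEW_KEY},${OLD_KEY}`), // order does not matter
    newBuildOldOnly: works(newBuild, OLD_KEY),                  // deploying before step 2 fails
    newBuildNewOnly: works(newBuild, NEW_KEY),                  // step 4: old value can go
  };
}

console.log(rotationWalkthrough());
```

The one failing case, a new build loaded with only the old key, is what happens if the rebuilt vault is deployed before the new value has been appended.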

Command Details

For more information on the rotatekey command, run dotenv-vault help rotatekey.

$ npx dotenv-vault help rotatekey

  $ dotenv-vault rotatekey [ENVIRONMENT] [-m ] [-y]

  ENVIRONMENT  Set environment to rotate. Required.

  -m, --dotenvMe=  Pass (DOTENV_ME) credential directly (rather than reading from file)
  -y, --yes               Automatic yes to prompts. Assume yes to all prompts and run non-interactively.


  $ dotenv-vault rotatekey