Deploy .env.vault files in production
Deploy your encrypted .env.vault files to production (or staging or ci) using this quickstart guide.
Begin by building your project's encrypted .env.vault file. It securely encrypts your secrets in a cloud-agnostic payload.
npx dotenv-vault build
Commit that safely to code.
git add .env.vault
git commit -am "Build encrypted .env.vault file for deploy"
Fetch your production decryption key, the DOTENV_KEY, to decrypt your .env.vault file.
npx dotenv-vault keys production
This will output your production DOTENV_KEY. Use it to run your application in production mode locally, as a quick test.
You will know it is working if you see the log message "Loading env from encrypted .env.vault".
DOTENV_KEY decrypts the production contents of .env.vault and injects its secrets just-in-time into your running process. All that's left to do is set your DOTENV_KEY on your production server and deploy your code.
Set your production DOTENV_KEY on your server. For example, on Heroku you set it with their CLI (the key below is a placeholder; use the value printed by the keys command):
$ heroku config:set DOTENV_KEY='dotenv://:key_<your-production-key>@dotenv.org/vault/.env.vault?environment=production'
Congrats! You now understand how .env.vault files work.
This is much safer than syncing your secrets to third parties, where they could leak. CircleCI had a secrets breach not long ago. .env.vault protects you from breaches like that: an attacker would have to get their hands on both your DOTENV_KEY AND your codebase.
In addition, you now have a single source of truth that is easy to manage. Make a change in the UI, run the build command, and redeploy. Spend less time juggling secrets and more time coding.
The best part is that the technology is platform and framework agnostic. We've compiled a list of almost 100 guides (so far) covering the most common platforms and frameworks.
Thanks for using Dotenv!
What happens if DOTENV_KEY is not set?
It gracefully falls back to loading from your .env file. This is the default for development, so that you can focus on editing your .env file and save the build command until you are ready to deploy those environment variable changes.
Should I commit my .env.vault file?
Yes. It is safe and recommended to do so. It contains your encrypted envs and your vault identifier.
Can I share the DOTENV_KEY?
No. It is the key that unlocks your encrypted environment variables. Be very careful who you share this key with. Do not let it leak.
Should I commit my .env file?
No. We strongly recommend against committing your .env file to version control. It should only include environment-specific values such as database passwords or API keys. Your production database should have a different password than your development database.