Deploy .env.vault files in production

Deploy your encrypted .env.vault files to production (or staging or ci) using this quickstart guide.

Build .env.vault

Begin by building your project's encrypted .env.vault file. It securely encrypts your secrets in a cloud-agnostic payload.

npx dotenv-vault build

Commit that safely to code.

git add .env.vault
git commit -am "Build encrypted .env.vault file for deploy"


Fetch your production decryption key - the DOTENV_KEY - to decrypt your .env.vault file.

npx dotenv-vault keys production

This will output your production DOTENV_KEY.

Use that DOTENV_KEY to run your application in production mode locally - as a quick test.

DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production' node index.js
# visit http://localhost:3000

You will know it is working if you see the log message Loading env from encrypted .env.vault.

$ quickstart: DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production' node index.js
[[email protected]][INFO] Loading env from encrypted .env.vault
Example app listening on port 3000

The DOTENV_KEY decrypts the production contents of .env.vault and injects its secrets just-in-time to your running process. All that's left to do is set your DOTENV_KEY on your production server and deploy your code.


Set your production DOTENV_KEY on your server. For example, on Heroku you set it with their cli.

$ heroku config:set DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production'

Here's a video showing the entire process.


Congrats! You now understand how .env.vault files work.

This is much safer than syncing your secrets to third-parties where they could leak. CircleiCi had a secrets breach not long ago. .env.vault protects you from breaches like that. An attacker would have to get their hands on both your DOTENV_KEY AND your codebase.

In addition, you now have a single source of truth that is easy to manage. Make a change in the UI, run the build command, and redeploy. Spend less time juggling secrets and more time coding.

The best part is the technology is platform and framework agnostic. We've compiled a list of almost 100 guides (so far). Linked below are some of our most-visited guides. Click a logo and get started.

Thanks for using Dotenv!


What happens if DOTENV_KEY is not set?

It gracefully falls back to loading from your .env file. This is the default for development so that you can focus on editing your .env file and save the build command until you are ready to deploy those environment variables changes.

Should I commit my .env.vault file?

Yes. It is safe and recommended to do so. It contains your encrypted envs, and your vault identifier.

Can I share the DOTENV_KEY?

No. It is the key that unlocks your encrypted environment variables. Be very careful who you share this key with. Do not let it leak.

Should I commit my .env file?

No. We strongly recommend against committing your .env file to version control. It should only include environment-specific values such as database passwords or API keys. Your production database should have a different password than your development database.