Security is an ever-moving target - an arms race. But that doesn't mean it should be hard to use. Good design can make complex things simple, and that is what we are after at Dotenv.
Dotenv is a security tool. It has been since it was first developed in 2013. We saw developers struggling to keep their secrets safe, so we pioneered the .env file format standard. The design led to better DSX (Developer Security Experience) - which led to safer secrets for millions of developers.
What is the problem with .env files today?
The world has changed. Developers manage secrets at greater scale than a decade ago.
.env files are not easily shareable between machines, environments, and team members. As a result, developers often share secrets over Slack and email. It's not scalable and is fraught with security risks. For a CTO or CSO it is a risk they should not take.
The other side of the coin is not so good either. Complex security software like HashiCorp Vault is difficult to fully understand and introduces new friction, complexities, and attack vectors. Friction and complexity almost always lead to negative security events because people are lazy.
But another word for lazy in software is elegance. Developers often chose .env because it was an elegant security alternative. Elegance has a great deal of value when it comes to security because it increases the likelihood of an individual working toward security rather than against it.
So all this said, we have an elegant solution for yesteryear and new problems today. What do we do?
The .env.vault Solution
We've decided to introduce the .env.vault file format and a few supporting file formats to make syncing, encrypting, and deploying your secrets elegant and safe at modern scale.
It's an exciting development, and we hope you come on this journey with us. We remember when people were telling us the .env file was unnecessary, too simple, just put your secrets in code!, etc. .env.vault is predictably getting some of the same pushback, but we are just as confident the .env.vault file format standard will follow the same adoption trajectory as the .env file format.
Get involved early with its development and usage! Try it out, contribute to its development, and keep your secrets safer.
Tried and true. For development secrets
Modern encryption standard for deploying secrets just-in-time
Authorizes you to access a project's shared .env file
The DOTENV_KEY unlocks your encrypted .env.vault secrets
Integration tokens, also known as IT tokens, are limited access tokens
Vault stores your secrets securely