Proven. Trusted. Secure.
From the same people that pioneered dotenv - trusted by more than 2.5 million developers.
Trust is earned. You and 2.5 million+ developers trust us with securing your secrets through dotenv. Thank you. It’s a solid foundation, but the challenges for Dotenv Vault are different and we are earning your trust again.
Let’s get started. See how it works below.
Learn more about security in the security docs.
Here's additional specifications that went into build Dotenv Vault.
✓ The Dotenv Vault is a separate datastore from the application database. This way if an attacker gains access to the application database they do not gain access to the vault datastore.
✓ The Dotenv Vault datastore is not accessible via the internet and all external connections are prevented. This way an attacker can not remotely access the Dotenv Vault datastore.
✓ Encrypted clients are required and these clients have to go through the application - which has its own layers of encryption.
✓ There are stricter TLS requirements for connecting to the Dotenv Vault datastore. TLS 1.0 cannot be used to connect.
✓ The secrets stored in the Dotenv Vault are not just encrypted at the datastore level. They are also encrypted at each VALUE. This way even if an attacker gains access to the datastore they could not make sense of the encrypted values.
✓ The VAULT does NOT store the KEY. It ONLY stores the VALUE. The KEY is stored in the application database and a shared pointer (in both datastores) allows them to be identified as a pair. This way an attacker must gain access to both the application database and the Dotenv Vault datastore to make sense of the values.
✓ The encryption key(s) used to encrypt the secret values are rotated on an unpublished schedule. This way an attacker might gain access to an old encryption key but not the most recent - foiling their ability to decrypt the secret values.
✓ Encryption uses AES-GCM encryption. It is a well-studied, NIST recommended, and IEFT standard algorithim.
As you see, we go to great lengths to make sure your secrets are safe. Afterall, we keep our secrets here too.
A message from Dotenv's Founder & CTO.
As you already know, security is an evermoving target - an arms race. But that doesn’t mean it should be hard to use. Good design can make complex things simple, and that is what we are after at Dotenv.
Dotenv is a security tool. It has been since it was first developed in 2013. We saw developers struggling to keep their secrets safe so we pioneered the .env security file format standard. The design led to a better Developer Security Experience - which led to safer secrets for millions of developers. Today, we are taking that to the next logical step.
What is the problem with .env files today? The world has changed. Developers manage secrets at greater scale than a decade ago. .env files are not easily shareable between machines, environments, and team members. As a result, developers share secrets over Slack, email, and other messaging services. It’s not scaleable and is a security risk. For a CTO or CSO it is a risk they should not take.
So, today, we are extending the .env file format to support syncing across machines, environments, and team members. It’s an exciting development and we welcome you to go on this journey with us.
Founder & CTO