Serious security for your engineering team.
Dotenv Vault holds your secrets in a secure and sophisticated way.
We've been trusted with securing hundreds of billions of secrets through our dotenv node module, and we are bringing the same level of trust to Dotenv Vault.
See how it works below.
Sincerely,
Scott Motte
Founder & CTO
aka Mot
Dotenv Vault is easy to use, making security easy to do.
Step 1
Create a project at Dotenv Vault. Similar to GitHub.
$ npx dotenv-vault new
Step 2
Push your .env securely to Dotenv Vault.
$ npx dotenv-vault push
Step 3
Notify your team to pull the latest .env.
$ npx dotenv-vault pull
🎉 That's it!
Dotenv Vault holds your secrets in a secure and sophisticated way.
Step 1
npx dotenv-vault push
You run npx dotenv-vault push. The request is started.
Step 2
Encrypted Connection
The .env file is encrypted and sent securely over SSL to Dotenv's in-memory servers.
Step 3
Dotenv Servers
This encrypted payload is decrypted and briefly held in memory to complete the next steps. Afterward, the memory is flushed. Rest assured the decrypted version is never persisted to Dotenv systems.
Step 4
Parsing
The .env file is parsed line by line - in memory.
Note: There are some differences between dotenv parsers across various languages and frameworks. So far Dotenv Vault handles these 100%, and we continue to add test cases to cover all edge cases.
Step 5
Secret Extraction
Each key/value pair (and any comments) is extracted - in memory.
Step 6
Secret Division
The secret is divided into its separate key and value. This is by design. They will be stored in separate databases for added security. This way if an attacker somehow gained access to one database they would not be able to make sense of the data - having only half of the puzzle.
Step 7
Encryption: AES-GCM Algorithm
The KEY is encrypted. The VALUE is encrypted. They are encrypted with different master encryption keys. This way if an attacker somehow gained access to the VALUE decryption key they would find the data useless. They would not know if the secret belonged to Twilio or to AWS.
Encryption uses the AES-GCM algorithm. It is:
Additionally, all master encryption keys are rotated on an unpublished schedule, further adding to the level of security.
Dotenv Vault Store
Step 8
Tokenization: VALUE
The encrypted VALUE is sent to Dotenv Vault for safe storage. A token is returned as an identifier. The token is used in the next step for mapping the KEY to the VALUE for later secure-read operations.
Multiple security measures go into the Vault. They include but are not limited to:
Dotenv Application Database
Step 9
Store Key Part with Token
Lastly, the encrypted KEY and token (representing the encrypted VALUE) are placed in an envelope and stored together in the application database.
Step 10
Success 201
A success message is returned to the user.
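The division, encryption, tokenization and envelope steps above can be sketched in Node.js. This is an added illustration, not Dotenv Vault's code: the function names, the in-memory Map and array standing in for the Vault store and the application database, and the inline-generated master keys are all assumptions.

```javascript
// Added sketch of Steps 6-9; not Dotenv Vault's implementation. All names are hypothetical.
const crypto = require('node:crypto');

// Two independent master keys (constructed inline; assumed to live in a KMS in practice).
const KEY_MASTER = crypto.randomBytes(32);
const VALUE_MASTER = crypto.randomBytes(32);

const vaultStore = new Map(); // stand-in for the Vault store: token -> encrypted VALUE
const appDb = [];             // stand-in for the application database: envelopes

// AES-256-GCM encrypt; output is base64(iv || tag || ciphertext).
function seal(masterKey, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// AES-256-GCM decrypt; final() throws if the key is wrong or the data was modified.
function unseal(masterKey, sealed) {
  const buf = Buffer.from(sealed, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, buf.subarray(0, 12));
  decipher.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]).toString('utf8');
}

function storeSecret(line) {
  const idx = line.indexOf('=');                     // Secret Division: split on the first '='
  const key = line.slice(0, idx);
  const value = line.slice(idx + 1);
  const token = crypto.randomUUID();                 // Tokenization: opaque id, unrelated to the value
  vaultStore.set(token, seal(VALUE_MASTER, value));  // encrypted VALUE goes to the vault
  const envelope = { encKey: seal(KEY_MASTER, key), token };
  appDb.push(envelope);                              // encrypted KEY + token go to the app database
  return envelope;
}

// A secure read needs both stores and both master keys.
function readSecret(envelope) {
  return {
    key: unseal(KEY_MASTER, envelope.encKey),
    value: unseal(VALUE_MASTER, vaultStore.get(envelope.token)),
  };
}
```

Dumping `appDb` alone yields only encrypted KEYs and tokens, and dumping `vaultStore` alone yields only encrypted VALUEs with no name attached.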
We keep our secrets here too.
As you can see, we go to great lengths to make sure your secrets are safe. After all, we keep our secrets here as well.
Join millions of developers that already trust and use Dotenv.
Dotenv Vault supports a wide range of 1-Click integrations. Managing environment variables across your infrastructure has never been easier.
💛 Est. 2013