dotenv-vault is a cli to sync .env files across machines, environments, and team members.
Note
dotenv-vault is a paid only cloud service for syncing your .env files (as of May 2025).
Looking for a free cloud-less alternative? See my new product dotenvx – that lets you:
- encrypt your .env files
- commit them to code
- and securely sync them over git
It works with a single command. Run npx dotenv-vault@latest push.
npx dotenv-vault@latest pushremote: Securely pushing (.env)... done
remote: Securely pushed development (.env)
remote: Securely built vault (.env.vault)
That's it. You securely synced your .env file. Next, tell your teammate to run npx dotenv-vault@latest pull
npx dotenv-vault@latest pullNice!
See further usage and commands.
When you make a change to your .env file, push it up.
$ npx dotenv-vault@latest pushCommit your .env.vault file safely to code.
$ git add .env.vault
$ git commit -am "Add .env.vault"
$ git pushNow your teammate can pull the latest .env changes.
$ git pull
$ npx dotenv-vault@latest pullThat's it!
Stop scattering your production secrets across multiple third-parties and tools. Instead, use an encrypted .env.vault file.
Generate your encrypted .env.vault file.
$ npx dotenv-vault@latest buildFetch your production DOTENV_KEY.
$ npx dotenv-vault@latest keys production
remote: Listing .env.vault decryption keys... done
dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=productionSet DOTENV_KEY on your server.
# heroku example
heroku config:set DOTENV_KEY=dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=productionCommit your .env.vault file safely to code and deploy.
$ git add .env.vault
$ git commit -am "Update .env.vault"
$ git push
$ git push heroku main # heroku exampleThat's it! On deploy, your .env.vault file will be decrypted and its secrets injected as environment variables – just in time.
After you've pushed your .env file, dotenv-vault automatically sets up multiple environments. Manage multiple environments with the included UI. learn more
$ npx dotenv-vault@latest open production
That's it! Manage your ci, staging, and production secrets from there.
Would you also like to pull your production .env to your machine? Run the command:
$ npx dotenv-vault@latest pull production
Vercel
Heroku
GitHub Actions
GitLab CI/CD
Netlify
Docker
CircleCI
Serverless
Railway
Render
Travis CI
Google Cloud
Fly.io
Slack
Buddy
Cloud66
Digital Ocean
Dagger
Bitbucket
Node.js
Express
NextJS
Remix
Astro
Rails
Ruby
Sinatra
Flask
Python
Supabase
Pulumi
Angular
Nuxt
Vite
$ npx dotenv-vault@latest help
Create your project at Dotenv Vault.
Example:
$ npx dotenv-vault@latest new[DOTENV_VAULT]
Set .env.vault identifier. Defaults to generated value.
$ npx dotenv-vault@latest new vlt_6beaae5…
local: Adding .env.vault (DOTENV_VAULT)... done
local: Added to .env.vault (DOTENV_VAULT=vlt_6beaa...)
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
Log in to dotenv-vault.
Example:
$ npx dotenv-vault@latest login[DOTENV_ME]
Set .env.me identifier. Defaults to generated value.
$ npx dotenv-vault@latest login me_00c7fa…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest login -y
Log out of dotenv-vault.
Example:
$ npx dotenv-vault@latest logout-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest logout -y
Push .env securely.
Example:
$ npx dotenv-vault@latest push[ENVIRONMENT]
Set environment to push to. Defaults to development
$ npx dotenv-vault@latest push production
[FILENAME]
Set input filename. Defaults to .env for development and .env.{environment} for other environments
$ npx dotenv-vault@latest push production .env.production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault@latest push --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest push -y
Pull .env securely.
Example:
$ npx dotenv-vault@latest pull[ENVIRONMENT]
Set environment to pull from. Defaults to development
$ npx dotenv-vault@latest pull production
[FILENAME]
Set output filename. Defaults to .env for development and .env.{environment} for other environments
$ npx dotenv-vault@latest pull production .env.production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault@latest pull --dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest pull -y
If you want to pull a specific version you can do so. For example,
npx dotenv-vault@latest pull development@v14
Open project page.
Example:
$ npx dotenv-vault@latest open[ENVIRONMENT]
Set environment to open to. Defaults to development.
$ npx dotenv-vault@latest open production
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest open -y
Display the current logged in user.
Example:
$ npx dotenv-vault@latest whoami-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault@latest whoami dotenvMe=me_b1831e…
Build .env.vault file.
Example:
$ npx dotenv-vault@latest build-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault@latest build dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest build -y
List .env.vault decryption keys.
Example:
$ npx dotenv-vault@latest keys[ENVIRONMENT]
Set environment. Defaults to all.
$ npx dotenv-vault@latest keys production…
remote: Listing .env.vault decryption keys... done
dotenv://:[email protected]/vault/.env.vault?environment=production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault@latest keys dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest keys -y
Rotate DOTENV_KEY.
Example:
$ npx dotenv-vault@latest rotatekey production-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault@latest rotatekey dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest rotatekey -y
Decrypt .env.vault locally.
Example:
$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=development[DOTENV_KEY]
Set DOTENV_KEY to decrypt .env.vault. Development key will decrypt development, production will decrypt production, and so on.
$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=development
List version history.
Example:
$ npx dotenv-vault@latest versions[ENVIRONMENT]
Set environment to check versions against. Defaults to development.
$ npx dotenv-vault@latest versions production
-m, --dotenvMe
Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)
$ npx dotenv-vault@latest versions dotenvMe=me_b1831e…
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
$ npx dotenv-vault@latest versions -y
If you want to pull a specific version you can do so. For example,
npx dotenv-vault@latest pull development@v14
First, make sure you are using [email protected] or greater. (If you are using a different language make sure you have installed one of its libraries.)
Second, test decryption is working locally.
$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=production
# outputs environment variablesThird, test decryption on boot is working locally.
$ DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production' npm start
# boots your app with production envsYes. It is safe and recommended to do so. DO commit your .env.vault file to code. DO NOT commit your .env file. The .env.vault file contains ciphertext generated using AES-256. AES-256 is trusted by the US Government to transmit top-secret information and has a brute-force timescale of about a billion years.
Does that attacker also have access to your .env.vault file?
- No: good, the attacker cannot do any damage. They need both the
DOTENV_KEYand.env.vaultfile to access your secrets. This extra layer of security sets the.env.vaultfile apart as a superior solution to other SecretOps solutions. - Yes: IMMEDIATELY start rotating your secrets at your third-party API providers. This scenario would be the same no matter what SecretOps solution you use.
After completing the above, rotate your DOTENV_KEY using the rotatekey command, rebuild your .env.vault file, and redeploy.
It safer than scattering your secrets across multiple cloud providers. Those providers are focused on code deployment and server performance over secrets security.[1]
Dotenv Vault's singular focus is secrets security, and as a result we go to great lengths to make sure your secrets are safe. Afterall, we keep our secrets here too.[2]
The .env.vault file and its encryption algorithm is language-agnostic so technically it works with any language. We've built convenience libraries for it in a handful of languages and are adding more quickly.
With dotenvx you put your development, staging, ci, and production secrets IN your code - as encrypted .env.* files. So for example, to do production you would
- Create
.env.productionwithHELLO=production(or in dotenv-vault's casenpx dotenv-vault@latest pull production) - Run
dotenvx encrypt -f .env.productionto encrypt it - Commit that to code
Then when deploying your codebase you put dotenvx run -- out front of your run command.
- Add
dotenvx run -- yourstartcommand - Set
DOTENV_PRIVATE_KEY_PRODUCTIONon the server - On boot
dotenvx runwill read the private key and use it to decrypt and inject your secrets just in time as environment variables
Here's a quickstart guide
See CONTRIBUTING.md
See CHANGELOG.md
MIT