npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

dotenv-vault

v1.27.0

Published

A secrets manager for .env files – from the same people that pioneered dotenv.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

motdotlamotdotla

Keywords

dotenvdotenv-vaultenv.envenvironmentvariablesconfigsettings

Readme

dotenv-vault is a cli to sync .env files across machines, environments, and team members.

NPM Version

 

[!NOTE] dotenv-vault is a paid only cloud service for syncing your .env files (as of May 2025).

Looking for a free cloud-less alternative? See my new product dotenvx – that lets you:

  • encrypt your .env files
  • commit them to code
  • and securely sync them over git

🌱 Install

It works with a single command. Run npx dotenv-vault@latest push.

npx dotenv-vault@latest push
remote:   Securely pushing (.env)... done
remote:   Securely pushed development (.env)
remote:   Securely built vault (.env.vault)

That's it. You securely synced your .env file. Next, tell your teammate to run npx dotenv-vault@latest pull

npx dotenv-vault@latest pull

Nice!

See further usage and commands.

🏗️ Usage

When you make a change to your .env file, push it up.

$ npx dotenv-vault@latest push

Commit your .env.vault file safely to code.

$ git add .env.vault
$ git commit -am "Add .env.vault"
$ git push

Now your teammate can pull the latest .env changes.

$ git pull
$ npx dotenv-vault@latest pull

That's it!

Learn more about usage

🚀 Deploying

Stop scattering your production secrets across multiple third-parties and tools. Instead, use an encrypted .env.vault file.

Generate your encrypted .env.vault file.

$ npx dotenv-vault@latest build

Fetch your production DOTENV_KEY.

$ npx dotenv-vault@latest keys production
remote:   Listing .env.vault decryption keys... done
dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production

Set DOTENV_KEY on your server.

# heroku example
heroku config:set DOTENV_KEY=dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production

Commit your .env.vault file safely to code and deploy.

$ git add .env.vault
$ git commit -am "Update .env.vault"
$ git push
$ git push heroku main # heroku example

That's it! On deploy, your .env.vault file will be decrypted and its secrets injected as environment variables – just in time.

Learn more about deploying

🌴 Manage Multiple Environments

After you've pushed your .env file, dotenv-vault automatically sets up multiple environments. Manage multiple environments with the included UI. learn more

$ npx dotenv-vault@latest open production

That's it! Manage your ci, staging, and production secrets from there.

Would you also like to pull your production .env to your machine? Run the command:

$ npx dotenv-vault@latest pull production

Learn more about environments

📚 Examples

See more integration guides

📖 Commands

$ npx dotenv-vault@latest help

new

Create your project at Dotenv Vault.

Example:

$ npx dotenv-vault@latest new
ARGUMENTS

[DOTENV_VAULT]

Set .env.vault identifier. Defaults to generated value.

$ npx dotenv-vault@latest new vlt_6beaae5…
local:    Adding .env.vault (DOTENV_VAULT)... done
local:    Added to .env.vault (DOTENV_VAULT=vlt_6beaa...)
FLAGS

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

login

Log in to dotenv-vault.

Example:

$ npx dotenv-vault@latest login
ARGUMENTS

[DOTENV_ME]

Set .env.me identifier. Defaults to generated value.

$ npx dotenv-vault@latest login me_00c7fa…
FLAGS

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest login -y

logout

Log out of dotenv-vault.

Example:

$ npx dotenv-vault@latest logout
FLAGS

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest logout -y

push

Push .env securely.

Example:

$ npx dotenv-vault@latest push
ARGUMENTS

[ENVIRONMENT]

Set environment to push to. Defaults to development

$ npx dotenv-vault@latest push production

[FILENAME]

Set input filename. Defaults to .env for development and .env.{environment} for other environments

$ npx dotenv-vault@latest push production .env.production
FLAGS

-m, --dotenvMe

Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)

$ npx dotenv-vault@latest push --dotenvMe=me_b1831e…

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest push -y

pull

Pull .env securely.

Example:

$ npx dotenv-vault@latest pull
ARGUMENTS

[ENVIRONMENT]

Set environment to pull from. Defaults to development

$ npx dotenv-vault@latest pull production

[FILENAME]

Set output filename. Defaults to .env for development and .env.{environment} for other environments

$ npx dotenv-vault@latest pull production .env.production
FLAGS

-m, --dotenvMe

Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)

$ npx dotenv-vault@latest pull --dotenvMe=me_b1831e…

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest pull -y

If you want to pull a specific version you can do so. For example,

npx dotenv-vault@latest pull development@v14

open

Open project page.

Example:

$ npx dotenv-vault@latest open
ARGUMENTS

[ENVIRONMENT]

Set environment to open to. Defaults to development.

$ npx dotenv-vault@latest open production
FLAGS

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest open -y

whoami

Display the current logged in user.

Example:

$ npx dotenv-vault@latest whoami
FLAGS

-m, --dotenvMe

Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)

$ npx dotenv-vault@latest whoami dotenvMe=me_b1831e…

build

Build .env.vault file.

Example:

$ npx dotenv-vault@latest build
FLAGS

-m, --dotenvMe

Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)

$ npx dotenv-vault@latest build dotenvMe=me_b1831e…

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest build -y

keys

List .env.vault decryption keys.

Example:

$ npx dotenv-vault@latest keys
ARGUMENTS

[ENVIRONMENT]

Set environment. Defaults to all.

$ npx dotenv-vault@latest keys production…
remote:   Listing .env.vault decryption keys... done
dotenv://:[email protected]/vault/.env.vault?environment=production
FLAGS

-m, --dotenvMe

Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)

$ npx dotenv-vault@latest keys dotenvMe=me_b1831e…

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest keys -y

rotatekey

Rotate DOTENV_KEY.

Example:

$ npx dotenv-vault@latest rotatekey production
FLAGS

-m, --dotenvMe

Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)

$ npx dotenv-vault@latest rotatekey dotenvMe=me_b1831e…

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest rotatekey -y

decrypt

Decrypt .env.vault locally.

Example:

$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=development
ARGUMENTS

[DOTENV_KEY]

Set DOTENV_KEY to decrypt .env.vault. Development key will decrypt development, production will decrypt production, and so on.

$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=development

versions

List version history.

Example:

$ npx dotenv-vault@latest versions
ARGUMENTS

[ENVIRONMENT]

Set environment to check versions against. Defaults to development.

$ npx dotenv-vault@latest versions production
FLAGS

-m, --dotenvMe

Pass .env.me (DOTENV_ME) credential directly (rather than reading from .env.me file)

$ npx dotenv-vault@latest versions dotenvMe=me_b1831e…

-y, --yes

Automatic yes to prompts. Assume yes to all prompts and run non-interactively.

$ npx dotenv-vault@latest versions -y

If you want to pull a specific version you can do so. For example,

npx dotenv-vault@latest pull development@v14

❓ FAQ

Why is the .env.vault file not decrypting my environment variables successfully?

First, make sure you are using [email protected] or greater. (If you are using a different language make sure you have installed one of its libraries.)

Second, test decryption is working locally.

$ npx dotenv-vault@latest decrypt dotenv://:[email protected]/vault/.env.vault?environment=production
# outputs environment variables

Third, test decryption on boot is working locally.

$ DOTENV_KEY='dotenv://:[email protected]/vault/.env.vault?environment=production' npm start
# boots your app with production envs

Should I commit my .env.vault file?

Yes. It is safe and recommended to do so. DO commit your .env.vault file to code. DO NOT commit your .env file. The .env.vault file contains ciphertext generated using AES-256. AES-256 is trusted by the US Government to transmit top-secret information and has a brute-force timescale of about a billion years.

I accidentally leaked my DOTENV_KEY, what can I do?

Does that attacker also have access to your .env.vault file?

  • No: good, the attacker cannot do any damage. They need both the DOTENV_KEY and .env.vault file to access your secrets. This extra layer of security sets the .env.vault file apart as a superior solution to other SecretOps solutions.
  • Yes: IMMEDIATELY start rotating your secrets at your third-party API providers. This scenario would be the same no matter what SecretOps solution you use.

After completing the above, rotate your DOTENV_KEY using the rotatekey command, rebuild your .env.vault file, and redeploy.

Is it safe to store my secrets with dotenv-vault?

It safer than scattering your secrets across multiple cloud providers. Those providers are focused on code deployment and server performance over secrets security.[1]

Dotenv Vault's singular focus is secrets security, and as a result we go to great lengths to make sure your secrets are safe. Afterall, we keep our secrets here too.[2]

What languages does this work with?

The .env.vault file and its encryption algorithm is language-agnostic so technically it works with any language. We've built convenience libraries for it in a handful of languages and are adding more quickly.

Migrating to Dotenvx

With dotenvx you put your development, staging, ci, and production secrets IN your code - as encrypted .env.* files. So for example, to do production you would

  1. Create .env.production with HELLO=production (or in dotenv-vault's case npx dotenv-vault@latest pull production)
  2. Run dotenvx encrypt -f .env.production to encrypt it
  3. Commit that to code

Then when deploying your codebase you put dotenvx run -- out front of your run command.

  1. Add dotenvx run -- yourstartcommand
  2. Set DOTENV_PRIVATE_KEY_PRODUCTION on the server
  3. On boot dotenvx run will read the private key and use it to decrypt and inject your secrets just in time as environment variables

Here's a quickstart guide

Contributing

See CONTRIBUTING.md

Changelog

See CHANGELOG.md

License

MIT