dotenv-vault is a cli to sync .env files across machines, environments, and team members.
[!NOTE] dotenv-vault is a paid only cloud service for syncing your .env files (as of May 2025).
Looking for a free cloud-less alternative? See my new product dotenvx – that lets you: - encrypt your .env files - commit them to code - and securely sync them over git
It works with a single command. Run npx dotenv-vault@latest push.
npx dotenv-vault@latest push
remote: Securely pushing (.env)... done
remote: Securely pushed development (.env)
remote: Securely built vault (.env.vault)
That's it. You securely synced your .env file. Next, tell your teammate to run npx dotenv-vault@latest pull
npx dotenv-vault@latest pull
Nice!
See further usage and commands.
Don't want to use npx? Install a number of other ways.
Install via Homebrew
$ brew install dotenv-org/brew/dotenv-vault
$ dotenv-vault help
Install on Windows
Install and run commands via Docker
$ docker run -w $(pwd) -v $(pwd):$(pwd) -it dotenv/dotenv-vault help
When you make a change to your .env file, push it up.
$ npx dotenv-vault@latest push
Commit your .env.vault file safely to code.
$ git add .env.vault
$ git commit -am "Add .env.vault"
$ git push
Now your teammate can pull the latest .env changes.
$ git pull
$ npx dotenv-vault@latest pull
That's it!
Stop scattering your production secrets across multiple third-parties and tools. Instead, use an encrypted .env.vault file.
Generate your encrypted .env.vault file.
$ npx dotenv-vault@latest build
Fetch your production DOTENV_KEY.
$ npx dotenv-vault@latest keys production
remote: Listing .env.vault decryption keys... done
dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production
Set DOTENV_KEY on your server.
# heroku example
heroku config:set DOTENV_KEY=dotenv://:key_1234…@dotenv.org/vault/.env.vault?environment=production
Commit your .env.vault file safely to code and deploy.
$ git add .env.vault
$ git commit -am "Update .env.vault"
$ git push
$ git push heroku main # heroku example
That's it! On deploy, your .env.vault file will be decrypted and its secrets injected as environment variables – just in time.
After you've pushed your .env file, dotenv-vault automatically sets up multiple environments. Manage multiple environments with the included UI. learn more
$ npx dotenv-vault@latest open production
That's it! Manage your ci, staging, and production secrets from there.
Would you also like to pull your production .env to your machine? Run the command:
$ npx dotenv-vault@latest pull production
$ npx dotenv-vault@latest help
newCreate your project at Dotenv Vault.
Example:
$ npx dotenv-vault@latest new
[DOTENV_VAULT]
Set .env.vault identifier. Defaults to generated value.
$ npx dotenv-vault@latest new vlt_6beaae5…
local: Adding .env.vault (DOTENV_VAULT)... done
local: Added to .env.vault (DOTENV_VAULT=vlt_6beaa...)
-y, --yes
Automatic yes to prompts. Assume yes to all prompts and run non-interactively.
loginLog in to
$ claude mcp add dotenv-vault \
-- python -m otcore.mcp_server <graph>