```shell
echo "AWS_SECRET_ACCESS_KEY=your-secret-key" > .env
git add --all && git commit -m "..."
git push
# Credentials leaked to the world!
```

In 2024, according to GitHub, 39 million secrets were committed to public repositories. Once exposed, attackers can compromise your infrastructure, sometimes within minutes.
dotsecenv helps

dotsecenv encrypts your secrets at rest using GPG and AES-256-GCM, making them safe to commit alongside your code:

```shell
# Store a secret (encrypted in vault, safe to commit)
echo "your-secret-key" | dotsecenv secret put AWS_SECRET_ACCESS_KEY

# Retrieve when needed (decrypted on-demand)
dotsecenv secret get AWS_SECRET_ACCESS_KEY

# Share with teammates
dotsecenv secret share AWS_SECRET_ACCESS_KEY teammate@company.com

# Decrypt on-demand using the dotsecenv shell plugin
echo 'AWS_SECRET_ACCESS_KEY={dotsecenv}' > .secenv
cd . # loads secrets defined in .secenv
echo "$AWS_SECRET_ACCESS_KEY" # is now set to 'your-secret-key'
```

Open source
Fully open source. Audit the code yourself.
No data collection
No telemetry, no call-home features. Your secrets stay yours.
No centralized keys
Uses existing GPG keys. No cloud services required.
Unix philosophy
Does one thing well. Composable with git, gpg, and your shell.
dotsecenv is a secrets management CLI and shell integration that protects credentials from accidental exposure. It uses hybrid encryption (AES-256-GCM for data, GPG for key exchange) to encrypt secrets in a portable vault file that’s safe to commit to git.
Key capabilities:
Here’s what a typical dotsecenv workflow looks like:

```shell
# 1. Configure dotsecenv
dotsecenv init config
dotsecenv init vault
dotsecenv login [YOUR_PUBLIC_KEY_FINGERPRINT] # see `gpg --list-secret-keys`

# 2. Create your first secret
echo "my-database-password" | dotsecenv secret put DATABASE_PASSWORD

# 3. Retrieve it
dotsecenv secret get DATABASE_PASSWORD
# Output: my-database-password

# 4. Load secrets on demand with built-in shell integration
echo 'DATABASE_PASSWORD={dotsecenv}' > .secenv
cd . # Trigger shell plugin
echo "$DATABASE_PASSWORD"
# Output: my-database-password
```

```shell
# Homebrew (recommended)
brew tap dotsecenv/tap
brew install dotsecenv
```

Or download directly:

```shell
# Apple Silicon (M1/M2/M3)
curl -LO https://get.dotsecenv.com/darwin/dotsecenv_0.4.3_Darwin_arm64.tar.gz

# Intel Mac
curl -LO https://get.dotsecenv.com/darwin/dotsecenv_0.4.3_Darwin_x86_64.tar.gz

# Verify and install
curl -s https://get.dotsecenv.com/darwin/checksums.txt | sha256sum -c --ignore-missing
tar -xzf dotsecenv_*.tar.gz
sudo mv dotsecenv /usr/local/bin/
```

```shell
# 1. Trust the GPG key
curl -fsSL https://get.dotsecenv.com/key.asc | \
  sudo gpg --dearmor -o /etc/apt/keyrings/dotsecenv.gpg

# 2. Add the repository
echo "deb [signed-by=/etc/apt/keyrings/dotsecenv.gpg] \
  https://get.dotsecenv.com/apt/ ./" | \
  sudo tee /etc/apt/sources.list.d/dotsecenv.list

# 3. Install
sudo apt-get update
sudo apt-get install dotsecenv
```

```shell
# 1. Add the repository
cat <<EOF | sudo tee /etc/yum.repos.d/dotsecenv.repo
[dotsecenv]
name=DotSecEnv Repository
baseurl=https://get.dotsecenv.com/yum/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://get.dotsecenv.com/key.asc
EOF

# 2. Install
sudo dnf install dotsecenv
```

```shell
# 1. Add to pacman.conf
cat <<'EOF' | sudo tee -a /etc/pacman.conf
[dotsecenv]
Server = https://get.dotsecenv.com/arch/$arch
SigLevel = Required DatabaseOptional
EOF

# 2. Trust the key
curl -fsSL https://get.dotsecenv.com/key.asc | sudo pacman-key --add -
sudo pacman-key --lsign-key E60A1740BAEF49284D22EA7D3C376348F0921C59

# 3. Install
sudo pacman -Sy dotsecenv
```

```shell
# Linux x86_64
curl -LO https://get.dotsecenv.com/linux/dotsecenv_0.4.3_Linux_x86_64.tar.gz

# Linux ARM64
curl -LO https://get.dotsecenv.com/linux/dotsecenv_0.4.3_Linux_arm64.tar.gz

# Verify and install
curl -s https://get.dotsecenv.com/linux/checksums.txt | sha256sum -c --ignore-missing
tar -xzf dotsecenv_*.tar.gz
sudo mv dotsecenv /usr/local/bin/
```

```shell
mise use github:dotsecenv/dotsecenv
```

mise is a universal version manager.
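
The "Verify and install" steps above pipe `checksums.txt` into `sha256sum -c --ignore-missing` and then extract `dotsecenv_*.tar.gz`. The following is an added example, not dotsecenv project code: it checks one named archive and fails closed when the manifest has no entry for it. `verify_release` and `sha256_of` are hypothetical helper names, and the manifest is assumed to be in standard `sha256sum` format.

```shell
# Added example, not dotsecenv project code: fail-closed SHA-256 check for one
# named release archive. Assumes checksums.txt is in standard sha256sum format:
# "<64 hex digits>  <filename>" (or "*<filename>" for binary mode).

# sha256_of FILE: print the hex digest of FILE (hypothetical helper).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # e.g. macOS without coreutils
    fi
}

# verify_release ARCHIVE CHECKSUMS (hypothetical helper)
# 0 = exactly one manifest entry for ARCHIVE's basename and the digest matches
# 1 = digest mismatch
# 2 = archive or manifest missing/empty, or no unique entry for this file
verify_release() {
    archive=$1
    sums=$2
    [ -f "$archive" ] && [ -s "$sums" ] || return 2
    name=$(basename "$archive")

    # Exact filename comparison on field 2; no prefix or glob matching.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1) }
    ' "$sums")

    # Zero or several entries: the manifest does not vouch for this file.
    [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 2

    [ "$(sha256_of "$archive")" = "$expected" ] || return 1
    return 0
}

# Usage with the file names from this page, after both downloads complete:
#   curl -fsSLO https://get.dotsecenv.com/linux/checksums.txt
#   verify_release dotsecenv_0.4.3_Linux_x86_64.tar.gz checksums.txt &&
#       tar -xzf dotsecenv_0.4.3_Linux_x86_64.tar.gz
```

A checksum fetched from the same host as the archive detects a corrupted or truncated download, not a compromised download host.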
| Feature | Description |
|---|---|
| Encrypted at Rest | All secrets encrypted using AES-256-GCM (RFC 9580) |
| Portable Vault | Vault files are safe to commit to git and share between machines |
| Multi-User Support | Share secrets with teammates using GPG multi-recipient encryption |
| Shell Integration | Automatically load secrets when entering directories via .secenv files |
| Append-Only Audit Trail | Cryptographic history preserved for compliance and security audits |
| SLSA Build Level 3 | Release binaries include verified provenance attestations |