
dotsecenv

Stop leaking secrets. Encrypt them at rest, commit them safely, share them with your team.

On March 19, 2026, attackers compromised Aqua Security’s Trivy vulnerability scanner in a supply chain attack (CVE-2026-33634). The malicious code swept 50+ filesystem locations on CI/CD runners, harvesting SSH keys, AWS/GCP/Azure credentials, .env files, database passwords, Docker configs, and Kubernetes tokens, then dumped process memory for good measure. Stolen credentials were used to compromise dozens of npm packages downstream.

This wasn’t an isolated incident. In August 2024, Palo Alto’s Unit 42 documented an extortion campaign that found exposed .env files on 110,000+ domains and stole 90,000+ environment variables. GitHub’s own data shows 39 million secrets were committed to public repositories in 2024 alone.

And even without a supply chain attack, plaintext secrets are one mistake away from exposure:

echo "AWS_SECRET_ACCESS_KEY=AKIA..." >> .env
git add . && git commit -m "update config"
git push
# Credentials accidentally pushed to a public repo.

.gitignore helps with accidental commits, but it can’t protect you from malware that reads plaintext files off disk. And it means your secrets can’t travel with your code, so you end up sharing them over Slack, sticky notes, or shared drives, none of which are encrypted or auditable.

dotsecenv takes a different approach: secrets are encrypted at rest using GPG and AES-256-GCM and stored in a vault file that is safe to keep on disk and even safe to commit to git. Even if an attacker reads your vault file from a repo, a CI runner, or a compromised dependency, they get ciphertext, not credentials. No cloud service, no proprietary key management, just your existing GPG keys.


The quickest way to get started is the install script. This single command installs the dotsecenv binary, shell plugins, completions, and the Terraform credentials helper:

curl -fsSL https://get.dotsecenv.com/install.sh | bash

Other installation methods (Homebrew):

brew tap dotsecenv/tap
brew install dotsecenv

See the Installation Guide for full details, including verification and platform-specific notes.


Once installed, you’re three commands away from your first encrypted secret.

  1. Initialize dotsecenv

    This creates your config file and vault, then links your GPG key:

    dotsecenv init config
    dotsecenv init vault
    dotsecenv login # select your GPG key interactively
  2. Store a secret

    Pipe any value into dotsecenv secret store:

    echo "my-database-password" | dotsecenv secret store DATABASE_PASSWORD

    The value is encrypted with AES-256-GCM and stored in your vault. The vault file is safe to commit.

  3. Retrieve it

    dotsecenv secret get DATABASE_PASSWORD
    # Output: my-database-password

That’s it! Your secret is encrypted at rest and can travel safely in version control.


Now that you have dotsecenv running, here’s what you can do with it.


dotsecenv uses hybrid encryption: secrets are encrypted with AES-256-GCM (fast, symmetric), and the encryption key is wrapped with your GPG key (asymmetric). This means:

  • Only you (and anyone you explicitly share with) can decrypt your secrets
  • No cloud service is involved; your GPG keyring is the only trust anchor
  • The vault is append-only; every operation is cryptographically signed, giving you a built-in audit trail
  • Safe to commit: the vault file is just encrypted JSONL, so it can be pushed to any git remote
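
To make the hybrid scheme concrete, here is an added Go example (not dotsecenv's own code) that encrypts one secret under a fresh AES-256-GCM data key and wraps that key with RSA-OAEP as a stand-in for the GPG public-key wrap; the JSONL record shape and its field names are constructed for illustration, not dotsecenv's real vault schema.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// Record is one append-only vault line (constructed shape): the data key wrapped to
// the recipient's public key, the GCM nonce, and the ciphertext with its auth tag.
type Record struct{ Name, WrappedKey, Nonce, Ciphertext string }

var b64 = base64.StdEncoding

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Store encrypts value with a fresh 256-bit data key, wraps that key with RSA-OAEP
// (standing in for the GPG wrap), and returns one JSON line to append to the vault.
func Store(name, value string, pub *rsa.PublicKey) (string, error) {
	buf := make([]byte, 44) // 32-byte data key + 12-byte nonce, fresh per record
	if _, err := rand.Read(buf); err != nil { return "", err }
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil { return "", err }
	// The secret name is bound as associated data, so a record cannot be relabelled.
	ct := gcm.Seal(nil, nonce, []byte(value), []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil { return "", err }
	line, err := json.Marshal(Record{name, b64.EncodeToString(wrapped), b64.EncodeToString(nonce), b64.EncodeToString(ct)})
	return string(line), err
}

// Get unwraps the data key with the private key and opens the ciphertext; a tampered
// or relabelled record, or the wrong key, fails authentication instead of decrypting.
func Get(line string, priv *rsa.PrivateKey) (string, error) {
	var r Record
	if err := json.Unmarshal([]byte(line), &r); err != nil { return "", err }
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b }
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, dec(r.WrappedKey), nil)
	if err != nil { return "", err }
	gcm, err := newGCM(dek)
	if err != nil { return "", err }
	pt, err := gcm.Open(nil, dec(r.Nonce), dec(r.Ciphertext), []byte(r.Name))
	return string(pt), err
}
```

The emitted line contains no plaintext and no raw data key, which is what makes it safe to commit; sharing with a teammate would mean wrapping the same data key to their public key as well.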

Open source

Fully open source. Audit the code yourself.

No data collection

No telemetry, no call-home. Tested with network disabled as proof.

No centralized keys

Uses your existing GPG keys. No cloud services required.

Unix philosophy

Does one thing well. Composable with git, gpg, and your shell.