Skip to content
logo dotsecenv

How-To Guides

Quick solutions for common tasks. Each section is a self-contained guide.

Work with .env Files

Section titled “Work with .env Files”

dotsecenv works seamlessly alongside .env files. Use .env for non-sensitive config and .secenv for secrets.

Section titled “Recommended Setup”
Terminal window
# .env — Non-sensitive configuration
DATABASE_HOST=localhost
DATABASE_PORT=5432
DATABASE_NAME=myapp
LOG_LEVEL=debug


# .secenv — Encrypted secrets from vault
DATABASE_PASSWORD={dotsecenv}
API_KEY={dotsecenv/prod::API_KEY}

Loading Both Files

Section titled “Loading Both Files”

With the shell plugin installed, both files load automatically when you cd into the directory:

  1. .env loads first (plain values)
  2. .secenv loads second (decrypted secrets)

Variables from .secenv can override .env if names match.

Migrate Secrets from .env

Section titled “Migrate Secrets from .env”

Move sensitive values from a plaintext .env to encrypted storage.

  1. Identify sensitive values

    Common sensitive values:

    • Passwords: DATABASE_PASSWORD, ADMIN_PASSWORD
    • API keys: API_KEY, SECRET_KEY, AUTH_TOKEN
    • Connection strings with credentials
    • Private keys or certificates

  2. Store each secret

    Terminal window
    # From .env: DATABASE_PASSWORD=super-secret
    echo "super-secret" | dotsecenv secret put DATABASE_PASSWORD
    

    # From .env: API_KEY=sk-abc123
    echo "sk-abc123" | dotsecenv secret put API_KEY

  3. Create .secenv file

    Terminal window
    cat > .secenv << 'EOF'
    DATABASE_PASSWORD={dotsecenv}
    API_KEY={dotsecenv}
    EOF

  4. Update .env

    Remove the sensitive values:

    Terminal window
    # .env (updated)
    DATABASE_HOST=localhost
    DATABASE_PORT=5432
    # DATABASE_PASSWORD=  ← Removed, now in .secenv

  5. Add .env to .gitignore (if not already)

    Terminal window
    echo ".env" >> .gitignore

  6. Commit .secenv (safe—it contains no secrets)

    Terminal window
    git add .secenv
    git commit -m "Move secrets to dotsecenv"

Create a Secret

Section titled “Create a Secret”

Store a new encrypted secret in your vault.

Section titled “From stdin (recommended)”
Terminal window
echo "my-secret-value" | dotsecenv secret put SECRET_NAME

Interactive input

Section titled “Interactive input”
Terminal window
dotsecenv secret put SECRET_NAME
# Type or paste the value
# Press Ctrl+D when done

From a file

Section titled “From a file”
Terminal window
cat ~/.ssh/private_key | dotsecenv secret put SSH_PRIVATE_KEY

With a namespace

Section titled “With a namespace”
Terminal window
echo "prod-password" | dotsecenv secret put prod::DATABASE_PASSWORD
echo "dev-password" | dotsecenv secret put dev::DATABASE_PASSWORD

To a specific vault

Section titled “To a specific vault”
Terminal window
echo "value" | dotsecenv secret put -v ./project/vault PROJECT_SECRET

Retrieve a Secret

Section titled “Retrieve a Secret”

Get a decrypted secret value.

Basic retrieval

Section titled “Basic retrieval”
Terminal window
dotsecenv secret get DATABASE_PASSWORD
# Output: my-secret-value

As JSON

Section titled “As JSON”
Terminal window
dotsecenv secret get DATABASE_PASSWORD --json
# {"name":"DATABASE_PASSWORD","value":"my-secret-value","available_to":["..."]}

Get all versions

Section titled “Get all versions”
Terminal window
dotsecenv secret get DATABASE_PASSWORD --all
# Lists all historical values

Get latest version only

Section titled “Get latest version only”
Terminal window
dotsecenv secret get DATABASE_PASSWORD --last

From a specific vault

Section titled “From a specific vault”
Terminal window
dotsecenv secret get -v 2 DATABASE_PASSWORD  # Vault index (1-based)
dotsecenv secret get -v ./path/to/vault DATABASE_PASSWORD

Share a Secret

Section titled “Share a Secret”

Give another identity access to decrypt a secret.

  1. Import their GPG public key

    Terminal window
    gpg --import teammate-public.asc

  2. Share the secret

    The secret share command automatically adds the identity to the vault if needed:

    Terminal window
    dotsecenv secret share DATABASE_PASSWORD THEIR_FINGERPRINT

  3. Commit and push

    Terminal window
    git add vault
    git commit -m "Share DATABASE_PASSWORD with teammate"
    git push

Share all secrets at once

Section titled “Share all secrets at once”
Terminal window
dotsecenv secret share "*" THEIR_FINGERPRINT --all

Revoke Access to a Secret

Section titled “Revoke Access to a Secret”

Remove someone’s ability to decrypt future values.

Terminal window
dotsecenv secret revoke DATABASE_PASSWORD THEIR_FINGERPRINT

Revoke from all secrets

Section titled “Revoke from all secrets”
Terminal window
dotsecenv secret revoke "*" THEIR_FINGERPRINT --all

Validate Configuration and Vault

Section titled “Validate Configuration and Vault”

Check for issues with your config and vault files.

Basic validation

Section titled “Basic validation”
Terminal window
dotsecenv validate

Output:

✓ Config file: valid
✓ Vault header: valid
✓ Identity entries: 2 valid
✓ Secret entries: 5 valid
✓ All signatures verified

Auto-fix issues

Section titled “Auto-fix issues”
Terminal window
dotsecenv validate --fix

This can fix:

  • Regenerate corrupted header indexes
  • Remove orphaned entries
  • Update outdated format versions

Validate specific vault

Section titled “Validate specific vault”
Terminal window
dotsecenv validate -v ./project/vault

List All Secrets

Section titled “List All Secrets”

View identities and secrets in your vaults.

Describe vaults

Section titled “Describe vaults”
Terminal window
dotsecenv vault describe

Output:

Vault 1 (~/.config/dotsecenv/vault):
  Identities:
    - Alice <alice@example.com> (E60A1740...)
    - Bob <bob@example.com> (ABC12345...)
  Secrets:
    - DATABASE_PASSWORD
    - API_KEY
    - prod::API_KEY

JSON output

Section titled “JSON output”
Terminal window
dotsecenv vault describe --json

Filter by namespace

Section titled “Filter by namespace”
Terminal window
dotsecenv vault describe | grep "prod::"

Use Multiple Vaults

Section titled “Use Multiple Vaults”

Work with secrets from different vaults.

Configure multiple vaults

Section titled “Configure multiple vaults”
~/.config/dotsecenv/config
vault:
  - name: personal
    path: ~/.config/dotsecenv/vault
  - name: work
    path: ~/work/secrets/vault

Access by name

Section titled “Access by name”
Terminal window
dotsecenv secret get -v personal DATABASE_PASSWORD
dotsecenv secret get -v work CORP_API_KEY

Access by index

Section titled “Access by index”
Terminal window
dotsecenv secret get -v 1 DATABASE_PASSWORD  # personal (1-based)
dotsecenv secret get -v 2 CORP_API_KEY       # work

Set Up Shell Completions

Section titled “Set Up Shell Completions”

Enable tab completion for dotsecenv commands.

Terminal window
# Add to ~/.bashrc
eval "$(dotsecenv completion bash)"


# Or install system-wide
dotsecenv completion bash | sudo tee /etc/bash_completion.d/dotsecenv

Reload your shell to activate:

Terminal window
source ~/.bashrc  # or ~/.zshrc

Export Secrets as Environment Variables

Section titled “Export Secrets as Environment Variables”

Export all secrets for a shell session or script.

Install shell plugins

Section titled “Install shell plugins”
Terminal window
curl -fsSL https://raw.githubusercontent.com/dotsecenv/plugin/main/install.sh | bash

Auto-load secrets

Section titled “Auto-load secrets”
/path/to/directory/.secenv
# the secret(s) will be auto-loaded on cd
cd /path/to/directory


# and your app can use them
./my-app

Export specific secrets

Section titled “Export specific secrets”
Terminal window
export DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD)
export API_KEY=$(dotsecenv secret get API_KEY)

Run Vault Health Checks

Section titled “Run Vault Health Checks”

Run health checks on vaults and the GPG environment, and fix any issues.

Run doctor

Section titled “Run doctor”
Terminal window
dotsecenv vault doctor

Output:

Health checks:
  [✓] gpg-agent is available
  [✓] ~/.config/dotsecenv/vault: format v2 (latest)
  [✓] ~/.config/dotsecenv/vault: 0.0% fragmentation


Status: healthy


All vaults are up to date.

Doctor checks and fixes

Section titled “Doctor checks and fixes”

The doctor command performs these checks:

  • GPG agent availability — verifies gpg-agent is running
  • Vault format version — checks if vaults need upgrading
  • Vault fragmentation — checks if defragmentation is needed

After displaying health check results, doctor offers to fix any issues found (upgrade outdated vaults, defragment fragmented vaults).

JSON output (for CI)

Section titled “JSON output (for CI)”
Terminal window
dotsecenv vault doctor --json

Use with CI/CD

Section titled “Use with CI/CD”

Access secrets in CI/CD pipelines.

GitHub Actions

Section titled “GitHub Actions”
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4


      - name: Install dotsecenv
        run: |
          curl -LO https://get.dotsecenv.com/linux/dotsecenv_latest_Linux_x86_64.tar.gz
          tar -xzf dotsecenv_*.tar.gz
          sudo mv dotsecenv /usr/local/bin/


      - name: Import GPG key
        run: echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import


      - name: Deploy
        run: |
          export DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD)
          ./deploy.sh

GitLab CI

Section titled “GitLab CI”
deploy:
  script:
    - apt-get update && apt-get install -y gpg
    - curl -LO https://get.dotsecenv.com/linux/dotsecenv_latest_Linux_x86_64.tar.gz
    - tar -xzf dotsecenv_*.tar.gz && mv dotsecenv /usr/local/bin/
    - echo "$GPG_PRIVATE_KEY" | gpg --import
    - export API_KEY=$(dotsecenv secret get API_KEY)
    - ./deploy.sh

Troubleshooting Quick Reference

Section titled “Troubleshooting Quick Reference”
ProblemSolution
”Not logged in”dotsecenv login FINGERPRINT
”Secret not found”Check vault: dotsecenv vault describe
”Cannot decrypt”Verify you’re in available_to
”GPG error”Check key: gpg --list-secret-keys
”Config not found”Run: dotsecenv init config
”Vault not found”Run: dotsecenv init vault