First Secret

Store an encrypted secret in your vault and configure a shell plugin to automatically load it when you enter a project directory.

  1. Verify your setup

    Make sure you’re logged in:

    Terminal window
    dotsecenv vault describe

    You should see your identity listed. If not, complete the Getting Started guide first.

  2. Store a secret

    Let’s store a database password:

    Terminal window
    echo "super-secret-db-password" | dotsecenv secret put DATABASE_PASSWORD

    Verify it was stored:

    Terminal window
    dotsecenv secret get DATABASE_PASSWORD
    # Output: super-secret-db-password

  3. Store a namespaced secret

    Use namespaces to organize secrets by environment:

    Terminal window
    echo "prod-password" | dotsecenv secret put prod::DATABASE_PASSWORD
    echo "staging-password" | dotsecenv secret put staging::DATABASE_PASSWORD

    List all secrets:

    Terminal window
    dotsecenv vault describe

  4. Install the shell plugin

    Add to ~/.bashrc:

    Terminal window
    # dotsecenv shell plugin
    eval "$(dotsecenv completion bash)"
    # Auto-load .secenv files
    _dotsecenv_hook() {
      if [[ -f .secenv ]]; then
        eval "$(dotsecenv env load)"
      fi
    }
    if ! [[ "${PROMPT_COMMAND:-}" =~ _dotsecenv_hook ]]; then
      PROMPT_COMMAND="_dotsecenv_hook${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
    fi

    Reload your shell:

    Terminal window
    source ~/.bashrc # or ~/.zshrc

  5. Create a .secenv file

    In your project directory, create a .secenv file:

    Terminal window
    cd ~/my-project
    cat > .secenv << 'EOF'
    # Secrets loaded from dotsecenv vault
    DATABASE_PASSWORD={dotsecenv}
    API_KEY={dotsecenv/prod::API_KEY}
    EOF

    The syntax is:

    • VAR={dotsecenv} — Load secret with same name as variable
    • VAR={dotsecenv/SECRET_NAME} — Load specific secret into variable
    • VAR={dotsecenv/namespace::SECRET_NAME} — Load namespaced secret

  6. Test automatic loading

    Leave and re-enter the directory:

    Terminal window
    cd ~
    cd ~/my-project
    # You may see a prompt: "Load secrets? [y]es / [n]o / [a]lways"
    # Type 'y' or 'a'
    echo "$DATABASE_PASSWORD"
    # Output: super-secret-db-password

  • Secrets are stored encrypted in your vault
  • When you cd into a directory with .secenv, secrets auto-load
  • When you leave the directory, secrets are unloaded (environment cleared)

Terminal window
cd ~/my-project
echo "$DATABASE_PASSWORD"
# super-secret-db-password
cd ~
echo "$DATABASE_PASSWORD"
# (empty)

You can use both .env and .secenv together:

Terminal window
# .env - Non-sensitive configuration
DATABASE_HOST=localhost
DATABASE_PORT=5432
DATABASE_NAME=myapp
# .secenv - Sensitive secrets
DATABASE_PASSWORD={dotsecenv}

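For sensitive secrets, avoid putting the value on the command line (as in echo "..." | dotsecenv secret put), because the whole command is saved in your shell history. Run the command without piped input and enter the value interactively:

Terminal window
dotsecenv secret put API_KEY
# Type or paste your secret, then Ctrl+D

To store the contents of a file, pipe the file itself, so the value never appears on the command line:

Terminal window
cat ~/.ssh/private_key | dotsecenv secret put SSH_PRIVATE_KEY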

Store secrets in a project-specific vault:

Terminal window
dotsecenv init vault -v ./secrets/vault
echo "local-secret" | dotsecenv secret put -v ./secrets/vault LOCAL_SECRET

Secret not loading?

  1. Check the .secenv syntax
  2. Ensure the secret exists: dotsecenv vault describe
  3. Verify you’re logged in: dotsecenv vault describe should show your identity
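
One way to carry out step 1, as an added example rather than dotsecenv's own code: a POSIX shell linter that accepts only the three reference forms listed under the .secenv syntax and reports every other line by variable name, so a plaintext value left in the file is never echoed. It assumes names are shell-style identifiers; secenv_lint and the sample file are constructed for illustration.

```shell
# Added example (not part of dotsecenv): lint a .secenv file against the three
# documented forms. Assumption: names are identifiers [A-Za-z_][A-Za-z0-9_]*.
secenv_lint() {
    file=$1
    name='[A-Za-z_][A-Za-z0-9_]*'
    # VAR={dotsecenv} | VAR={dotsecenv/SECRET} | VAR={dotsecenv/ns::SECRET}
    ref="^${name}=\{dotsecenv(/(${name}::)?${name})?\}\$"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '' | '#'*) continue ;;   # blank line or comment
        esac
        if printf '%s\n' "$line" | grep -Eq "$ref"; then
            continue
        fi
        bad=$((bad + 1))
        case $line in
            *=*'{dotsecenv'*) who=${line%%=*} why='malformed vault reference' ;;
            *=*) who=${line%%=*} why='literal value instead of a vault reference' ;;
            *)   who='(no variable name)' why='not a VAR=... line' ;;
        esac
        # Report the variable name only: the value may be a real secret.
        printf '%s:%d: %s: %s\n' "$file" "$n" "$who" "$why"
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed sample: lines 2-3 are valid, line 4 uses ':' instead of '::',
# line 5 holds a plaintext value.
sample=$(mktemp)
cat > "$sample" << 'EOF'
# Secrets loaded from dotsecenv vault
DATABASE_PASSWORD={dotsecenv}
API_KEY={dotsecenv/prod::API_KEY}
STAGING_DB={dotsecenv/staging:DATABASE_PASSWORD}
SMTP_PASSWORD=hunter2
EOF
secenv_lint "$sample" || echo "fix the lines listed above before loading"
rm -f "$sample"
```

The function returns non-zero when any line fails, so it can also gate a pre-commit hook that keeps literal values out of a committed .secenv.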

Wrong secret value?

Secrets are versioned. Get the latest:

Terminal window
dotsecenv secret get --last DATABASE_PASSWORD