First Secret

Tip

New to dotsecenv? The Getting Started guide is the fastest path to an auto-loading secret. This tutorial covers the underlying CLI flow, including namespaces.

Runnable example

A self-contained, copy-paste-able version of this flow ships in the CLI repo at examples/01-quickstart/. Run ./run.sh for an isolated, ephemeral end-to-end pass.

Goal

Create a vault, log in with your GPG key, store an encrypted secret, and read it back. By the end you will have a working vault and know the core secret store / secret get commands.

Prerequisites

• dotsecenv installed (Installation)
• A GPG key available (run dotsecenv identity create if you need one)

Steps

1. Initialize the config

   The config records where your vault lives and which identity you log in as:

   dotsecenv init config

   To point at a specific vault path, pass -v:

   dotsecenv init config -v ./vault

2. Initialize the vault

   Create the encrypted vault file:

   dotsecenv init vault

3. Log in

   Record a signed login proof in the config. Always log in by fingerprint:

   dotsecenv login <FINGERPRINT>

   To find your fingerprint:

   gpg --list-keys --with-colons you@example.com | awk -F: '/^fpr:/ { print $10; exit }'

4. Store a secret

   Store a database password. Values are read from stdin, the only way to write to a vault:

   echo "super-secret-db-password" | dotsecenv secret store DATABASE_PASSWORD

   Tip

   Reading from stdin keeps the secret out of your shell history.

5. Read it back

   dotsecenv secret get DATABASE_PASSWORD
   # Output: super-secret-db-password

   Run secret get with no name to list keys (never values):

   dotsecenv secret get

6. Store a namespaced secret

   Use namespaces to organize secrets by environment. The namespace lowercases and the key uppercases on store:

   echo "prod-password" | dotsecenv secret store prod::DATABASE_PASSWORD
   echo "staging-password" | dotsecenv secret store staging::DATABASE_PASSWORD

7. Inspect and validate

   vault describe shows identities and secret keys:

   dotsecenv vault describe

   validate runs a structural sanity check on the vault and config:

   dotsecenv validate

Expected Result

• A vault file holding your secrets, encrypted at rest with your GPG key
• dotsecenv secret get DATABASE_PASSWORD returns the value
• dotsecenv vault describe lists your identity and the secret keys, including the namespaced ones
• dotsecenv validate exits cleanly

Auto-loading into your shell

To export these secrets automatically when you cd into a project, add a .secenv file and install the shell plugin. That flow lives in Reloading Secrets and Getting Started; a minimal .secenv looks like:

DATABASE_PASSWORD={dotsecenv}

Variations

Interactive secret input

For sensitive secrets, avoid piping to prevent history leaks:

dotsecenv secret store API_KEY
# Type or paste your secret, then Ctrl+D

Reading from files

dotsecenv secret store SSH_PRIVATE_KEY < ~/.ssh/private_key

Multiple vaults

Store secrets in a project-specific vault:

dotsecenv init vault -v ./secrets/vault
echo "local-secret" | dotsecenv secret store -v ./secrets/vault LOCAL_SECRET

Caution

Add project vaults to your .gitignore if they hold secrets that should not be shared:

.gitignore

secrets/vault

Or commit them to share encrypted secrets with your team (more secure).

---

Troubleshooting

secret get fails to decrypt?

Your GPG fingerprint must be a recipient. Confirm you logged in with the right key:

dotsecenv vault describe

Wrong secret value?

Secrets are versioned. Get the latest:

dotsecenv secret get --last DATABASE_PASSWORD

---

Next Steps

• Reloading Secrets: auto-load secrets into your shell with .secenv
• Share a Secret: share secrets with teammates
• Revoke Access: remove someone’s access to secrets