Installation
Install dotsecenv on your system and verify it’s working correctly.
-
Choose your installation method
Homebrew is the recommended method for macOS:
Terminal window brew tap dotsecenv/tapbrew install dotsecenvThis automatically installs shell completions.
Download the binary directly:
Terminal window # Apple Silicon (M1/M2/M3)curl -LO https://get.dotsecenv.com/darwin/dotsecenv_0.4.6_Darwin_arm64.tar.gz# Intel Maccurl -LO https://get.dotsecenv.com/darwin/dotsecenv_0.4.6_Darwin_x86_64.tar.gz# Verify and installcurl -s https://get.dotsecenv.com/darwin/checksums.txt | sha256sum -c --ignore-missingtar -xzf dotsecenv_*.tar.gzsudo mv dotsecenv /usr/local/bin/Add the apt repository:
Terminal window # Trust the GPG keycurl -fsSL https://get.dotsecenv.com/key.asc | \sudo gpg --dearmor -o /etc/apt/keyrings/dotsecenv.gpg# Add the repositoryecho "deb [signed-by=/etc/apt/keyrings/dotsecenv.gpg] \https://get.dotsecenv.com/apt/ ./" | \sudo tee /etc/apt/sources.list.d/dotsecenv.list# Installsudo apt-get updatesudo apt-get install dotsecenvAdd the yum repository:
Terminal window cat <<EOF | sudo tee /etc/yum.repos.d/dotsecenv.repo[dotsecenv]name=DotSecEnv Repositorybaseurl=https://get.dotsecenv.com/yum/enabled=1gpgcheck=1repo_gpgcheck=1gpgkey=https://get.dotsecenv.com/key.ascEOFsudo dnf install dotsecenvAdd to pacman:
Terminal window # Add to pacman.confcat <<'EOF' | sudo tee -a /etc/pacman.conf[dotsecenv]Server = https://get.dotsecenv.com/arch/$archSigLevel = Required DatabaseOptionalEOF# Trust the keycurl -fsSL https://get.dotsecenv.com/key.asc | sudo pacman-key --add -sudo pacman-key --lsign-key E60A1740BAEF49284D22EA7D3C376348F0921C59# Installsudo pacman -Sy dotsecenvIf you use mise:
Terminal window mise use github:dotsecenv/dotsecenvDownload the
.zipfor your architecture from the Releases page:dotsecenv_vX.X.X_Windows_x86_64.zipfor 64-bit Intel/AMDdotsecenv_vX.X.X_Windows_arm64.zipfor ARM64
Extract and add the binary location to your PATH.
GPG Requirement: Install Gpg4win for GPG support. When you run
dotsecenv init config, it will detect GPG automatically and set the path. You can also manually configure it in your config file:gpg:program: "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe"Build from source (requires Go 1.25+):
Terminal window git clone https://github.com/dotsecenv/dotsecenv.gitcd dotsecenvmake buildsudo mv bin/dotsecenv /usr/local/bin/ -
Verify the installation
Terminal window dotsecenv versionYou should see output like:
version: v0.4.6commit: abc1234build at: 2025-01-15T10:30:00Zgo version: go1.24.0crypto: GOFIPS140=v1.0.0 (FIPS 140-3 mode enabled) -
Install shell completions (if not automatic)
Terminal window # System-widedotsecenv completion bash | sudo tee /etc/bash_completion.d/dotsecenv# Or user-level (add to ~/.bashrc)eval "$(dotsecenv completion bash)"Terminal window # Add to ~/.zshrceval "$(dotsecenv completion zsh)"Terminal window # Add to ~/.config/fish/config.fishdotsecenv completion fish | sourceTerminal window # Add to your PowerShell profile ($PROFILE)dotsecenv completion powershell | Out-String | Invoke-Expression
Expected Result
Section titled “Expected Result”After installation, you should be able to:
# Check versiondotsecenv version
# See available commandsdotsecenv --help
# Tab-complete commands (after shell restart)dotsecenv <TAB>Variations
Section titled “Variations”Installing a Specific Version
Section titled “Installing a Specific Version”Download a specific version from GitHub releases:
VERSION="0.4.6"curl -LO "https://github.com/dotsecenv/dotsecenv/releases/download/v${VERSION}/dotsecenv_${VERSION}_Linux_x86_64.tar.gz"Verifying Package Signatures
Section titled “Verifying Package Signatures”All packages are signed with the dotsecenv release key:
pub rsa4096 2025-12-19 [SC] [expires: 2027-12-19] E60A1740BAEF49284D22EA7D3C376348F0921C59uid DotSecEnv Releases <release@dotsecenv.com>Verify the key from multiple sources:
# OpenPGP Keyservergpg --keyserver keys.openpgp.org --recv-keys E60A1740BAEF49284D22EA7D3C376348F0921C59
# Keybasecurl https://keybase.io/dotsecenv/pgp_keys.asc | gpg --importVerifying macOS Notarization
Section titled “Verifying macOS Notarization”All macOS binaries are code-signed with an Apple Developer ID certificate and notarized by Apple. This ensures Gatekeeper allows the binary to run without security warnings.
Verify code signature:
codesign --verify --verbose /usr/local/bin/dotsecenv# Expected: valid on diskVerify notarization status:
spctl --assess --verbose /usr/local/bin/dotsecenv# Expected: accepted# source=Notarized Developer IDView signature details:
codesign -dv --verbose=4 /usr/local/bin/dotsecenvUninstalling
Section titled “Uninstalling”brew uninstall dotsecenvbrew untap dotsecenv/tapsudo apt-get remove dotsecenvsudo rm /etc/apt/sources.list.d/dotsecenv.listsudo rm /usr/local/bin/dotsecenvNext Steps
Section titled “Next Steps”- First Secret — Store and use your first secret
- Getting Started — Complete initial setup