Skip to content
logo dotsecenv
Blog

Migrate from .env

Goal

Section titled “Goal”

Take an existing .env file, move the sensitive values into your dotsecenv vault, and set up .secenv so everything still loads automatically.

Prerequisites

Section titled “Prerequisites”

Steps

Section titled “Steps”

  1. Start with your .env file

    A typical project .env looks like this:

    .env
    DATABASE_HOST=localhost
    DATABASE_PORT=5432
    DATABASE_NAME=myapp
    DATABASE_PASSWORD=super-secret-password
    API_KEY=sk-live-abc123xyz

    Three of these are non-sensitive configuration. Two are secrets you would not want in a public repo.

  2. Identify the secrets

    Ask yourself: would I panic if this value appeared on a public GitHub repo? If yes, it belongs in the vault.

    In this example: DATABASE_PASSWORD and API_KEY.

  3. Store the secrets in your vault

    Terminal window
    echo "super-secret-password" | dotsecenv secret store DATABASE_PASSWORD
    echo "sk-live-abc123xyz" | dotsecenv secret store API_KEY

  4. Create a .secenv file

    Terminal window
    cat > .secenv << 'EOF'
    DATABASE_PASSWORD={dotsecenv}
    API_KEY={dotsecenv}
    EOF

    The {dotsecenv} syntax tells the shell plugin to fetch the secret with the same name as the variable.

  5. Remove the secrets from .env

    Your .env now contains only non-sensitive values:

    .env
    DATABASE_HOST=localhost
    DATABASE_PORT=5432
    DATABASE_NAME=myapp

  6. Verify everything loads

    Terminal window
    cd ~
    cd ~/my-project
    # dotsecenv: loaded 2 secret(s) from .secenv: DATABASE_PASSWORD, API_KEY
    

    echo $DATABASE_HOST
    # Output: localhost
    

    echo $DATABASE_PASSWORD
    # Output: super-secret-password
    

    echo $API_KEY
    # Output: sk-live-abc123xyz

    All five variables are available. Only three are on disk in plaintext.

  7. Update version control

    Terminal window
    echo ".env" >> .gitignore
    git add .secenv .gitignore
    git commit -m "chore: move secrets to dotsecenv vault"

Expected result

Section titled “Expected result”
VariableSourceOn disk in plaintext?
DATABASE_HOST.envYes
DATABASE_PORT.envYes
DATABASE_NAME.envYes
DATABASE_PASSWORDvault via .secenvNo
API_KEYvault via .secenvNo

Next steps

Section titled “Next steps”