Team Onboarding
As a new team member, get set up so you can decrypt the project’s shared secrets.
Prerequisites
- dotsecenv installed (steps 1-2)
- A GPG key (run dotsecenv identity create if you do not have one)
- Export your public key

      gpg --armor --export you@example.com > my-key.asc

  Send my-key.asc to your team lead. This file contains only your public key and is safe to share.

- Wait for the team lead to share secrets with you

  The team lead will:
  - Import your public key: gpg --import my-key.asc
  - Add your identity to the vault: dotsecenv identity add YOUR_FINGERPRINT --all
  - Share secrets with you: dotsecenv secret share DATABASE_PASSWORD YOUR_FINGERPRINT
  - Push the updated vault to the repo

  They will tell you when this is done.

- Pull the updated vault

      cd ~/project
      git pull

- Initialize dotsecenv and log in

      dotsecenv init config
      dotsecenv login
      # Select your GPG key when prompted

- Verify you can decrypt secrets

      dotsecenv secret get DATABASE_PASSWORD
      # Output: super-secret-password

  If this works, you have access.

- Enter the project directory

  If the project has a .secenv file, secrets load automatically:

      cd ~/project
      # dotsecenv: found .secenv in /home/you/project
      # Load secrets? [y]es / [n]o / [a]lways: a
      # dotsecenv: loaded 3 secret(s) from .secenv: DATABASE_PASSWORD, API_KEY, JWT_SECRET
      echo $DATABASE_PASSWORD
      # Output: super-secret-password
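
The team lead imports my-key.asc and adds YOUR_FINGERPRINT to the vault, so it helps to confirm that the file really carries the fingerprint the new member reports over a separate channel. The script below is an added example, not part of dotsecenv or of this guide's own commands; the function names and the sample listing are constructed for illustration, and it assumes a GnuPG version that supports --show-keys.

```shell
#!/bin/sh
# Added example, not part of dotsecenv. Function names are hypothetical.

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE='pub:-:255:22:1111222233334444:1700000000:::-:::scESC::::ed25519:::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1700000000::::New Member <you@example.com>::::::::::0:
sub:-:255:18:5555666677778888:1700000000::::::e::::cv25519::
fpr:::::::::9999000099990000999900005555666677778888:'

# Normalize a fingerprint as people type it: drop whitespace, uppercase hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print primary-key fingerprints from a colon listing on stdin. Only the first
# fpr record after each pub record counts; later ones belong to subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_key EXPECTED_FPR < colon-listing
# 0: exactly one primary key and it matches; 1: mismatch; 2: wrong key count.
check_key() {
    expected=$(norm_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "refusing: file holds $count primary keys, expected 1" >&2
        return 2
    fi
    if [ "$found" != "$expected" ]; then
        echo "MISMATCH: file contains $found" >&2
        return 1
    fi
    echo "OK: $found"
}

# Usage: sh verify-key.sh my-key.asc "FINGERPRINT FROM A SEPARATE CHANNEL"
if [ "$#" -eq 2 ]; then
    # --show-keys lists the keys in the file without touching the keyring.
    gpg --show-keys --with-colons "$1" | check_key "$2" && gpg --import "$1"
else
    # No arguments: run the check on the constructed sample.
    printf '%s\n' "$SAMPLE" |
        check_key "aaaa bbbb cccc dddd eeee ffff 1111 2222 3333 4444"
fi
```

The import only runs when the file holds exactly one primary key and its fingerprint matches; a file that bundles extra keys is refused rather than partially imported.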
Troubleshooting
“secret not found” or “access denied”
The team lead may not have shared all secrets yet. Run dotsecenv secret get (with no arguments) to list the secrets you can access.
“identity not found”
The team lead has not added your identity to the vault. Send them your fingerprint:
    gpg --list-keys --keyid-format long you@example.com

Next steps
- Reloading Secrets — keep your shell in sync when secrets rotate
- Revoke Access — what happens when someone leaves the team