.env.vault.local
在你的项目根目录创建一个 .env.vault.local 文件:
Often, this file contains the DOTENV_KEY for the specific local environment. This key acts as the "handshake" that allows the application to unlock the encrypted .env.vault and load the variables into memory. Security and Best Practices
:
你会得到一个 .env.vault 文件,其中包含开发和生产环境的加密内容。同时还会生成一个 .env.keys 文件,存储解密密钥。 .env.vault.local
If an attacker gains access to your repository and steals the .env.vault file, they cannot read the secrets within it. They would need the corresponding decryption key (usually stored in a separate .env.keys file) to unlock the secrets 1.2.4 . Why Use .env.vault.local ?
Manual sync is slow. Secrets rotate, causing drift. Production keys end up scattered on laptops.
This setup provides a "dual-key" security model. An attacker needs both the encrypted vault file and the decryption key to see any secrets. Best Practices 在你的项目根目录创建一个
While powerful, is not a silver bullet. Be aware of these limitations:
运行构建命令:
What (Node.js, Python, Next.js, etc.) are you pairing with Dotenv Vault? They would need the corresponding decryption key (usually
// index.js require('dotenv-vault').config(); console.log(process.env.DB_PASSWORD); // Works securely Use code with caution. .env.vault vs. .env.local It is crucial to distinguish between these two: .env.local .env.vault Git Safety Must be ignored (.gitignore) Safe to commit Sharing Hard (manual sharing) Easy (via commit) Security
Because .env.vault.local is ignored by Git, other developers won't know it exists on your machine. If a specific local variable is required for a new tool or docker container to function, document it in the project’s README.md or a .env.example file so teammates can replicate the setup on their own machines. Troubleshooting Common Issues Issue: Changes in .env.vault.local are not taking effect.
开发者 A(使用本地 PostgreSQL):
# .env.keys(不要提交到版本控制!) DOTENV_KEY_DEVELOPMENT="dotenv://:key_f4516b0077d9...@dotenv.local/vault/.env.vault?environment=development" DOTENV_KEY_PRODUCTION="dotenv://:key_18a137f844e3...@dotenv.local/vault/.env.vault?environment=production"