Encrypt your .env files. Commit them safely. Share with your team.
dotlock encrypts .env files into a single .dotlock vault file using a shared passphrase. Fully offline!
```sh
curl -fsSL https://raw.githubusercontent.com/mrprincerawat/dotlock/main/install.sh | sh

# Homebrew
brew install mrprincerawat/tap/dotlock

# Go
go install github.com/mrprincerawat/dotlock@latest
```

Or download binaries from Releases.
```sh
# 1. Initialize (encrypts all .env files)
dotlock init

# 2. Commit the vault
git add .dotlock .env.example .dotlock.readme
git commit -m "add encrypted env files"

# 3. On another machine, unlock
dotlock unlock
```

| Command | Description |
|---|---|
| `dotlock init` | Detect .env files, encrypt them, set up git protection |
| `dotlock lock [env]` | Encrypt .env files into the vault |
| `dotlock unlock [env]` | Decrypt environments from the vault |
| `dotlock diff [env1] [env2]` | Compare environments |
| `dotlock ls` | List environments in the vault |
| `dotlock doctor` | Diagnose setup health |
| `dotlock scan` | Scan codebase for hardcoded secrets |
- Encryption: Passphrase → Argon2id → AES-256-GCM
- Storage: All environments stored in a single `.dotlock` JSON file
- Key caching: Derived key cached in `~/.dotlock/keys/` after first use
- Git protection: `.gitignore` + `.git/info/exclude` + pre-commit hook
- Auto-lock: Pre-commit hook automatically re-locks on commit
Set the DOTLOCK_PASSPHRASE environment variable:
```yaml
# GitHub Actions
env:
  DOTLOCK_PASSPHRASE: ${{ secrets.DOTLOCK_PASSPHRASE }}
steps:
  - run: dotlock unlock
```

- Argon2id key derivation (time=1, memory=64MB, threads=4)
- AES-256-GCM authenticated encryption
- Cached keys stored with `0600` permissions
- Pre-commit hook blocks `.env` files and scans for secrets
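
The kind of staged-file check a pre-commit hook can make to keep plaintext env files out of a commit, as an added example (not dotlock's own hook). It assumes an env file is any path whose basename is `.env` or `.env.<suffix>`, and it exempts `.env.example` because the quick start commits that file; `is_plain_env` and `blocked_env_files` are hypothetical names.

```shell
#!/bin/sh
# Added example, not dotlock's own hook.
# Assumption: a plaintext env file is any path whose basename is ".env" or
# ".env.<suffix>". ".env.example" is exempt because the quick start commits it.

# is_plain_env PATH
# Returns 0 if PATH looks like a plaintext env file, 1 otherwise.
is_plain_env() {
    base=${1##*/}                    # strip directories, keep the basename
    case "$base" in
        .env.example) return 1 ;;    # template file, committed on purpose
        .env|.env.*)  return 0 ;;    # .env, .env.local, .env.production, ...
        *)            return 1 ;;    # .dotlock, env.go, README.md, ...
    esac
}

# blocked_env_files
# Reads newline-separated paths on stdin, prints the ones that must not be
# committed, and returns 1 if at least one was found (0 if the list is clean).
blocked_env_files() {
    found=0
    # "|| [ -n "$f" ]" keeps a final line that has no trailing newline.
    while IFS= read -r f || [ -n "$f" ]; do
        [ -n "$f" ] || continue
        if is_plain_env "$f"; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# Use inside .git/hooks/pre-commit (added, copied, modified, renamed paths):
#   git diff --cached --name-only --diff-filter=ACMR | blocked_env_files >&2 || exit 1
```
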
MIT
