Encrypt your .env files. Commit them safely. Share with your team.
dotlock encrypts .env files into a single .dotlock vault file using a shared passphrase. Fully offline!
Install
```sh
curl -fsSL https://raw.githubusercontent.com/mrprincerawat/dotlock/main/install.sh | sh
```
Other methods
```sh
# Homebrew
brew install mrprincerawat/tap/dotlock

# Go
go install github.com/mrprincerawat/dotlock@latest
```
Or download binaries from Releases.
Quick Start
```sh
# 1. Initialize (encrypts all .env files)
dotlock init

# 2. Commit the vault
git add .dotlock .env.example .dotlock.readme
git commit -m "add encrypted env files"

# 3. On another machine, unlock
dotlock unlock
```
Commands
| Command | Description |
|---|---|
| `dotlock init` | Detect .env files, encrypt them, set up git protection |
| `dotlock lock [env]` | Encrypt .env files into the vault |
| `dotlock unlock [env]` | Decrypt environments from the vault |
| `dotlock diff [env1] [env2]` | Compare environments |
| `dotlock ls` | List environments in the vault |
| `dotlock doctor` | Diagnose setup health |
| `dotlock scan` | Scan codebase for hardcoded secrets |
How It Works
- Encryption: Passphrase → Argon2id → AES-256-GCM
- Storage: All environments stored in a single `.dotlock` JSON file
- Key caching: Derived key cached in `~/.dotlock/keys/` after first use
- Git protection: `.gitignore` + `.git/info/exclude` + pre-commit hook
- Auto-lock: Pre-commit hook automatically re-locks on commit
CI/CD
Set the DOTLOCK_PASSPHRASE environment variable:
```yaml
# GitHub Actions
env:
  DOTLOCK_PASSPHRASE: ${{ secrets.DOTLOCK_PASSPHRASE }}
steps:
  - run: dotlock unlock
```
Security
- Argon2id key derivation (time=1, memory=64MB, threads=4)
- AES-256-GCM authenticated encryption
- Cached keys stored with `0600` permissions
- Pre-commit hook blocks `.env` files and scans for secrets
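
A check for the cached-key permissions listed above, as an added example that is not dotlock's own code: it walks the key cache directory and reports every entry that group or other users can access. It assumes everything under `~/.dotlock/keys/` is key material; `AuditKeyCache` and `Finding` are names made up for this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one cache entry whose mode grants more than owner-only access.
type Finding struct {
	Path string
	Mode fs.FileMode
}

// AuditKeyCache walks dir (the directory itself included) and returns every
// entry with any group/other permission bit set, plus any symlink.
func AuditKeyCache(dir string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info() // lstat semantics: symlinks are not followed
		if err != nil {
			return err
		}
		// 0o077 masks the group and other bits; 0600 files and 0700 dirs pass.
		if info.Mode().Perm()&0o077 != 0 || info.Mode()&fs.ModeSymlink != 0 {
			findings = append(findings, Finding{Path: path, Mode: info.Mode()})
		}
		return nil
	})
	return findings, err
}

func main() {
	home, err := os.UserHomeDir()
	if err == nil {
		var findings []Finding
		findings, err = AuditKeyCache(filepath.Join(home, ".dotlock", "keys"))
		for _, f := range findings {
			fmt.Printf("%s has mode %v, expected owner-only\n", f.Path, f.Mode)
		}
		if len(findings) > 0 {
			os.Exit(1)
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
}
```

The exit code is 1 when any entry is too permissive and 2 when the cache cannot be read, so the check can gate a workstation or CI health script.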
License
MIT
