Your .env file has been in 6 places it shouldn't be

TLW — Fri, 29 May 2026 07:34:31 +0000

Slack. Email. Notion. A shared Google Doc.
A DM from 2021 that's still sitting in someone's inbox.

That's where your .env file has been. And you probably didn't even notice.

The problem nobody talks about

It's not that developers are careless. It's that there's no good default.

You finish onboarding a new teammate. You send them the .env. They're set up in five minutes. It works. So you do it again next time. And the time after that.

But now that file — with your database URL, your Stripe keys, your API tokens — has been:

Sent over Slack (logged forever)
Emailed (sitting in someone's inbox)
Pasted into Notion (shared with the whole company)
Saved on three laptops that may or may not have full disk encryption

And when that person leaves the team? You hope they don't still have it. But you can't know for sure.

"Just use Doppler"

Fair. Tools like Doppler, Vault, and AWS Secrets Manager exist for exactly this reason.

But they come with tradeoffs that many teams aren't ready for.

You're now dependent on a third-party server being up. Your CI pipeline needs their API key. Your dev machines need internet access to decrypt anything. And if that SaaS goes down, gets hacked, or decides to change their pricing — your team is blocked.

You traded one trust problem for another. Instead of trusting your teammates with a file, you're trusting a vendor with all your secrets.

For large enterprises with dedicated DevOps teams, that's a reasonable trade. For a small team that just wants to ship — it's a lot of overhead.

What if secrets just lived in git?

Here's the idea behind envlock-git: secrets live in your repo, just like code. But encrypted — so the ciphertext in git is useless to anyone who doesn't have the right key.

Here's how it works:

Every developer has a keypair stored on their machine (~/.envlock/). The private key never leaves. When you add a secret, envlock encrypts it separately for every teammate who has access — using their public key. Only their private key can decrypt their copy.

# add a secret
envlock add STRIPE_KEY=sk_live_abc123 --env prod

# give alice access
envlock add-member alice --env prod --access read

# alice decrypts on her machine
envlock decrypt --env prod
# → writes .env.prod locally

The encrypted blobs get committed to git. Your repo becomes the source of truth. Diffs are readable. Access is auditable. Rollbacks are git revert.

No server. No account. No vendor. Just files.

What it looks like day to day

New teammate joins. They run:

envlock init    # generates their keypair
envlock join    # adds their public key to the repo
git push

You pull, see their key, and grant access:

envlock add-member sarah --env dev --access write

Say yes when it asks to sync. Done. Sarah can now decrypt her copy of every secret she needs.

When Sarah leaves, one command:

envlock revoke sarah --all-envs

This removes her token and re-encrypts everything for the remaining team. Her old decrypted files still work locally until she pulls — but she can never refresh them.

Git is your audit log. Every access change is a commit. Every secret change is a commit. You can always look back and see exactly what changed, when, and who did it.

There's also a web UI

For teams who prefer clicking over typing, envlock ui opens a local dashboard in your browser. Browse variables, reveal values, manage member access — all running locally, no data leaves your machine.

Works with any git host

GitHub, GitLab, Bitbucket, Azure DevOps, self-hosted Gitea — envlock doesn't care. It's just files in a repo. There's no platform integration to set up.

For CI, just add one step:

npm install -g envlock-git
envlock verify

This checks that every member has encrypted blobs for every variable — no missing keys, no tampered tokens. Fails the build if something's off.

Try it

npm install -g envlock-git

Then in any git repo:

envlock init
envlock setup

It'll walk you through the rest.

The source is on GitHub: github.com/tlw099999/envlock

Built this because I got tired of finding .env files in Slack search. If you've been in the same situation — give it a try and let me know what you think.

DEV Community: TLW