dotenvx

.env.keys

.env.keys holds your environment decryption DOTENV_KEYs. Here is what it looks like.

.env.keys

#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
#/   DOTENV_KEYs. DO NOT commit to source control   /
#/   [how it works](https://dotenv.org/env-keys)    /
#/--------------------------------------------------/
DOTENV_KEY_DEVELOPMENT="dotenv://:key_e507c60efa8841d8d5bbb85bd701ee92406cf3b06506d1d80f1553c2a72791e4@dotenvx.com/vault/.env.vault?environment=development"
DOTENV_KEY_PRODUCTION="dotenv://:key_10283719af6a30ef49050048617f4fea10c23a38021fbebeb9fd858caa01852e@dotenvx.com/vault/.env.vault?environment=production"

Some quick takeaways:

It uses the .env format
DOTENV_KEY_DEVELOPMENT contains the decryption key to DOTENV_VAULT_DEVELOPMENT in .env.vault
DOTENV_KEY_PRODUCTION contains the decryption key to DOTENV_VAULT_PRODUCTION in .env.vault

Generating

It's auto-generated when running dotenvx encrypt.

$ dotenvx encrypt
✔ encrypted to .env.vault (.env)
✔ key added to .env.keys (DOTENV_KEY_DEVELOPMENT)

Do not commit .env.keys to source code. Keep them somewhere safe like 1Password or dotenvx hub.

History

The .env.keys file came out of development work on dotenv-vault – around early 2023.