.env.vault.local

In a team setting, different developers may need different local configurations:

Developer A (using a local PostgreSQL instance):

At its core, the "local build" is an encryption engine.

The traditional .env file is a liability sitting in plain text on your machine. It works, but it requires discipline. You have to manage permissions, ensure your editor doesn't autosave to a temporary public location, and manually sync keys with your team via insecure channels like Slack or email.

Enter the .env.vault.local file.

.env.vault.local: A local-only file that stores the specific keys and identifiers needed to decrypt and sync the vault for a specific developer's machine.

Key Characteristics:

This setup provides a "dual-key" security model. An attacker needs both the encrypted vault file and the decryption key to see any secrets.

Best Practices

Since the .env.vault file is encrypted, it is safe to commit to Git, ensuring every developer has the same environment structure.

To combat this, the creators of dotenv introduced (and subsequently dotenvx), which shifts the paradigm from plaintext .env files to encrypted .env.vault files. This means you can safely check your encrypted vault file into version control, and your application will use a decryption key at runtime to inject the secrets directly into your application just-in-time.

The Role of dotenv.local and .env.vault

DOTENV_VAULT_DEVELOPMENT="dotenv://:key_1234567890abcdef@dotenv.org/vault/.env.vault?environment=development"

This URI contains:

But stored on disk as encrypted ciphertext:

The primary benefit is that it enforces a "Vault-First" mindset. You aren't manually editing a .env file and hoping you don't accidentally commit it. You are pulling from a secure source, and the .env.vault.local file is a generated artifact.