1.0.5 • Published 3 months ago • CLI

@dotenvar/cli

Licence: MIT • Version: 1.0.5 • Deps: 2 • Size: 213 kB • Vulns: 0 • Weekly: 0

Zero-knowledge secrets manager — pull encrypted secrets into any environment, on any stack.

dotenvar is language and framework agnostic. It works with Node.js, Python, Go, Ruby, PHP, Rust, Docker, Kubernetes, or any other runtime — because it operates at the OS process level, not inside your application. All decryption happens locally; plaintext secrets never leave your machine or server.

For the full documentation, visit dotenvar.com/documentation/cli.

Installation

Via npm

npm install -g @dotenvar/cli

Via npx (no install needed)

For one-off usage or CI/CD:

npx @dotenvar/cli exec -- your-start-command

Via standalone binary

Download the latest binary for your platform from releases:

  • macOS (Apple Silicon): dotenvar-macos-arm64
  • macOS (Intel): dotenvar-macos-x64
  • Linux (x64): dotenvar-linux-x64
  • Linux (ARM64): dotenvar-linux-arm64
  • Windows (x64): dotenvar-win.exe

macOS:

# Apple Silicon (-f: fail on an HTTP error instead of saving the error page as the binary)
curl -fL https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-macos-arm64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar

# Intel
curl -fL https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-macos-x64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar

Linux (x64):

curl -fL https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-linux-x64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar

Linux (ARM64):

curl -fL https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-linux-arm64 -o /usr/local/bin/dotenvar
chmod +x /usr/local/bin/dotenvar

Windows:

$url = "https://github.com/sheikh295/dotenvar-cli/releases/download/v1.0.2/dotenvar-win.exe"
$dest = "$env:PROGRAMFILES\dotenvar\dotenvar.exe"
New-Item -ItemType Directory -Path "$env:PROGRAMFILES\dotenvar" -Force
Invoke-WebRequest -Uri $url -OutFile $dest

Quick Start

# 1. Log in once (opens browser)
dotenvar auth login

# 2. Initialise your project
cd my-project
dotenvar init

# 3a. Pull to a .env file (for local dev tooling that reads .env)
dotenvar pull

# 3b. Or run directly without writing to disk
dotenvar exec -- npm run dev

Commands

Authentication

dotenvar auth login          # OAuth via browser, saves credentials to ~/.dotenvar/
dotenvar auth logout         # Revoke session and clear credentials
dotenvar auth status         # Show who is logged in

Project Setup

dotenvar init                                       # Interactive wizard
dotenvar init --env grp_abc123                      # Skip the env selector
dotenvar init --env grp_abc123 --out .env.local

Pulling Secrets

dotenvar pull                                       # Pull all envs in dotenvar.json
dotenvar pull --env grp_abc123                      # Pull a specific env
dotenvar pull --env grp_abc123 --out .env.staging

Running Commands

dotenvar exec -- npm start
dotenvar exec -- python -m uvicorn main:app
dotenvar exec --env grp_abc123 -- node scripts/seed.js

Secrets are injected into the child process environment only — nothing is written to disk.

Deploy Keys

dotenvar deploy-key print                           # Print the deploy key blob
dotenvar deploy-key print --env grp_abc123
dotenvar deploy-key revoke --env grp_abc123         # Revoke a deploy key
dotenvar deploy-key rotate --env grp_abc123         # Rotate (re-seals all DEKs)

Utilities

dotenvar list                # List all environments you have access to
dotenvar status              # Show auth, config, and deploy key health

CI/CD

# Generate and copy the deploy key blob on your local machine
dotenvar deploy-key print --env grp_abc123
# → DOTENVAR_DEPLOY_KEY=eyJ...

Add it as a secret in your CI provider, then use it in your pipeline:

dotenvar pull             # writes .env
dotenvar exec -- npm test # or inject directly

GitHub Actions

- name: Pull secrets
  run: dotenvar pull
  env:
    DOTENVAR_DEPLOY_KEY: ${{ secrets.DOTENVAR_DEPLOY_KEY }}

- name: Run tests
  run: npm test

GitLab CI

pull_secrets:
  script:
    - dotenvar pull
  variables:
    DOTENVAR_DEPLOY_KEY: $DOTENVAR_DEPLOY_KEY

The preferred pattern for production

Backend / server applications (runtime injection)

The recommended approach is to prefix your start command with dotenvar exec --. Secrets are decrypted in memory and injected as environment variables into the child process. Nothing is written to disk.

dotenvar exec -- <your normal start command>

That's it. No code changes required inside your application. Your app reads process.env / os.environ / ENV exactly as it always did.

Examples across stacks:

# Node.js
dotenvar exec -- node dist/server.js
dotenvar exec -- npm start

# Python
dotenvar exec -- python manage.py runserver
dotenvar exec -- gunicorn app:app

# Go
dotenvar exec -- ./bin/server

# Ruby
dotenvar exec -- bundle exec rails server

# PHP
dotenvar exec -- php artisan serve

# Any binary
dotenvar exec -- ./my-app
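
What injection into the child process environment means in practice, as an added illustration (not dotenvar's code): the sketch merges a constructed sample secret into a child's environment and reports what the child and a grandchild can see. The names runWithSecrets and probe and the strip option are hypothetical; whether dotenvar removes DOTENVAR_DEPLOY_KEY from the child's environment is not stated on this page.

```javascript
// Added illustration of exec-style injection; this is not dotenvar's source code.
const { spawnSync } = require('node:child_process');

// Constructed sample value standing in for a secret decrypted in memory.
const SAMPLE_SECRETS = { DATABASE_URL: 'postgres://constructed.example/app' };

// Run `command` with `secrets` merged into a copy of the parent's environment.
// `strip` (hypothetical option) names variables to remove from the child's copy.
function runWithSecrets(secrets, command, args, strip = []) {
  const env = { ...process.env, ...secrets };
  for (const name of strip) delete env[name];
  const child = spawnSync(command, args, { env, encoding: 'utf8' });
  if (child.error) throw child.error;
  return { status: child.status, stdout: child.stdout.trim() };
}

// Script run as the child: reports which variables it sees, then starts a
// grandchild to show that the injected environment is inherited further down.
const PROBE = `
const { execFileSync } = require('node:child_process');
const seen = (n) => (process.env[n] === undefined ? 'absent' : 'present');
const grandchild = execFileSync(process.execPath,
  ['-e', 'process.stdout.write(process.env.DATABASE_URL ? "present" : "absent")'],
  { encoding: 'utf8' });
console.log(JSON.stringify({
  DATABASE_URL: seen('DATABASE_URL'),
  DOTENVAR_DEPLOY_KEY: seen('DOTENVAR_DEPLOY_KEY'),
  grandchildSeesDatabaseUrl: grandchild,
}));`;

// Returns what the child observed, with `strip` removed from its environment.
function probe(strip = []) {
  const result = runWithSecrets(SAMPLE_SECRETS, process.execPath, ['-e', PROBE], strip);
  return JSON.parse(result.stdout);
}

process.env.DOTENVAR_DEPLOY_KEY = 'constructed-placeholder'; // not a real key
console.log('child inherits everything:', probe());
console.log('deploy key stripped      :', probe(['DOTENVAR_DEPLOY_KEY']));
console.log('parent has DATABASE_URL  :', 'DATABASE_URL' in process.env); // false
```

On Linux a process's environment is also readable through /proc/<pid>/environ by the same user and by root, so keeping secrets off disk does not hide them from other processes running as that user.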

Docker

Install dotenvar inside the image and change the CMD / ENTRYPOINT:

FROM node:22-alpine

# Install dotenvar globally
RUN npm install -g @dotenvar/cli

# Copy your app (list .env and dotenvar.key in .dockerignore so COPY does not bake them into a layer)
WORKDIR /app
COPY . .
RUN npm ci && npm run build

# Inject secrets at startup — no .env file in the image
CMD ["dotenvar", "exec", "--", "node", "dist/server.js"]

Pass the deploy key as an environment variable when running the container:

docker run -e DOTENVAR_DEPLOY_KEY="$DOTENVAR_DEPLOY_KEY" my-image

docker-compose

services:
  api:
    build: .
    command: ["dotenvar", "exec", "--", "node", "dist/server.js"]
    environment:
      - DOTENVAR_DEPLOY_KEY=${DOTENVAR_DEPLOY_KEY}

Kubernetes

Store the deploy key as a Secret and mount it as an env var:

env:
  - name: DOTENVAR_DEPLOY_KEY
    valueFrom:
      secretKeyRef:
        name: dotenvar-secrets
        key: deploy-key

Then change your container command:

command: ["dotenvar", "exec", "--", "node", "dist/server.js"]

Frontend / build-time usage

For client-side apps (Next.js, Vite, Create React App, etc.) secrets are only needed at build time, not at runtime. Pull a .env file before running the build:

dotenvar pull && npm run build

In Vercel / Netlify / any build platform, set DOTENVAR_DEPLOY_KEY as a build environment variable and override the build command:

dotenvar pull && next build

Getting a deploy key

A deploy key lets any environment authenticate without a browser or passphrase. Generate one on first setup from your local machine (where you are logged in):

# 1. Run init in your project (generates the deploy key)
dotenvar init

# 2. Print the key blob to copy into your environment
dotenvar deploy-key print
# → DOTENVAR_DEPLOY_KEY=eyJ...

Store the printed value as a secret in your hosting platform, CI provider, or secret manager. From that point on, any environment that has DOTENVAR_DEPLOY_KEY set can pull secrets without any interactive login.


Security

  • Zero-knowledge: all decryption is local. The dotenvar server stores only ciphertext and never sees your plaintext secrets.
  • Per-environment deploy keys: each dotenvar init generates a unique RSA-4096 key pair. The private key lives in dotenvar.key (gitignored automatically) and is never transmitted.
  • No secrets on disk in production: use dotenvar exec -- to keep secrets in memory only.
  • dotenvar.key and .env are added to .gitignore automatically on init.
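
The page says init adds dotenvar.key and .env to .gitignore; it does not mention .dockerignore, and the Dockerfile above uses COPY . . to build the image. The following pre-build check is an added example, not part of dotenvar: the function name auditSecretFiles is hypothetical, and the permission test assumes a POSIX file system.

```javascript
// Added pre-build check; not part of dotenvar. File names are the ones this page uses.
const fs = require('node:fs');
const path = require('node:path');

const SECRET_FILES = ['.env', 'dotenvar.key'];
const IGNORE_FILES = ['.gitignore', '.dockerignore'];

// Non-comment, non-empty lines of an ignore file, or [] when the file is missing.
function ignoreEntries(file) {
  if (!fs.existsSync(file)) return [];
  return fs.readFileSync(file, 'utf8').split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'));
}

// Returns a list of findings for `dir`; an empty list means the check passed.
// Only literal entries ("name" or "/name") count: wildcard and negated patterns
// are not evaluated, so a project relying on them gets a finding to review.
function auditSecretFiles(dir) {
  const findings = [];
  for (const ignore of IGNORE_FILES) {
    const entries = ignoreEntries(path.join(dir, ignore));
    for (const name of SECRET_FILES) {
      if (!entries.includes(name) && !entries.includes('/' + name)) {
        findings.push(`${name} is not listed in ${ignore}`);
      }
    }
  }
  for (const name of SECRET_FILES) {
    const file = path.join(dir, name);
    if (!fs.existsSync(file)) continue;
    const mode = fs.statSync(file).mode & 0o777; // POSIX permission bits
    if (mode & 0o077) {
      findings.push(`${name} has mode ${mode.toString(8)}; group/other access bits set`);
    }
  }
  return findings;
}

// Command-line use: node audit.js <project-dir>; exits 1 when anything is found.
if (process.argv[2]) {
  const found = auditSecretFiles(process.argv[2]);
  for (const finding of found) console.error('FINDING: ' + finding);
  process.exitCode = found.length ? 1 : 0;
}
```

Run it before docker build or git commit in a pipeline that also runs dotenvar pull.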

Requirements

  • Node.js ≥ 18

License

MIT