.env.vault.local May 2026

Unlike a standard .env file, this file does not contain plaintext. It contains a JSON structure with encrypted blobs.

Example .env.vault.local content:

{
  "DOTENV_VAULT_SIG": "12345abcde",
  "DOTENV_VAULT_DECRYPTION_KEY": "none",
  "development": {
    "ciphertext": "U2FsdGVkX1/abcdefghijklmnop...",
    "iv": "e3b0c44298fc1c14",
    "tag": "c1c14e3b0c44298f"
  },
  "production": {
    "ciphertext": "U2FsdGVkX1/zxywvutsrqponmlk..."
  }
}

You don't write this by hand. You generate it with the CLI:

npx dotenv-vault local push   # Encrypt and push local overrides to .env.vault.local

Do not put DOTENV_KEY inside your .env.vault.local file. That defeats the purpose. Instead, set it in your shell profile (.bashrc, .zshrc) or use a secrets manager like 1Password CLI to inject it.

Developers often need to test specific configurations that differ from the team's shared setup, for example pointing the API at a local Docker container rather than the staging server. With .env.vault.local you can override specific variables pulled from the vault without altering the team's shared configuration. The local file takes precedence, which gives each developer a custom sandbox.

At its core, .env.vault.local is a machine-specific, encrypted secrets vault file. It is a sibling to the standard .env.vault file.

To understand it, let's break down the naming convention:

While the standard .env.vault file is designed to be safely committed to Git (yes, committed, because it’s encrypted), the .env.vault.local file is explicitly designed to stay out of version control. It is the entry in your .gitignore that protects your personal development secrets.

Have you ever accidentally committed a real AWS_SECRET_ACCESS_KEY to a public repo? It's a terrifying experience involving key rotation, incident reports, and potential financial loss. By using .env.vault.local, your raw secrets live outside Git. Even if your repository is compromised, the attacker only finds an encrypted vault they cannot open without the key.