Envshed vs dotenv-vault
dotenv-vault's model is 'commit an encrypted .env.vault to git, decrypt at deploy.' It's $5/user/month up to 2 teammates on Solo — $8/user on Team to get an audit log and access controls — with no free tier since May 2025 and a .env.vault format officially deprecated by its creator in May 2024. Envshed is the other trade: flat $5/user with audit log and expiration warnings included, a free tier for pairs, per-user overrides, and a monorepo-aware CLI.
dotenv-vault has real lineage. It's built by the maintainers of the dotenv library — which is essentially how every Node app reads .env — and the integration surface is wide. First-party adapters for Heroku, Vercel, Netlify, Fly.io, Kamal, Docker, CircleCI, and GitHub Actions cover most of the hosts a small team would care about. The mental model is clean: push your .env to the vault, npx dotenv-vault build produces an AES-GCM-encrypted .env.vault you commit to git, and DOTENV_KEY decrypts it at deploy. No runtime network call, one artifact, done.
Two facts cut against that picture. The .env.vault format has been officially deprecated by its own team since May 2024 — they now recommend dotenvx as its successor — and the hosted service removed its free tier in May 2025. Solo is $5/user/month capped at 2 teammates; audit log, access controls, and version history require Team at $8/user. Envshed is the opposite trade. Flat $5/user includes audit log and expiration warnings. Two users ship free, forever. A .envshed.json at the root of your monorepo auto-detects every workspace. Per-user overrides mean each dev keeps their own local DB URL or feature flags without editing the shared config. Secrets pull at runtime — no .env.vault artifact in your repo.
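The "encrypt, commit, decrypt at deploy" flow described above, as an added Node.js sketch that is not dotenv-vault's or Envshed's code: it seals a record with AES-256-GCM using a fresh IV per record, then shows that a wrong key or a single changed byte in the committed record is rejected at decrypt time. The record layout (base64 of IV, ciphertext, tag) and the names sealRecord, openRecord, isRejected and demo are assumptions of this sketch, not the .env.vault format.

```javascript
// Added sketch of an "encrypt, commit, decrypt at deploy" flow with AES-256-GCM.
// Assumed record layout: base64(IV || ciphertext || tag); not the .env.vault format.
const crypto = require('node:crypto');

const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypt one record with a fresh random IV (never reuse an IV under the same key).
function sealRecord(plaintext, key) {
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, body, cipher.getAuthTag()]).toString('base64');
}

// Decrypt at deploy time. Throws if the key or any byte of the record is wrong.
function openRecord(record, key) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('record too short');
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  const body = raw.subarray(IV_LEN, raw.length - TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected (wrong key or tampered record).
function isRejected(record, key) {
  try { openRecord(record, key); return false; } catch { return true; }
}

// Constructed sample input: not real credentials.
const SAMPLE_ENV = 'DATABASE_URL=postgres://localhost/dev\nFEATURE_X=on\n';

function demo() {
  const key = crypto.randomBytes(32); // stands in for the deploy-time key
  const record = sealRecord(SAMPLE_ENV, key);
  const flipped = Buffer.from(record, 'base64');
  flipped[IV_LEN] ^= 0x01; // simulate one changed byte in the committed file
  return {
    roundTrip: openRecord(record, key) === SAMPLE_ENV,
    freshIv: sealRecord(SAMPLE_ENV, key) !== record,
    tamperRejected: isRejected(flipped.toString('base64'), key),
    wrongKeyRejected: isRejected(record, crypto.randomBytes(32)),
  };
}

console.log(demo());
```

In this model the confidentiality of everything in the committed record rests on the decryption key alone, so the key must be stored and rotated outside the repository.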
Feature comparison
| | Envshed | dotenv-vault |
|---|---|---|
| Pricing model | $5/user/month flat (Team) | $5/user/month Solo (up to 2) · $8/user/month Team (unlimited) |
| Free tier | 2 users · 3 projects · unlimited secrets | Removed in May 2025 — paid-only |
| CLI | envshed (pull, push, run, export) | npx dotenv-vault (push, pull, build, keys, rotatekey) |
| Distribution model | Hosted — secrets pulled at runtime, nothing committed to git | Build an AES-GCM-encrypted .env.vault file and commit it to git |
| Per-user overrides | Yes — each dev overrides individual keys without touching shared config | No — one .env.vault per environment, values shared across teammates |
| Monorepo-native config | Yes — .envshed.json auto-detects workspaces | No documented monorepo tooling — one project per repo is the norm |
| Multi-environment model | First-class dev/staging/prod per project with per-environment roles | Multiple environments per project with per-environment DOTENV_KEY |
| Audit log | Included on Team ($5/user/month) | Team tier only ($8/user/month) |
| Secret expiration warnings | Yes — set an expiry, CLI and dashboard warn before and after | No built-in expiry or staleness warnings |
| Encryption at rest | AES-256-GCM (per-record IV) | AES-GCM on the .env.vault artifact; service-stored values encrypted in transit and at rest |
| Format status | Current — active development | .env.vault format deprecated by creator since May 2024; dotenvx recommended as successor |
| Best for | 2–50-person dev teams that want env-var UX with free entry | Solo devs or pairs who want a 'commit one encrypted file, decrypt at deploy' flow |
Source: dotenv-vault pricing verified on dotenv.org/vault/pricing on April 18, 2026. The .env.vault format deprecation notice is at dotenvx.com/docs/env-vault-file. Figures change — verify on the source before quoting.
When dotenv-vault is the right choice
- You want the largest first-party host integration surface — Heroku, Vercel, Netlify, Fly.io, Kamal, Docker, CircleCI — with zero glue code.
- You prefer a 'commit one encrypted file to git, decrypt at runtime' mental model over a network call at boot.
- You're a solo dev or pair and Solo at $5/user/month (capped at 2 teammates) fits your shape.
- You're comfortable staying on the deprecated .env.vault format or are planning a migration to dotenvx.
When Envshed is the right choice
- You need per-user overrides — each dev keeps their own local DB URL, Stripe test key, or feature flags without editing the shared config.
- Your code lives in a monorepo and you want .envshed.json auto-detecting workspaces instead of one dotenv-vault project per repo.
- You want a free tier for small teams — 2 users, 3 projects, unlimited secrets — not a removed free plan.
- You want audit log and expiration warnings at the $5 entry tier, not gated behind $8/user Team.
- You'd rather pull secrets at runtime than commit an encrypted .env.vault artifact to the repo.
Try Envshed free for 14 days
Free tier covers 2 users and 3 projects. No credit card required.