Environment Vault
Store, organize, and manage environment variables for each project environment. All values are encrypted with AES-256-GCM at rest and decrypted only in-memory for authorized requests.
Environments
Each project supports four tiers:
| Environment | Purpose |
|---|---|
| DEVELOPMENT | Local development configuration. |
| STAGING | Pre-production for testing and QA. |
| PRODUCTION | Live production configuration. |
| GLOBAL | Shared defaults across all environments (e.g., API base URLs, feature flags). |
Environment-specific values take precedence over GLOBAL.
Vault Groups
Vault groups organize environments within a project — by microservice, region, or deployment target. Each group contains its own set of variables per environment tier.
To create one: open the Vault tab, click New Vault Group, and enter a name (e.g., api-server, us-east-1).
Managing Variables
Adding a Variable
Select an environment, click Add Variable, and fill in:
| Field | Required | Description |
|---|---|---|
| Key | Yes | Variable name (e.g., DATABASE_URL). Must be unique within the environment. |
| Value | Yes | Encrypted immediately upon save. |
| Description | No | What this variable is for. |
| Validation Rule | No | Regex pattern enforced on save and update. |
| Required for Local Setup | No | Included when generating .env.example files. |
| Rotation Policy | No | How often to rotate (30, 60, or 90 days). DepVault alerts when due. |
Editing and Deleting
Click a variable row to edit. Each save creates a new version automatically. To delete, click the delete icon and confirm — deletion is permanent.
Role-Based Access
| Role | View keys | Decrypt values | Edit variables |
|---|---|---|---|
| Owner / Editor | Yes | Yes | Yes |
| Viewer | Yes | No | No |
Version History
Every value update creates a version entry with the previous value, timestamp, and author. Open a variable’s History tab to browse versions. Click Rollback on any version to restore it as the current value.
Bulk Import and Export
Supported Formats
.env, appsettings.json, secrets.yaml, config.toml
Web UI
Use the Import and Export buttons in the Vault tab. On import, review parsed key-value pairs and choose to skip or overwrite existing keys.
CLI
# Export variables to a file
depvault env pull --vault-group <id> --environment PRODUCTION --format env --output .env
# Import variables from a file
depvault env push --vault-group <id> --file .envPull Flags
| Flag | Description | Default |
|---|---|---|
--vault-group | Vault group ID. | Required |
--environment | DEVELOPMENT, STAGING, PRODUCTION, or GLOBAL. | DEVELOPMENT |
--format | env, appsettings.json, secrets.yaml, config.toml. | env |
--output | File path. Omit for stdout. | stdout |
Push Flags
| Flag | Description | Default |
|---|---|---|
--vault-group | Vault group ID. Prompts interactively when omitted. | Interactive |
--file | Path to the file to import. Auto-detects env files when omitted. | Interactive |
--environment | Target environment. | DEVELOPMENT |
In interactive mode, the CLI prompts for vault group and file selection when flags are omitted.
List Variables
depvault env list --vault-group <id> --environment DEVELOPMENTValues are masked by default. Use --output json for full decrypted values (use with caution).
Diff Environments
depvault env diff --vault-group <id> --environments DEVELOPMENT,PRODUCTIONSee the Environment Diff guide for details.
Generate .env.example
Click Generate .env.example in the Vault tab to create a file with keys and placeholders — no real secrets. Variables flagged as Required for Local Setup are included automatically. Safe to commit to version control.