Dotvault vs 1Password (Secrets Automation)
A general password manager versus a purpose-built .env editor
1Password is the password manager a lot of developers already have open in a browser tab, and over the last few years it’s grown a serious developer product around it — Secrets Automation, the 1Password CLI, an SSH agent, shell integrations. Dotvault is a desktop app that does one specific thing: manage the .env files on your own Mac. They overlap at the edges (“somewhere to keep secrets”), but almost nowhere in the middle.
Quick comparison
| Feature | Dotvault | 1Password |
|---|---|---|
| Primary purpose | Edit and manage .env files | Store passwords, secrets, SSH keys, and credentials |
.env file features | Snapshots, diffs, framework awareness, inline notes | Secrets can be referenced via CLI; no file editor |
| Pricing | £29 one-time | Per-user monthly subscription |
| Where secrets live | Encrypted on your Mac | 1Password’s end-to-end encrypted vault |
| Team sharing | None — single-user tool | Shared vaults, access control, audit logs |
| Platform | macOS desktop app | macOS, Windows, Linux, iOS, Android, browser |
| Best for | Managing .env files locally | A team’s whole password and credential story |
General password manager versus purpose-built editor
1Password is an excellent password manager that has, over the last few years, turned itself into something wider: a secrets platform. You can stash API keys in a vault, reference them in a .env template as op://Vault/Item/field, and have the 1Password CLI substitute the real values at runtime. That’s a clever solution for teams who’ve already standardised on 1Password for human credentials and want one less tool to manage.
Dotvault doesn’t try to be any of that. It is specifically a tool for opening the .env files that are already on your disk and making them easier to work with. It understands that a Laravel .env looks different from a Next.js one. It knows that a value you just deleted might be the one you wanted back ten minutes later. It lets you see every previous state of the file and restore any of them. It does all of that without asking you to move your secrets anywhere else.
The two products have different theories of the problem. 1Password’s theory: the .env file is the wrong primitive, you should be referencing secrets from a central vault. Dotvault’s theory: the .env file is the primitive you already have and will keep having, so let’s make working with it a much nicer experience.
Snapshots, history, and diffs
This is where the comparison starts to look strange, because 1Password doesn’t really do this for .env files. 1Password stores individual credential items with per-item edit history — good for tracking when a password was changed. Dotvault stores per-file snapshots of the whole .env, with side-by-side diffs between any two versions, restore-to-previous-state, and annotations that travel with the file.
If your workflow involves editing .env files often enough that you occasionally wish you could hit undo three hours back, Dotvault is the tool built for that. If your workflow involves looking up a single secret to paste into a running system, 1Password handles that better because it was designed for it.
Team use and sharing
1Password is a team product at its heart. It has shared vaults, granular permissions, audit logs, SCIM provisioning, and an entire enterprise security story. If you need to give contractors access to exactly three secrets and revoke that access in a month, 1Password is the right shape of tool.
Dotvault is a single-developer tool. There’s no account, no team plan, no sharing feature. Every developer has their own copy of their own .env files on their own machine. That’s the scope, deliberately — trying to add team sharing would compromise the “local, private, never synced” guarantee that makes the rest of it trustworthy.
If your team already runs on 1Password for credentials, there’s no reason to change that. Dotvault is complementary rather than competitive — it’s the tool for the developer sat at their laptop, editing the local .env that their app reads at startup. The secrets inside that file might well have come from a 1Password vault, fetched via the CLI. Dotvault’s job starts the moment those values are written into the file.
Who should use which
If your team has standardised on 1Password for credentials and you want a unified story for secrets across humans and machines, 1Password’s Secrets Automation is a strong option, and you probably already pay for it. It’s not going to give you a nice editor for your local .env, but it wasn’t trying to.
If what you need is specifically a better way to work with the .env files already sat in your project directories — snapshots, diffs, framework-aware parsing, encryption at rest, no cloud dependency — that’s Dotvault. A one-off purchase, no account, and it doesn’t try to replace the password manager you already use.
Plenty of developers will keep 1Password for passwords and use Dotvault for the day-to-day editing of .env files. The two don’t overlap much in practice. They just both happen to have the word “secrets” in their marketing.