Dotvault vs EnvKey
Team-oriented secrets platform versus solo local-first desktop tool
EnvKey has an interesting position in the secrets-management world. It’s designed for teams, it syncs encrypted config across machines, it has proper role-based access control and audit logs, and it’s open source on the server side — a sensible choice for small and mid-sized teams that want something more serious than passing .env files around in Slack. Dotvault is a very different sort of tool: a macOS desktop app for editing the .env files that already live on one developer’s machine. Worth working out which shape is closer to the problem you actually have.
Quick comparison
| Feature | Dotvault | EnvKey |
|---|---|---|
| What it is | macOS desktop app for editing .env files | Encrypted secrets manager with team sync |
| Primary audience | Individual developers | Small and mid-sized engineering teams |
| Pricing | £29 one-time | Free tier + paid plans for teams |
| Access control | None — single-user | Role-based permissions per app and environment |
| Audit logs | Per-file snapshot history on your Mac | Centralised audit trail across the team |
| Offline use | Fully offline | Cached locally; sync needs the network |
| Best for | Managing .env files on your own Mac | Keeping a team’s secrets in sync safely |
Team-oriented versus solo-first
EnvKey starts from a team assumption. The whole point is that you and your teammates need the same set of secrets across development, staging, and production, and you’d rather not email .env.production around or paste it into a deployment platform’s UI every time something changes. EnvKey gives you a central place where those values live, an encrypted sync mechanism that pushes them out to every machine that needs them, and access controls so people only see what they should.
Dotvault starts from a solo assumption. The point is that you — a single developer, sat at your own Mac — are working with .env files and want a better tool for doing that specific thing. There’s no account, no team, no sync. The file lives on your disk, Dotvault helps you read and edit it, and nothing else happens. That “nothing else happens” is a deliberate feature, not a missing one.
Neither tool is trying to do the other’s job. EnvKey would be a strange fit for someone managing their own side projects; Dotvault is a strange fit for a team of ten engineers who need shared production secrets.
Access control and audit
EnvKey has the thing you want when the audience is “a small engineering team” rather than “just me”. Roles per app and per environment, so the contractor working on the frontend doesn’t automatically see production database URLs. Audit logs showing who accessed what and when. End-to-end encryption so even EnvKey’s own servers can’t read your values. Those features aren’t just box-ticking — they matter the moment more than one person has legitimate access to the same secrets.
Dotvault doesn’t have any of that, because it doesn’t have any concept of “more than one person”. Every Dotvault install belongs to one macOS user, and the snapshot history is the local version of an audit trail — it tells you when this file changed, not who changed it, because there’s only one who. If the audience for your secrets is genuinely just you, that’s enough. If it isn’t, Dotvault is the wrong tool.
Simplicity and price
One of EnvKey’s selling points is that it’s simpler than operating a HashiCorp Vault cluster or wiring up a full enterprise secrets platform. That’s true, and fair. But “simpler than the enterprise option” is still a lot more than Dotvault asks of you. EnvKey needs you to create an organisation, invite teammates, install a CLI, sign in on each machine, and set up the sync integration for each environment. For a team, that’s time well spent. For a developer working on their own project, it’s a substantial setup for something they could handle with a text editor.
Dotvault is £29, installs like any Mac app, and opens the .env files you already have. That’s the whole onboarding. No org to create, no teammates to invite, no CLI to sign into. The simplicity is the point.
If you’re paying for EnvKey’s paid tiers for a team, £29 for a personal editing tool alongside it is small change. If you’re choosing between them as solo developer, the pricing is nowhere near the same conversation.
Who should use which
Use EnvKey if you have a team that needs to share secrets across environments, if access control and audit logs are actual requirements, and if you want a tool built specifically for that team sync problem without going all the way to enterprise platforms.
Use Dotvault if you’re managing your own .env files on your own Mac, and the friction you want to remove is “I keep breaking this file” rather than distributing values across a team. No account, no subscription, no server in the loop.
Some teams will run EnvKey for their shared secrets and individual developers on that team will still keep Dotvault for their own local .env.local overrides. That’s a reasonable split — each tool doing the thing it’s good at, neither stepping on the other.