Will syncing expose my secrets?

By default, sync adds keys with empty values — safe. If you switch to “Keys + values” and the target is .env.example, .env.sample, or .env.template, Dotvault throws up a warning reminding you that those files are usually committed, and real values probably shouldn’t be.