Tools · 5 min read · by agent-kay

dotenv-vault is shutting down. Here's what to migrate to.

The dotenv-vault Pro tier was discontinued in February 2026. Here is an honest side-by-side of the migration options — Doppler, Infisical, HashiCorp Vault, and tene — and a one-command path off the old product.

What happened

In February 2026 the dotenv team shut down the Pro tier of dotenv-vault. That tier covered encrypted team sync, the committable .env.vault file, and DOTENV_KEY-based decryption. The Free tier CLI still works for local use. But the part most teams adopted is gone.

If your CI runs dotenv-vault pull, or your app boots with DOTENV_KEY, you need a new path.

What to migrate to — honest comparison

| Dimension | tene | Doppler | Infisical | HashiCorp Vault |
|---|---|---|---|---|
| Hosting | Local-first CLI | Cloud SaaS | Cloud or self-hosted | Self-hosted (HA cluster) |
| Pricing | Free (MIT) | $21/user/mo (Team) | Free + Pro $18/user/mo | Free OSS / $$$ Enterprise |
| AI-editor safety | Generates CLAUDE.md / .cursor/rules etc. | No | No | No |
| Team sync cost | $0 locally; Pro plan available | Included | Included | Self-run |
| Signup required | No | Yes | Yes for cloud | No for OSS |
| Complexity | Single Go binary | Cloud account + CLI | Server + DB or SaaS | HA cluster + unseal workflow |
| Best fit | Individual devs + small teams + AI workflows | Teams wanting dashboard + RBAC | Mid teams wanting self-host option | Enterprise server-side dynamic secrets |

Were you paying dotenv-vault Pro for team sync? The closest match is Doppler or Infisical. Were you paying because .env felt unsafe? The closest match is tene.

One-command migration from dotenv-vault to tene

[Figure: a 10-line .env with Stripe, OpenAI, Anthropic, AWS, Sentry, and Google client credentials being imported into a tene vault in one command. Caption: A real 10-secret .env migrated to an encrypted vault with tene import.]

This is the fastest path off dotenv-vault for solo developers.

# 1. Pull current secrets while Free-tier CLI still works
dotenv-vault pull --no-cache

# 2. Install tene
curl -sSfL https://tene.sh/install.sh | sh

# 3. Initialize a local encrypted vault
tene init

# 4. Import the pulled .env
tene import .env

# 5. Clean up plaintext
rm .env .env.vault .env.me 2>/dev/null

# 6. Run your app through tene
tene run -- npm start
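
A check that can sit between steps 4 and 5, so the plaintext files are deleted only after every key in .env is confirmed present in the environment tene provides. This is an added example, not code from tene or dotenv-vault; it relies only on the `tene run -- <command>` form shown above, and the file name verify-import.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not tene's or dotenv-vault's code). Confirms that every key in
# a dotenv file is set in the current environment; prints names, never values.
# verify-import.sh is a hypothetical file name.

# Variable names defined in dotenv file $1, one per line. Skips comments and
# blank lines; accepts an optional "export " prefix and spaces around "=".
env_keys() {
  sed -n -E \
    's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' \
    "$1"
}

# Keys from $1 that are unset in this process's environment.
missing_keys() {
  env_keys "$1" | while IFS= read -r key; do
    # $key matched [A-Za-z_][A-Za-z0-9_]* above, so the eval cannot inject.
    if ! eval "[ \"\${$key+set}\" = set ]"; then printf '%s\n' "$key"; fi
  done
}

# 0 = every key present, 1 = at least one missing, 2 = file unreadable or empty.
verify_import() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  [ -n "$(env_keys "$1")" ] || { echo "no keys found in $1" >&2; return 2; }
  missing=$(missing_keys "$1")
  if [ -n "$missing" ]; then
    printf 'not set: %s\n' $missing >&2
    return 1
  fi
  return 0
}

# When run as a script with a file argument, act as the gate before step 5.
if [ "$#" -gt 0 ]; then verify_import "$1"; fi
```

Run it as `tene run -- sh verify-import.sh .env` from a shell that has not itself exported those variable names, since an inherited value would make the check pass.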

What changes in your code

Almost nothing. Your app read process.env.STRIPE_KEY before. It reads the same variable after.

What goes away:

  • require('dotenv-vault') or dotenv-vault/config imports
  • The DOTENV_KEY environment variable
  • The committed .env.vault file
  • The dotenv.org account (eventually)
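
The list above can be turned into a repository check that fails while any of those items is still present. This is an added example, not part of dotenv-vault or tene; the function names and the "kind" labels in its output are assumptions, and .env.me is included because the cleanup step earlier removes it.

```shell
#!/bin/sh
# Added example, not part of dotenv-vault or tene. Reports what is left of a
# dotenv-vault setup under a project directory, one "kind<TAB>path" per hit.

# Regular files under $1, skipping VCS metadata and installed dependencies.
project_files() {
  find "$1" \( -name .git -o -name node_modules \) -prune -o -type f -print
}

find_leftovers() {
  project_files "${1:-.}" | while IFS= read -r f; do
    case ${f##*/} in
      .env.vault|.env.me) printf 'vault-file\t%s\n' "$f"; continue ;;
      .env)               printf 'plaintext\t%s\n' "$f"; continue ;;
    esac
    # require('dotenv-vault'), dotenv-vault/config, package.json entries, CLI calls
    if grep -q 'dotenv-vault' "$f"; then printf 'package-ref\t%s\n' "$f"; fi
    # DOTENV_KEY in workflows, Dockerfiles, deploy scripts
    if grep -q 'DOTENV_KEY' "$f"; then printf 'key-ref\t%s\n' "$f"; fi
  done
}

# CI gate: succeed only when nothing is left; print the hits on failure.
check_migrated() {
  hits=$(find_leftovers "${1:-.}")
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" >&2
  return 1
}
```

The scan matches on file contents, so keep the script itself outside the directory it checks.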

CI migration

Before (with dotenv-vault):

env:
  DOTENV_KEY: ${{ secrets.DOTENV_KEY_PRODUCTION }}
steps:
  - run: npm ci
  - run: dotenv-vault pull --no-cache
  - run: npm test

After (with tene):

env:
  TENE_MASTER_PASSWORD: ${{ secrets.TENE_MASTER_PASSWORD }}
steps:
  - run: npm ci
  - run: tene run --no-keychain -- npm test

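The --no-keychain flag tells tene to read the master password from the environment instead of prompting. In GitHub Actions, an env block at job level is exported to every step, so npm ci also sees TENE_MASTER_PASSWORD; setting env on the tene run step alone limits that exposure.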

When Doppler is the right call instead

Pick Doppler if:

  • You want a web dashboard so PMs and support can read values.
  • You need audit logs for a compliance program.
  • You already pay Doppler for features beyond secret sync (k8s operator, dynamic env variants, approval flows).

Migration from dotenv-vault to Doppler is similar: dotenv-vault pull, then doppler secrets upload.

When Infisical is the right call instead

Pick Infisical if:

  • You want a dashboard plus RBAC like Doppler, but with a self-host option.
  • Your team already runs PostgreSQL and Docker.
  • You care about an MIT-licensed core (vs Doppler's closed SaaS).

When tene is the right call

Pick tene if:

  • You are a solo developer or a small team.
  • Your real pain is AI coding agents reading plaintext .env.
  • You do not want to pay $20+ per user per month.
  • You want zero infrastructure to run.

What about the .env.vault file I committed?

Delete it from your repo. tene's vault lives at .tene/vault.db and is .gitignored by default. tene init adds the entry. There is no committable equivalent of .env.vault because tene does not aim to share ciphertext through your code repo. If you need cross-machine sync, the Pro plan uses a dedicated end-to-end encrypted sync channel.

Summary

  • dotenv-vault Pro is gone as of Feb 2026. The Free CLI still works locally.
  • dotenv-vault pull then tene import is a one-command path.
  • Your application code does not change.
  • Pick Doppler or Infisical if you need a dashboard + RBAC.
  • Pick tene if you want zero infrastructure and AI-editor safety.

A longer take on the AI-editor angle lives in our other piece, "Your .env is not a secret".

FAQ

What exactly did dotenv-vault discontinue?

The Pro tier that enabled encrypted team sync and the .env.vault committable file was discontinued in February 2026. The Free tier CLI still works for local use, but the team-collaboration story is gone.

Can I stay on dotenv-vault Free?

Yes, if you only use it locally as an encrypted .env alternative for a single developer. But the main reason to use dotenv-vault was team sync, which is no longer offered.

Do I need to pay to migrate?

No. tene is MIT licensed and free forever. Doppler and Infisical have free tiers. HashiCorp Vault OSS is source-available. Migration itself requires no payment.

Will my .env.vault file still work during migration?

The Free-tier CLI can still 'dotenv-vault pull' a current .env. Do that first to extract your secrets, then import into the new tool.