Tene is a local-first, encrypted secret management CLI. It stores your API keys, tokens, and credentials in an encrypted SQLite vault on your device. No server, no signup, no cloud dependency.

How does Claude Code auto-detection work?

When you run tene init, it generates a CLAUDE.md file in your project root. Claude Code reads this file automatically and learns how to use tene to retrieve secrets.

Yes, Tene is 100% free and open source under the MIT license. All local features — encryption, runtime injection, multi-environment, AI editor rules — are free forever with no limits.

Will there be team features?

Team sync and collaboration features are being designed. The goal is encrypted team sync without a central server. Join the waitlist at tene.sh to get notified when it launches.

How are my secrets encrypted?

Tene uses XChaCha20-Poly1305 encryption with 256-bit keys derived from your master password via Argon2id. Each secret gets a unique 192-bit nonce.

Does Tene work offline?

Tene is 100% offline. It makes zero network calls. Your secrets are encrypted and stored locally in a SQLite database.

My CI was using dotenv-vault — what now?

Replace `dotenv-vault pull` in your CI with `tene run --no-keychain --`. Set `TENE_MASTER_PASSWORD` as a CI secret. The `--no-keychain` flag tells tene to read the password from the env var instead of the OS keychain.

Can I keep the `.env.vault` file I committed to git?

No. tene's vault is a SQLite file at `.tene/vault.db` and is `.gitignore`d by default. If you need to sync secrets across machines, use `tene push` (Pro) or an encrypted backup via `tene export --encrypted`.

What about the DOTENV_KEY environment variable?

DOTENV_KEY is a dotenv-vault concept. tene replaces it with `TENE_MASTER_PASSWORD` (for non-interactive use) and the OS keychain (for interactive use). You don't need DOTENV_KEY anymore.

Does migration work for monorepo setups?

Yes. Run `tene init` once per project root. Each project gets its own `.tene/vault.db`. If you want shared team secrets across projects, use the Pro sync product.

Comparison

tene vs dotenv-vault

dotenv-vault's Pro tier shut down February 2026. tene is the drop-in local-first replacement — MIT, free, no signup.

Star on GitHub

In February 2026, dotenv-vault announced it was discontinuing its Pro tier. Free-tier users still get the CLI, but the team-sync and encrypted backup features many projects depended on are gone. If you were a Pro subscriber, you need a migration path now.

tene is that path: a local-first encrypted secret manager that imports `.env` files directly, generates AI-editor rule files automatically, and costs $0 forever. No signup, no cloud account, no migration fees.

What dotenv-vault's Pro shutdown actually means

dotenv-vault's Pro tier included encrypted team sync, environment separation, and an encrypted `.env.vault` file that was supposed to be committable. With Pro gone, teams that depended on it for sharing secrets across developers have no upgrade path. The Free tier's CLI still works, but the team collaboration story is no longer viable.

Many dotenv-vault users are discovering this the hard way — their CI pipeline fails, their deploy script errors out, their new hire can't spin up a dev environment.

Side-by-side

Feature-by-feature comparison. Every row is sourced from the official docs of each product — if you find something stale, open an issue.

Dimension	tene	dotenv-vault
Current status	Active, MIT licensed	Pro tier discontinued (Feb 2026); Free tier limited
Hosting	Local-first on your machine	Cloud-hosted (dotenv.org)
Signup	None required	Required to use CLI
Encryption	XChaCha20-Poly1305 + Argon2id KDF	AES (encrypted `.env.vault` file)
AI-editor integration	Yes (CLAUDE.md, .cursor/rules, .windsurfrules, GEMINI.md, AGENTS.md)	No
Team sync	Optional, E2E encrypted (Pro plan at app.tene.sh)	Was Pro-only; now discontinued
Recovery	12-word BIP-39 mnemonic	N/A (tied to dotenv.org account)
Export path	Portable SQLite vault + `tene export --encrypted`	`dotenv-vault pull` (while it still works)
Vendor risk	None — binary is self-contained	High — service is shutting down core features
Price	$0 (MIT)	Free tier only; previously paid tier gone

Why tene is a natural replacement

tene was designed from day one around the dotenv-vault use case with two twists: (1) the vault lives on your machine, not a third-party server, so nobody can deprecate it out from under you; (2) the vault is AI-agent aware, generating rule files for Claude Code, Cursor, Windsurf, Gemini, and Codex so your secrets stay out of LLM context windows.

For team sync, tene offers an optional Pro plan at app.tene.sh that uses client-side encryption — the server only sees ciphertext, so a future shutdown would still leave you with a working local vault.

If you were paying for dotenv-vault Pro

You were paying roughly $6–12 per developer for encrypted team sync. tene's CLI is free forever and includes the same end-user workflow (`tene import`, `tene run --`, multi-environment). If you need team sync, Pro at app.tene.sh is comparable pricing with stronger crypto (XChaCha20-Poly1305 + per-user X25519 key wrapping) and no lock-in.

Migrate from dotenv-vault to tene (urgent)

Pull your secrets out of dotenv-vault while the CLI still works, then import into tene. Takes less than a minute for a typical project.

1
Pull current secrets from dotenv-vault
```
$ dotenv-vault pull --no-cache
```
Writes to .env in your project root.

Install tene

$ curl -sSfL https://tene.sh/install.sh | sh

3
Initialize a local encrypted vault
```
$ tene init
```
4
Import the pulled .env
```
$ tene import .env
```
5
Delete plaintext files
```
$ rm .env .env.vault .env.me
```
6
Run your app through tene
```
$ tene run -- npm start
```

After migration: Don't delete your dotenv.org account immediately — keep it as a read-only backup for a month while you confirm every environment works. Then revoke tokens and deactivate.

FAQ

My CI was using dotenv-vault — what now?: Replace `dotenv-vault pull` in your CI with `tene run --no-keychain --`. Set `TENE_MASTER_PASSWORD` as a CI secret. The `--no-keychain` flag tells tene to read the password from the env var instead of the OS keychain.
Can I keep the `.env.vault` file I committed to git?: No. tene's vault is a SQLite file at `.tene/vault.db` and is `.gitignore`d by default. If you need to sync secrets across machines, use `tene push` (Pro) or an encrypted backup via `tene export --encrypted`.
What about the DOTENV_KEY environment variable?: DOTENV_KEY is a dotenv-vault concept. tene replaces it with `TENE_MASTER_PASSWORD` (for non-interactive use) and the OS keychain (for interactive use). You don't need DOTENV_KEY anymore.
Does migration work for monorepo setups?: Yes. Run `tene init` once per project root. Each project gets its own `.tene/vault.db`. If you want shared team secrets across projects, use the Pro sync product.

Other comparisons

See how tene compares against every other major secret manager.