
Envault: Sync, Diff, and Rotate Environment Variables Across Environments

Stop copy-pasting .env files. One CLI to manage secrets across dev, staging, and prod — with conflict resolution, secret detection, and secret-store integration.

Every team I've worked with has had the same problem: environment variables are a mess. .env files get out of sync, secrets end up in chat history, and nobody knows which variables are supposed to be in staging vs. production.

Envault solves this with a single CLI that diffs, syncs, and rotates environment variables across environments — with smart secret detection, conflict resolution strategies, and integrations with AWS SSM Parameter Store, HashiCorp Vault, Doppler, and 1Password.


Installation

pip install git+https://github.com/Coding-Dev-Tools/envault.git

Core Workflows

1. Diff Environments

See what's different between your environments at a glance:

# Compare two .env files
envault diff .env.dev .env.staging

# Compare a .env file against a secret store
envault diff .env.prod --from ssm:/my-app/production

Output shows keys that are missing, added, or have different values (with secrets masked):

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.env.dev  vs  .env.staging
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ KEYS ONLY IN .env.staging:
  + REDIS_PASSWORD          (secret)
  + SENTRY_DSN              https://***@sentry.io/***

⚠ KEYS ONLY IN .env.dev:
  - DEBUG                   true

⚠ DIFFERENT VALUES:
  ~ DATABASE_URL            (secret)         ← different values
  ~ LOG_LEVEL               debug  →  info

✓ 12 keys match
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2. Smart Secret Detection

Envault automatically detects what's a secret and what's a config value using heuristic rules:

Pattern                                  Detected As   Example
Contains KEY, SECRET, PASSWORD, TOKEN    Secret        DB_PASSWORD=supersecret
Contains URL, HOST, PORT                 Config        API_HOST=localhost
Looks like a JWT or API key              Secret        eyJhbGciOiJIUzI1NiJ9...
Boolean or numeric value                 Config        DEBUG=true
URL with credentials                     Secret        postgres://user:pass@host/db

Secrets are masked in diff output and excluded from log files. You can override detection with --classify KEY=secret or --classify KEY=config.

3. Sync with Conflict Resolution

Sync missing variables from one environment to another with automatic conflict resolution:

# Copy missing keys from staging to dev (keep dev's existing values)
envault sync .env.staging .env.dev --strategy keep-existing

# Force staging values for config vars, keep dev for secrets
envault sync .env.staging .env.dev --strategy config-from-source

# Interactive mode — review each conflict
envault sync .env.staging .env.dev --strategy interactive

Conflict resolution strategies:

Strategy              Behavior
keep-existing         Only adds keys that don't exist in the target
source-wins           Overwrites all conflicting values
config-from-source    Only overwrites non-secret (config) values
interactive           Prompts for each conflict
report-only           Shows what would change without modifying anything
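The detection heuristics and the sync strategies above, worked through in one added Python example (this is illustrative code written for this article, not Envault's own implementation; the regex rules, function names and the sample STAGING/DEV environments are assumptions). The interactive strategy is left out because it needs a terminal prompt.

```python
import re

# Heuristics follow the article's detection table; regexes and names are assumptions, not Envault's code.
SECRET_NAME = re.compile(r"KEY|SECRET|PASSWORD|TOKEN", re.I)
CONFIG_NAME = re.compile(r"URL|HOST|PORT", re.I)
JWT = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")                      # base64url header.payload.sig
API_KEY = re.compile(r"^[A-Za-z0-9_-]{32,}$")                        # long opaque token
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+@", re.I)  # scheme://user[:pass]@host

def classify(key: str, value: str) -> str:
    """Return 'secret' or 'config' for one KEY=value pair."""
    if URL_WITH_CREDS.match(value):      # credentials in the value outrank the key name,
        return "secret"                  # so DATABASE_URL=postgres://u:p@host/db is a secret
    if SECRET_NAME.search(key):          # DB_PASSWORD, API_KEY, AUTH_TOKEN
        return "secret"
    if CONFIG_NAME.search(key):          # API_HOST, REDIS_PORT, credential-free URLs
        return "config"
    if JWT.match(value) or API_KEY.match(value):
        return "secret"
    return "config"                      # booleans, numbers, LOG_LEVEL=info, ...

def mask(key: str, value: str) -> str:
    """Display form used in diff/sync reports: secret values are never printed."""
    return "(secret)" if classify(key, value) == "secret" else value

def sync(source: dict, target: dict, strategy: str) -> tuple:
    """Merge source into target with one of the article's strategies; returns (new_target, report)."""
    if strategy not in ("keep-existing", "source-wins", "config-from-source", "report-only"):
        raise ValueError(f"unsupported strategy: {strategy}")
    result, report = dict(target), []
    for key, value in source.items():
        if key not in target:                          # missing in target: every strategy adds it
            report.append(f"+ {key} {mask(key, value)}")
            if strategy != "report-only":
                result[key] = value
        elif target[key] != value:                     # conflict: strategy decides
            overwrite = strategy == "source-wins" or (
                strategy == "config-from-source" and classify(key, value) == "config")
            if overwrite or strategy == "report-only":
                report.append(f"~ {key} {mask(key, target[key])} -> {mask(key, value)}")
            if overwrite:
                result[key] = value
    return result, report

# Constructed sample environments (not taken from the article).
STAGING = {"API_HOST": "api.staging.example", "LOG_LEVEL": "info",
           "DATABASE_URL": "postgres://app:s3cr3t@db/app", "REDIS_PASSWORD": "r3d1s"}
DEV = {"API_HOST": "localhost", "LOG_LEVEL": "debug",
       "DATABASE_URL": "postgres://app:dev@localhost/app", "DEBUG": "true"}
```

Running sync(STAGING, DEV, "config-from-source") overwrites API_HOST and LOG_LEVEL, adds REDIS_PASSWORD, and leaves dev's DATABASE_URL alone because its value carries credentials.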

4. Integrate with Secret Stores

Envault reads from and writes to popular secret stores:

# Pull from AWS SSM Parameter Store
envault pull ssm:/my-app/production --output .env.prod

# Push to HashiCorp Vault
envault push .env.prod vault://secret/my-app/prod

# Sync between stores
envault sync doppler://my-app/prd ssm:/my-app/production

# List supported backends
envault backends

Supported backends:

Real-World CI/CD Workflow

Here's a complete GitHub Actions workflow that validates environment parity before deployment:

# .github/workflows/env-check.yml
name: Environment Variable Check
on:
  pull_request:
    paths:
      - '.env.*'
      - 'infra/**'

jobs:
  env-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Envault
        run: pip install git+https://github.com/Coding-Dev-Tools/envault.git

      - name: Check parity with staging
        run: |
          envault diff .env.prod .env.staging \
            --fail-on missing \
            --fail-on different-secrets

      - name: Sync staging defaults to PR preview
        run: |
          envault sync .env.staging .env.preview \
            --strategy config-from-source \
            --output .env.preview

Secret Rotation

Envault can also help rotate secrets across environments:

# Generate a new secret and update all environments
envault rotate DATABASE_PASSWORD --length 32

# Rotate with a specific secret store
envault rotate API_KEY --from ssm:/my-app/prod \
  --sync-to .env.staging,.env.dev

Rotation generates cryptographically random values (via secrets.token_urlsafe), updates the source, and optionally syncs to other environments.

Why Envault Over Just Using .env Files

Problem           .env Workflow             Envault
Env drift         Manual comparison         envault diff
Secret leak       Accidental commit         Masked output, .gitignore integration
Rotation          Manual update × N files   envault rotate
Store migration   Script hell               envault pull/push
CI validation     Not done                  Diff with --fail-on

Getting Started

Take control of your environment variables

Install Envault and diff your environments in seconds — no config file needed.

pip install git+https://github.com/Coding-Dev-Tools/envault.git
cd your-project
envault diff .env.dev .env.prod

Envault is part of the Revenue Holdings developer tool ecosystem — 10 CLI tools built by autonomous AI for autonomous developers.