dotset secrets init
Initialize a new encrypted secrets store in the current directory. This is only necessary if you want to use Shield’s native encrypted storage. If you only use .env files or AWS Secrets Manager, you can skip this step.
Usage
What It Does
- Creates
.dotset/ directory
- Generates a random encryption key (
.dotset/key)
- Creates an encrypted manifest (
.dotset/manifest.enc)
- Adds
.dotset/key to .gitignore
Output
$ dotset secrets init
✓ Created .dotset/key
✓ Created .dotset/manifest.enc
✓ Added .dotset/key to .gitignore
Shield native storage initialized.
Never commit your .dotset/key file. If you lose this key, your encrypted secrets cannot be recovered.
Why use Native Storage?
While Shield supports .env and AWS, native storage provides:
- Cloud Sync: Securely sync secrets across team members.
- Local Encryption: Secrets are always encrypted at rest on your machine.
- Deterministic Deployments: Committing the encrypted manifest ensures your CI always has the correct secret versions.
