dotMage moves your secrets between every machine you code on — laptop, work PC, CI runner. Encrypted on-device before they leave. Your server only ever stores ciphertext.
Encryption and decryption happen entirely on your devices. The server is a dumb, untrusted relay — it stores opaque blobs and metadata, nothing it can read.
Bring your own box — a $5 VPS is plenty. dotMage is a single binary with no external dependencies.
One command pulls the Docker image and starts the server.
Point the CLI at your server's IP and port. You get a device token — no passwords, ever.
Version your .env from any device and pull it down everywhere else. Roll back anytime.
Every push is an immutable, numbered revision with the device and timestamp that made it.
Shipped a bad secret? Roll any environment back to a previous revision instantly.
Inject decrypted env into any process without ever writing it to disk.
Add a second device from anywhere — just the bootstrap secret and your master password. No first device needed. Revoke any machine instantly.
Every auth, push, pull, rollback and revoke is recorded — query it from CLI or the web admin.
One scoped token per app+env. Drop it into GitHub Actions or GitLab CI — secrets are pulled and decrypted in the runner, no auth step needed.
dotMage does one thing: sync .env files, end-to-end encrypted, on infrastructure you own.
| | Self-hosted | E2E (zero-knowledge) | .env-native | No DevOps |
|---|---|---|---|---|
| dotMage | yes | yes | yes | yes |
| HashiCorp Vault | yes | no | no | heavy |
| Doppler | SaaS | sees secrets | yes | yes |
| 1Password CLI | SaaS | yes | passwords | yes |
| git-crypt | in-repo | yes | git-bound | yes |
| sops | files | yes | yaml/json | KMS setup |
Install the CLI, deploy the server, stop pasting .env files into Slack.