The Complete Guide to Backing Up Developer Secrets and Environment Variables (10+ Tools Compared)

Lost your laptop? Lost your .env files forever. This 5000-word guide compares 10+ platforms for backing up, syncing, and managing environment variables across hundreds of public GitHub repositories — with a full cost breakdown for solo developers.

The Complete Guide to Backing Up Developer Secrets and Environment Variables

You can back up your code on GitHub. You can back up your databases. You can back up your Docker images. But what about your .env files — the files that hold the API keys, database passwords, OAuth secrets, and webhook tokens that make everything actually work?

If your laptop crashes tomorrow, those .env files are gone. And unlike code, you cannot just git clone them back. GitHub will not save you here because those files are in your .gitignore — as they should be.

This guide is specifically written for solo developers who maintain hundreds of projects on public GitHub repositories and use AI coding agents to scaffold projects rapidly. You generate .env files constantly. You have Cloudflare API keys, Stripe keys, database URLs, Firebase tokens, OpenAI API keys, Spaceship domain credentials, and dozens of other secrets scattered across your local machine. If you lose that machine, you lose hours — maybe days — recreating everything from scratch.

We will compare 10+ tools and approaches for solving this problem, with exact pricing breakdowns for managing 100+ projects as a single user.


Why This Problem Is Harder Than It Sounds

Before diving into solutions, let us understand why backing up environment variables is uniquely difficult compared to backing up code.

Your Repositories Are Public

Most active developers — especially those building portfolios, open-source tools, or side projects — keep repositories public on GitHub. This is great for visibility, contributions, and portfolio building. But it means you absolutely cannot commit a .env file. Not even an encrypted one (unless the encryption is bulletproof). A single slip-up exposes every API key in that repository to the entire internet.

GitHub's secret scanning can catch known patterns (like AWS keys or Stripe tokens), but by the time it alerts you, bots have already scraped your key and are using it to mine cryptocurrency on your AWS account.

You Have Hundreds of Projects

If you are a prolific developer who builds tools, experiments, client projects, and side businesses, you might have 50 to 300+ repositories. Each one has a unique .env file. Some have 3 variables. Some have 30. Manually tracking all of these is impossible without a system.

AI Coding Agents Make This Worse

Modern AI coding agents like Cursor, Cline, Windsurf, and GitHub Copilot generate entire projects in minutes. They scaffold .env files, populate them with placeholders, and you fill in the real values. The generation speed means you create new .env files far faster than you can back them up manually. Without automation, your secret debt grows with every new project.

The "I'll Remember It" Fallacy

You will not remember where you got that Cloudflare API key. You will not remember which Firebase project that FIREBASE_SERVICE_ACCOUNT_KEY belongs to. You will not remember the webhook signing secret for your Stripe integration. These are not things humans should be expected to memorize or manually track across hundreds of projects.


The 10 Solutions Compared

We evaluated every major approach to solving this problem. For each solution, we cover what it is, how it works, the exact cost for a solo developer with 100+ projects, the setup effort per project, and the critical trade-offs.


1. dotenvx — Encrypted .env Files Committed to Git

What it is: dotenvx is a free, open-source CLI tool (BSD-3 license) created by the original author of the dotenv npm package. It encrypts your .env file values in place using AES-256 encryption with Elliptic Curve keys (secp256k1). The encrypted .env file becomes safe to commit to Git — even to a public repository. The decryption key lives in a separate .env.keys file that you never commit.

How it works:

# Install globally
npm install -g @dotenvx/dotenvx

# Navigate to your project
cd my-project

# Encrypt the .env file
dotenvx encrypt

# Your .env now looks like this:
# DOTENV_PUBLIC_KEY="03a11b..."
# DATABASE_URL="encrypted:BDqK90r..."
# STRIPE_KEY="encrypted:AqZ19p..."

# A .env.keys file is generated with the private key
# Add .env.keys to .gitignore
echo ".env.keys" >> .gitignore

# Run your app (decrypts on the fly in memory)
dotenvx run -- npm run dev

Cost for 100 projects: $0/month. The tool is 100% free and open source. There is no cloud service, no account, no server. Everything is local and Git-based.

Setup effort per project: Very low. Run dotenvx encrypt once per project. Add .env.keys to .gitignore. Done.

Backup strategy: You need to safely store your .env.keys files (one per project). The simplest approach is to copy all private keys into a single encrypted note in your password manager (Bitwarden, 1Password, KeePassXC, or even Apple Notes with encryption).

Trade-offs:

  • You must manage private keys separately. If you lose both your laptop and your private key backup, you lose access to your secrets.
  • No web dashboard. No team sync. No audit logs.
  • Perfect for solo developers. Less ideal for teams.

Verdict: This is the single best option for solo developers with hundreds of public repositories. Zero cost, minimal setup, and your encrypted secrets live right alongside your code in Git. When you clone a project on a new machine, the encrypted .env is already there — you just need the private key.
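The safety of this approach rests on two invariants: every value in a committed .env file is ciphertext, and .env.keys never reaches Git. The following pre-commit guard enforces both; it is an added example, not part of dotenvx or this guide's tooling. The `encrypted:` value prefix and the DOTENV_PUBLIC_KEY name are dotenvx's own format; the hook name, the `--diff-filter` choice and the exemption for `.env.example`/`.env.sample` templates are assumptions.

```python
"""dotenvx pre-commit guard: block commits that would leak plaintext secrets.

Added example, not part of dotenvx. Save as .git/hooks/pre-commit (executable).
"""
import re
import subprocess
import sys
from pathlib import Path

# dotenvx stores ciphertext as KEY="encrypted:<base64>" and adds the public key
# as DOTENV_PUBLIC_KEY (or DOTENV_PUBLIC_KEY_<ENV>), the only plaintext allowed.
ENCRYPTED_RE = re.compile(r"^encrypted:[A-Za-z0-9+/=]+$")
LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Minimal .env parser: KEY=value pairs, optional quotes, comments, blanks."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def find_plaintext_values(text):
    """Names of variables whose value is neither empty nor dotenvx ciphertext."""
    return [
        key
        for key, value in parse_dotenv(text).items()
        if not key.startswith("DOTENV_PUBLIC_KEY")
        and value != ""
        and not ENCRYPTED_RE.match(value)
    ]


def check_staged(paths, read=lambda p: Path(p).read_text(encoding="utf-8")):
    """Return a list of problems for the staged paths; an empty list means OK.

    `read` is injectable so the check can run on constructed content in tests.
    """
    problems = []
    for p in paths:
        name = Path(p).name
        if name == ".env.keys" or name.startswith(".env.keys."):
            problems.append(f"{p}: dotenvx private key file must never be committed")
        elif name.endswith((".example", ".sample")):
            continue  # assumed convention: templates hold placeholders, not secrets
        elif name == ".env" or name.startswith(".env."):
            for key in find_plaintext_values(read(p)):
                problems.append(f"{p}: {key} is plaintext; run `dotenvx encrypt` first")
    return problems


def staged_files():
    """Paths staged for the commit (added, copied, modified or renamed)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.split()


if __name__ == "__main__":
    found = check_staged(staged_files())
    for problem in found:
        print("dotenvx-guard:", problem, file=sys.stderr)
    sys.exit(1 if found else 0)
```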


2. GitHub Repository Secrets (Built into GitHub Actions)

What it is: GitHub provides an encrypted secrets store built into every repository. You can store up to 500 secrets per repository and 100 secrets per environment. These secrets are automatically injected into GitHub Actions workflows.

How it works: You navigate to your repository → Settings → Secrets and Variables → Actions → New Repository Secret. You add your key-value pairs manually through the web UI or via the GitHub CLI:

# Using GitHub CLI
gh secret set DATABASE_URL --body "postgres://user:pass@host/db"
gh secret set STRIPE_KEY --body "sk_live_xxxx"

Cost for 100 projects: $0/month. GitHub Secrets are completely free for all repositories — public and private — on all GitHub plans including Free.

Setup effort per project: Medium. You must manually add each secret through the web UI or CLI. There is no "import from .env" button. For 100 projects with 10 secrets each, that is 1,000 individual secret entries.

Backup strategy: GitHub Secrets are write-only. Once stored, you cannot read them back. GitHub explicitly warns: "Secret values are not exportable." This means GitHub Secrets are not a backup solution by themselves — they are a deployment injection mechanism. You still need the original values stored somewhere else.

Trade-offs:

  • Secrets cannot be exported or viewed after creation. This is a security feature, but it means you cannot "restore" from GitHub Secrets alone.
  • Only useful for CI/CD workflows (GitHub Actions). You cannot pull these secrets into your local development environment.
  • Excellent as a secondary storage mechanism, but terrible as your primary backup.

Verdict: Use GitHub Secrets for your CI/CD pipelines, but do not treat them as your primary backup. You still need a separate source of truth.


3. Doppler — Managed SaaS Secrets Platform

What it is: Doppler is a proprietary, fully-managed SaaS platform designed to be the "single source of truth" for all your application secrets. It provides a beautiful web dashboard, a CLI tool, and native integrations with almost every hosting platform.

How it works:

# Install CLI (Windows; Doppler ships its own scoop bucket)
scoop bucket add doppler https://github.com/DopplerHQ/scoop-doppler.git
scoop install doppler

# Login
doppler login

# Set up a project
doppler setup

# Run your app with injected secrets
doppler run -- npm run dev

Cost for 100 projects:

  • Free (Developer) Plan: Limited to 10 projects, 4 environments per project, 3 users, 3-day activity log retention. If you have 100 projects, you cannot use the free plan.
  • Team Plan: $21/user/month. Supports up to 250 projects. For a single user: $21/month ($252/year).
  • Enterprise Plan: Custom pricing. Up to 1,000+ projects.

For a solo developer with 100+ projects, Doppler costs $252/year minimum.

Setup effort per project: Very low once configured. The CLI automates everything. But initial migration (importing secrets from local .env files into Doppler's dashboard) requires manual entry or scripting.

Backup strategy: Doppler IS the backup. Your secrets live in Doppler's cloud infrastructure. If you lose your laptop, you log into Doppler from your new machine and everything is there.

Trade-offs:

  • Costs money at scale. $252/year is not terrible, but it is not free.
  • Your secrets are stored on someone else's servers. You must trust Doppler's security.
  • Excellent developer UX and integrations.
  • Vendor lock-in risk.

Verdict: Doppler is the gold standard for developer experience. If you can afford $21/month and trust a SaaS provider with your secrets, it is hard to beat. But for a cost-conscious solo developer, it is expensive compared to free alternatives.


4. Infisical Cloud — Open-Source-Backed SaaS Platform

What it is: Infisical is an open-source (MIT licensed) secrets management platform. They offer both a managed cloud service and a self-hosted option.

How it works:

# Install CLI (Windows; Infisical ships its own scoop bucket)
scoop bucket add org https://github.com/Infisical/scoop-infisical.git
scoop install infisical

# Login
infisical login

# Initialize project
infisical init

# Run with injected secrets
infisical run -- npm run dev

Cost for 100 projects (Cloud):

  • Free Plan: Limited to 3 projects and 5 identities. Completely inadequate for 100+ projects.
  • Pro Plan: $18/identity/month. For a single user with machine identities for CI/CD, expect at least $18-36/month ($216-432/year).

For a solo developer with 100+ projects using Infisical Cloud, expect to pay $216-432/year.

Setup effort per project: Very low. Similar to Doppler.

Trade-offs:

  • The cloud plan has severe free-tier limits (3 projects).
  • Self-hosting is free (covered separately below).
  • Beautiful dashboard and excellent CLI.

Verdict: Infisical Cloud is too expensive for a solo developer with 100+ projects unless you self-host (see Approach 5).


5. Self-Hosted Infisical — Your Own Secrets Server

What it is: Since Infisical is open-source (MIT), you can run the entire platform on your own server. Self-hosted Infisical has no artificial project limits, no user limits, and no identity limits. You get the same premium web dashboard and CLI experience as the cloud version, but you control the infrastructure.

How it works: You deploy Infisical via Docker Compose on a cheap VPS:

# docker-compose.yml (simplified)
services:
  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: infisical
      POSTGRES_PASSWORD: your_db_password
      POSTGRES_DB: infisical
    volumes:
      - pgdata:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine

  infisical:
    image: infisical/infisical:latest
    environment:
      - DB_CONNECTION_URI=postgres://infisical:your_db_password@db/infisical
      - REDIS_URL=redis://redis:6379
      - ENCRYPTION_KEY=your_256_bit_hex_key
      - AUTH_SECRET=your_jwt_secret
      - SITE_URL=https://secrets.yourdomain.com
    ports:
      - "8080:8080"
    depends_on:
      - db
      - redis

volumes:
  pgdata:

Then point your CLI to your self-hosted instance:

infisical login --domain https://secrets.yourdomain.com

Cost for 100 projects:

  • VPS: $3.50 to $5/month (Hetzner CX22, DigitalOcean Basic Droplet, or OVH VPS).
  • Domain: You already own one (or use a subdomain).
  • Software: $0. Open-source MIT license.
  • Total: $42-60/year.

Setup effort per project: Medium initially (30 minutes to set up the VPS and Docker). Low ongoing (same CLI workflow as Infisical Cloud).

Backup strategy: Back up the PostgreSQL database. A simple cron job dumping the database to an encrypted file on cloud storage (S3, R2, or even Google Drive) is sufficient.

Trade-offs:

  • You are responsible for server maintenance, updates, and backups.
  • If your VPS goes down, you temporarily lose access to your secrets dashboard (but your apps still run because secrets are injected at build/deploy time).
  • Incredible value for the price.

Verdict: The best cost-to-feature ratio for developers who want a premium dashboard experience. $42-60/year for unlimited projects with a Doppler-like interface.


6. SOPS + age — Encrypted Files in Git (Mozilla's Approach)

What it is: SOPS (Secrets OPerationS) was originally created by Mozilla. It encrypts the values in structured files (YAML, JSON, ENV, INI) while keeping the keys visible. Combined with age (a modern, simple encryption tool), it provides a completely free, Git-native secrets management workflow.

How it works:

# Install (Windows via scoop)
scoop install sops age

# Generate an age key
age-keygen -o age-key.txt
# Output: public key: age1xxxxxx

# Create .sops.yaml in your repo root
cat > .sops.yaml << EOF
creation_rules:
  - path_regex: \.env.*
    age: 'age1xxxxxx'
EOF

# Encrypt your .env file
sops --encrypt .env > .env.enc

# Decrypt at runtime
sops exec-env .env.enc 'npm run dev'

Cost for 100 projects: $0/month. Completely free and open source.

Setup effort per project: Medium-High. You need to create a .sops.yaml config, encrypt each file individually, and remember to decrypt before running. More ceremony than dotenvx.

Backup strategy: Same as dotenvx — store your age-key.txt (private key) in a password manager. The encrypted .env.enc files live in Git.

Trade-offs:

  • More complex than dotenvx. Requires understanding of SOPS configuration.
  • Powerful for structured files (YAML, JSON) but slightly awkward for flat .env files.
  • Industry-proven (used by Mozilla, GitOps teams, Kubernetes operators).
  • Can use cloud KMS (AWS, GCP, Azure) instead of age for key management.

Verdict: Excellent for DevOps-savvy developers. More powerful than dotenvx but with higher setup complexity. Great if you also need to encrypt Kubernetes manifests or Terraform variables.


7. git-crypt — Transparent Git Encryption

What it is: git-crypt enables transparent encryption and decryption of files in a Git repository. Once configured, files are automatically encrypted when pushed and decrypted when pulled. You work with plaintext locally but the remote repository only ever sees ciphertext.

How it works:

# Install
scoop install git-crypt

# Initialize in your repo
git-crypt init

# Define which files to encrypt via .gitattributes
echo ".env filter=git-crypt diff=git-crypt" >> .gitattributes

# Export the symmetric key (for backup)
git-crypt export-key ./git-crypt-key

# Now just use git normally
git add .env
git commit -m "add encrypted env"
git push

On a new machine, you unlock with:

git-crypt unlock ./git-crypt-key

Cost for 100 projects: $0/month. Completely free and open source (GPL-3.0).

Setup effort per project: Low-Medium. Run git-crypt init, add a .gitattributes entry, and export the key. But you need one symmetric key per repository (or use GPG keys to share across repos).

Backup strategy: Store the git-crypt-key file for each repository in your password manager. Alternatively, use a single GPG key across all repositories.

Trade-offs:

  • Transparent workflow — you do not need to change how you run your application. No dotenvx run or sops exec-env wrapper needed.
  • The .env file appears as encrypted binary garbage on GitHub, which is fine for private repos but looks odd on public ones.
  • Uses GPG for key management, which has a notoriously poor UX.
  • Does not work with GitHub's web editor or pull request diffs for encrypted files.

Verdict: Perfect for developers who want zero workflow changes. You just git add .env and push. But the GPG dependency and per-repo key management adds friction at scale.


8. Bitwarden Secrets Manager — Password Manager for Developers

What it is: Bitwarden, the popular open-source password manager, offers a dedicated "Secrets Manager" product designed for storing and injecting application secrets.

How it works: You create secrets in the Bitwarden web vault under the Secrets Manager section, then use the Bitwarden CLI or SDK to fetch them in your application or CI/CD pipeline.

# Install the Secrets Manager CLI (bws is a separate binary from the bw
# password-manager CLI in @bitwarden/cli; also available as a release download)
cargo install bws

# Authenticate with a machine-account access token created in the web vault
export BWS_ACCESS_TOKEN="<access-token>"

# Retrieve a secret
bws secret get <secret-id>

# Or inject into a process (via wrapper script)

Cost for 100 projects:

  • Free Plan: 2 users, 3 projects, 3 machine accounts, unlimited secrets. Not enough for 100 projects.
  • Teams Plan: $6/user/month. Unlimited projects, 20 machine accounts. For a single user: $6/month ($72/year).
  • Enterprise Plan: $12/user/month.

For a solo developer with 100+ projects: $72/year on the Teams plan.

Setup effort per project: Medium. You need to create secrets in the web vault and reference them in your application. There is no "import .env file" feature — each secret is entered individually.

Trade-offs:

  • Cheapest paid SaaS option ($72/year vs Doppler's $252/year).
  • Open source (AGPL) — you can self-host via Vaultwarden for the password manager, but Secrets Manager is not included in Vaultwarden.
  • Less polished developer experience compared to Doppler or Infisical.
  • Good if you already use Bitwarden as your personal password manager.

Verdict: The most affordable paid SaaS option. Good value if you want a managed service without Doppler's price tag.


9. 1Password Developer Tools — Premium Password Manager CLI

What it is: 1Password offers a CLI (op) and SDK that allows you to reference secrets stored in your 1Password vault directly in configuration files and inject them at runtime.

How it works: You create an .env.tpl template file that references 1Password items:

# .env.tpl (committed to Git — contains no real secrets)
DATABASE_URL="op://Development/MyDB/url"
STRIPE_KEY="op://Development/Stripe/secret-key"
CLOUDFLARE_API="op://Development/Cloudflare/api-key"

Then inject at runtime:

op run --env-file=.env.tpl -- npm run dev

Cost for 100 projects:

  • Individual Plan: $2.99/month ($35.88/year). Includes CLI, SSH agent, and secrets injection.
  • Families Plan: $4.99/month.
  • Business Plan: $7.99/user/month.

There are no project limits. Secrets are organized as vault items, and you can have unlimited items on any plan.

For a solo developer: $35.88/year.

Setup effort per project: Medium. You create a .env.tpl file referencing 1Password items. You need to organize your 1Password vault with entries for each project's secrets.

Backup strategy: 1Password IS the backup. Your secrets sync across all your devices automatically. If you lose your laptop, you log into 1Password on your new machine and everything is there.

Trade-offs:

  • Requires a paid 1Password subscription.
  • Excellent UX — 1Password is arguably the best password manager.
  • The op:// reference syntax in template files is elegant and readable.
  • No project limits at all — organize however you want inside vaults.
  • Cross-platform (Windows, macOS, Linux, iOS, Android).

Verdict: If you already pay for 1Password (which many developers do), this is essentially free. The developer tooling is excellent and there are zero project limits. One of the best overall solutions.


10. KeePassXC + keeenv — Fully Offline, Fully Free

What it is: KeePassXC is a free, open-source, offline password manager. Combined with keeenv (a community wrapper), you can use your KeePass database as a local secrets store and inject environment variables at runtime.

How it works:

# Install keeenv
pip install keeenv

# Create a .keeenv config in your project
cat > .keeenv << EOF
database: ~/secrets.kdbx
mappings:
  DATABASE_URL: Development/MyProject/database-url
  STRIPE_KEY: Development/MyProject/stripe-key
EOF

# Run your app
keeenv run -- npm run dev

Cost for 100 projects: $0/month. Completely free and open source.

Setup effort per project: Medium. You need to create entries in your KeePass database and write a .keeenv mapping file per project.

Backup strategy: Back up your .kdbx database file. KeePassXC databases are encrypted with AES-256. You can safely store copies on Google Drive, OneDrive, Dropbox, or an external SSD.

Trade-offs:

  • Fully offline — no cloud dependency whatsoever.
  • Your KeePass database is your single source of truth.
  • Cross-platform (Windows, macOS, Linux).
  • No web dashboard or team sync.
  • Requires discipline to keep the database organized.
  • The keeenv tool is community-maintained, not as polished as Doppler or Infisical CLI.

Verdict: The ultimate privacy-first solution. No cloud, no accounts, no subscriptions. Your secrets live in an encrypted database on your own hardware (backed up to wherever you choose).


11. AWS Systems Manager Parameter Store — Cloud-Native Free Tier

What it is: AWS SSM Parameter Store provides free, serverless storage for configuration data and secrets. Standard parameters (up to 4KB) are completely free, with a limit of 10,000 parameters per AWS region.

How it works:

# Store a secret
aws ssm put-parameter \
  --name "/myproject/DATABASE_URL" \
  --value "postgres://user:pass@host/db" \
  --type SecureString

# Retrieve a secret
aws ssm get-parameter \
  --name "/myproject/DATABASE_URL" \
  --with-decryption \
  --query "Parameter.Value" \
  --output text

You can write a simple wrapper script to pull all parameters for a project namespace and inject them as environment variables:

#!/bin/bash
# pull-env.sh - usage: ./pull-env.sh npm run dev
set -euo pipefail

# The query output is tab-separated "Name<TAB>Value". Read it line by line
# instead of eval-ing it so values containing spaces or shell metacharacters
# stay intact, and export each variable explicitly: a plain NAME=value
# assignment would not be inherited by the exec'd command.
while IFS=$'\t' read -r name value; do
  export "${name##*/}=$value"
done < <(aws ssm get-parameters-by-path \
  --path "/myproject/" \
  --with-decryption \
  --query "Parameters[*].[Name,Value]" \
  --output text)

exec "$@"

Cost for 100 projects:

  • Standard Parameters: $0/month. Up to 10,000 parameters per region. If each project has 10 secrets, 100 projects = 1,000 parameters. Well within the free limit.
  • KMS Encryption: Default AWS-managed KMS key is free. Customer-managed keys cost $1/month per key.
  • Total: $0-1/month ($0-12/year).

Setup effort per project: Medium-High. Requires AWS account setup, IAM configuration, and CLI tooling. More complex than dotenvx or Doppler.

Trade-offs:

  • Free and virtually unlimited at solo developer scale.
  • Requires an AWS account (free tier available).
  • More complex setup than developer-focused tools.
  • Secrets are tied to AWS — vendor lock-in.
  • No pretty dashboard for secrets management (use AWS Console).

Verdict: An excellent free option if you are already in the AWS ecosystem. Overkill if you do not use AWS for anything else.


12. Plain Password Manager + Manual Workflow

What it is: The simplest possible approach — store your .env file contents as secure notes or entries in any password manager you already use.

How it works: For each project, create a secure note titled "MyProject .env" and paste the entire .env file contents into it. When you set up a new machine, find the note, copy the contents, and paste them into a new .env file.

Cost for 100 projects:

  • Bitwarden (free plan): $0/month. Unlimited vault items.
  • KeePassXC: $0/month. Completely offline.
  • Apple Keychain / iCloud Keychain: $0/month (if you use Apple devices).
  • Google Password Manager: $0/month.

Setup effort per project: Very low (copy-paste). But very high ongoing effort (manual sync, no automation, no runtime injection).

Backup strategy: The password manager IS the backup.

Trade-offs:

  • Zero automation. Every time you update a secret, you must manually update the password manager entry.
  • No runtime injection — you must manually create .env files on each machine.
  • Error-prone at scale. You will forget to update entries.
  • But it works. And it is free. And it is simple.

Verdict: The "good enough" solution for developers who do not want to learn any new tools. Better than nothing, but you will hate it at 50+ projects.


The Full Cost Comparison

Here is every solution ranked by annual cost for a solo developer managing 100+ projects:

Rank | Solution                  | Annual Cost | Project Limit     | Setup Effort     | Automation Level
-----|---------------------------|-------------|-------------------|------------------|----------------------------
1    | dotenvx                   | $0          | Unlimited         | Very Low         | High (CLI injection)
2    | git-crypt                 | $0          | Unlimited         | Low-Medium       | Very High (transparent)
3    | SOPS + age                | $0          | Unlimited         | Medium-High      | High (CLI injection)
4    | KeePassXC + keeenv        | $0          | Unlimited         | Medium           | Medium (CLI injection)
5    | Password Manager (manual) | $0          | Unlimited         | Very Low         | None (manual copy-paste)
6    | GitHub Secrets            | $0          | 500/repo          | Medium           | CI/CD only
7    | AWS Parameter Store       | $0-12       | 10,000/region     | High             | High (CLI/SDK)
8    | 1Password CLI             | $36         | Unlimited         | Medium           | High (op run)
9    | Self-Hosted Infisical     | $42-60      | Unlimited         | Medium (initial) | Very High (dashboard + CLI)
10   | Bitwarden Secrets Mgr     | $72         | Unlimited (Teams) | Medium           | Medium (CLI/SDK)
11   | Doppler                   | $252        | 250 (Team)        | Very Low         | Very High (dashboard + CLI)
12   | Infisical Cloud           | $216-432    | Unlimited (Pro)   | Very Low         | Very High (dashboard + CLI)

After evaluating all 12 approaches, here is the setup I recommend for a solo developer maintaining 100+ public GitHub repositories:

Primary: dotenvx (Free, Git-Native Encryption)

Use dotenvx as your primary tool. Here is why:

  1. Zero cost. No subscriptions, no servers, no accounts.
  2. Zero infrastructure. No Docker, no VPS, no cloud services.
  3. Minimal per-project setup. One command: dotenvx encrypt.
  4. Works with public repos. Encrypted values are safe to commit.
  5. AI-agent compatible. AI coding agents can work with .env files normally. You just encrypt before committing.
  6. Backup is trivial. Private keys can be stored in any password manager.

Secondary: Password Manager for Private Key Storage

Use Bitwarden (free), KeePassXC (free), or 1Password ($36/year) to store your dotenvx private keys. Create one entry per project with the DOTENV_PRIVATE_KEY value. This is your disaster recovery plan.

Tertiary: GitHub Secrets for CI/CD

Use GitHub Secrets to inject environment variables into your GitHub Actions workflows. This keeps your CI/CD pipeline working without exposing secrets in workflow files.


Migrating Hundreds of Projects Automatically

If you have 100+ existing projects with local .env files, here is a PowerShell script to migrate them all to dotenvx in one shot:

# migrate-to-dotenvx.ps1
# Run from your main development directory

$DevDir = "C:\Users\chira\OneDrive\GitHub"
$KeyBackup = "C:\Users\chira\OneDrive\dotenvx-keys-backup.txt"

# Clear or create the key backup file
"# dotenvx Private Key Backup - $(Get-Date)" |
  Out-File -FilePath $KeyBackup -Encoding utf8

Get-ChildItem -Path $DevDir -Directory | ForEach-Object {
    $RepoPath = $_.FullName
    $DotEnv = Join-Path $RepoPath ".env"
    $GitFolder = Join-Path $RepoPath ".git"

    if ((Test-Path $DotEnv) -and (Test-Path $GitFolder)) {
        Write-Host "`nMigrating: $($_.Name)" -ForegroundColor Cyan

        Push-Location $RepoPath

        try {
            # Encrypt the .env file
            npx @dotenvx/dotenvx encrypt 2>$null

            # Extract the private key
            $KeysFile = Join-Path $RepoPath ".env.keys"
            if (Test-Path $KeysFile) {
                $PrivateKey = Get-Content $KeysFile |
                  Where-Object { $_ -match "DOTENV_PRIVATE_KEY" }

                # Append to backup file
                "`n## $($_.Name)" |
                  Out-File -FilePath $KeyBackup -Append -Encoding utf8
                $PrivateKey |
                  Out-File -FilePath $KeyBackup -Append -Encoding utf8
            }

            # Ensure .env.keys is in .gitignore (create the file if the repo has none,
            # otherwise a later "git add ." would stage the private key)
            $GitIgnore = Join-Path $RepoPath ".gitignore"
            $content = if (Test-Path $GitIgnore) { Get-Content $GitIgnore -Raw } else { "" }
            if ($content -notmatch "\.env\.keys") {
                "`n.env.keys" |
                  Out-File -FilePath $GitIgnore -Append -Encoding utf8
            }

            # Stage and commit
            git add .env .gitignore 2>$null
            git commit -m "chore: encrypt env variables with dotenvx" 2>$null

            Write-Host "  Done!" -ForegroundColor Green
        }
        catch {
            Write-Host "  Failed: $_" -ForegroundColor Red
        }
        finally {
            Pop-Location
        }
    }
}

Write-Host "`nMigration complete!" -ForegroundColor Green
Write-Host "Key backup saved to: $KeyBackup" -ForegroundColor Yellow
Write-Host "IMPORTANT: Move this file to your password manager and delete it from disk!" -ForegroundColor Red

This script:

  1. Finds every Git repository with a .env file.
  2. Encrypts it with dotenvx.
  3. Extracts the private key and appends it to a consolidated backup file.
  4. Updates .gitignore to exclude .env.keys.
  5. Commits the changes.

After running, move the backup file into your password manager and delete it from disk.
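The recovery half of that migration, as an added example (not part of dotenvx or the script above): it parses the consolidated backup file the PowerShell script writes (a `## repo-name` header followed by the DOTENV_PRIVATE_KEY line) and drops a .env.keys file into each freshly cloned repository, skipping repositories that are not cloned yet and refusing to overwrite an existing key file unless --force is given. The script name restore-keys.py and the `.git` presence check are assumptions.

```python
"""restore-keys.py: recreate per-repo .env.keys files from the consolidated backup.

Added example, not part of dotenvx.
Usage: python restore-keys.py <dotenvx-keys-backup.txt> <dev-dir> [--force]
"""
import re
import sys
from pathlib import Path

# Backup layout written by the migration script:
#   # dotenvx Private Key Backup - <date>
#   ## <repo-name>
#   DOTENV_PRIVATE_KEY="<hex>"        (DOTENV_PRIVATE_KEY_<ENV> for other envs)
HEADER_RE = re.compile(r"^## (.+?)\s*$")
KEY_RE = re.compile(r"^DOTENV_PRIVATE_KEY[A-Z0-9_]*=.+$")


def parse_key_backup(text):
    """Map repo name -> list of DOTENV_PRIVATE_KEY* lines recorded for it."""
    repos, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            repos.setdefault(current, [])
        elif current is not None and KEY_RE.match(line):
            repos[current].append(line)
    return repos


def restore_keys(backup_text, dev_dir, force=False):
    """Write .env.keys into each cloned repo; return (written, skipped) lists.

    `skipped` holds (repo, reason) pairs so the operator can see what is missing.
    """
    written, skipped = [], []
    root = Path(dev_dir)
    for repo, lines in parse_key_backup(backup_text).items():
        repo_dir = root / repo
        target = repo_dir / ".env.keys"
        if not lines:
            skipped.append((repo, "no private key recorded"))
        elif not (repo_dir / ".git").exists():   # plain dir or worktree file
            skipped.append((repo, "repository not cloned here"))
        elif target.exists() and not force:
            skipped.append((repo, ".env.keys already exists"))
        else:
            target.write_text("\n".join(lines) + "\n", encoding="utf-8")
            try:
                target.chmod(0o600)   # owner-only; effectively a no-op on Windows
            except OSError:
                pass
            written.append(repo)
    return written, skipped


if __name__ == "__main__":
    # utf-8-sig tolerates the BOM that Windows PowerShell's -Encoding utf8 adds
    backup = Path(sys.argv[1]).read_text(encoding="utf-8-sig")
    done, missed = restore_keys(backup, sys.argv[2], force="--force" in sys.argv)
    print(f"restored {len(done)} key file(s)")
    for repo, why in missed:
        print(f"skipped {repo}: {why}")
```

Run it once after cloning your repositories on the new machine, then delete the backup file again; the keys belong in the password manager, not on disk.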


Frequently Asked Questions

"Can I just commit my .env to a private GitHub repo?"

No. Private repos can be leaked through compromised accounts, third-party integrations, forking, or accidental visibility changes. GitHub itself warns against storing secrets in private repos. Plus, GitHub employees technically have access to private repository contents.

"What about encrypted ZIP files on Google Drive?"

This works as a manual backup but has zero automation. You must manually re-zip and re-upload every time you change a secret. At 100+ projects, this becomes unmanageable within days.

"Is dotenvx safe for public repos?"

Yes. The encryption uses AES-256 with ECIES key exchange. Without the private key, the encrypted values are computationally infeasible to decrypt. The public key (visible in the .env file) cannot be used to derive the private key.

"What if I lose my dotenvx private key?"

Then the encrypted secrets in that repository are unrecoverable. This is why storing private keys in a password manager (which syncs to the cloud) is critical. Treat your private key backup with the same seriousness as your SSH keys.

"Which password manager should I use for key backup?"

  • Bitwarden (free plan): Best free option. Cloud-synced, open source, unlimited vault items.
  • KeePassXC (free): Best offline option. No cloud dependency.
  • 1Password ($36/year): Best premium option. Incredible UX, developer CLI integration.

"Can AI coding agents work with dotenvx?"

Yes. AI agents like Cursor, Windsurf, and Cline read .env files normally during development. The encrypted file is decrypted in memory when you run dotenvx run -- [command]. The agents do not need to know about the encryption layer.


Conclusion

The problem of backing up developer secrets is one of those things that feels trivial until it isn't. You will not think about it until your SSD dies, your laptop is stolen, or Windows decides to factory-reset itself. And then you will spend days recreating API keys, regenerating tokens, and re-authenticating with every service.

The solution is straightforward:

  1. Use dotenvx to encrypt your .env files and commit them safely to Git — even to public repositories.
  2. Store your private keys in a free password manager like Bitwarden.
  3. Use GitHub Secrets for CI/CD injection.

This setup costs $0/month, scales to hundreds of projects, requires minimal per-project setup, and gives you complete disaster recovery. If your laptop vanishes tomorrow, you clone your repos, pull your private keys from Bitwarden, and you are back to coding within minutes.

Your code is backed up. Your databases are backed up. Now your secrets should be too.
