Comparison

envsec vs dotenv vs 1Password CLI

Three approaches to managing secrets. One stores them in plaintext files, one locks them in the cloud, and one keeps them in your OS.

At a glance

Capability | envsec | dotenv | 1Password
Secrets encrypted at rest
No plaintext files on disk
OS-level access control
Works offline
No account or subscription
Built-in secret rotation audit
Context-based organization
GPG-encrypted sharing
Interactive TUI
Saved command templates
Team management & RBAC
Zero config to start*
Works with existing .env files
Framework agnostic
Open source

* macOS and Windows only. Linux requires libsecret-tools and an active D-Bus session.

= partial support or requires additional setup.

envsec requires Node.js ≥ 22. dotenv supports Node.js ≥ 12. 1Password CLI is a standalone binary.

Migrate from dotenv in 60 seconds

Already using .env files? envsec imports them directly.

terminal

# Import your existing .env file
$ envsec -c myapp.dev load
✔ Done: 12 added, 0 overwritten, 0 skipped

# Keys are converted from UPPER_SNAKE_CASE to dotted.lowercase
# and stored in your OS credential store.
# The original .env file can be deleted.

# To generate a .env file at any time:
$ envsec -c myapp.dev env-file
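
A check worth running before the imported .env file is deleted, as an added example that is not part of envsec or of the original page: it lists .env-style files that Git currently tracks, that were ever committed on any ref, or that no ignore rule covers. The function names and the filename patterns are assumptions, and the sample repository is constructed.

```shell
#!/bin/sh
# Added example, not envsec code. Assumption: dotenv files match '*.env' or
# '*.env.*' (.env, .env.prod, api.env, ...); adjust the patterns to your naming.

# Tracked right now: these paths are in the index and go out with every push.
tracked_env_files() { git -C "$1" ls-files -- '*.env' '*.env.*'; }

# Added on any ref at some point, even if deleted since. Removing the file does
# not remove it from history, so these values should be rotated.
env_files_in_history() {
  git -C "$1" log --all --diff-filter=A --name-only --format= -- '*.env' '*.env.*' |
    sed '/^$/d' | sort -u
}

# In the work tree, untracked and not matched by any ignore rule.
unignored_env_files() {
  git -C "$1" ls-files --others --exclude-standard -- '*.env' '*.env.*'
}

# Print every non-empty class; return 1 if anything was found, 0 if clean.
audit_env_leaks() {
  rc=0
  for check in tracked_env_files env_files_in_history unignored_env_files; do
    hits=$("$check" "$1")
    if [ -n "$hits" ]; then
      rc=1
      printf '%s:\n%s\n' "$check" "$hits" | sed '2,$s/^/  /'
    fi
  done
  return "$rc"
}

# Constructed sample repo: api.env tracked, .env.prod committed then removed,
# .env.local untracked and unignored, .env covered by .gitignore.
make_sample_repo() {
  d=$(mktemp -d)
  g="git -C $d -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"
  {
    $g init -q
    for f in .env .env.prod .env.local api.env; do echo 'DB_PASSWORD=constructed' > "$d/$f"; done
    echo '.env' > "$d/.gitignore"
    $g add .gitignore .env.prod api.env && $g commit -qm 'add config'
    $g rm -q .env.prod && $g commit -qm 'remove prod env'
  } >/dev/null 2>&1
  echo "$d"
}

# Audit the repository given as $1, or the constructed sample when none is given.
audit_env_leaks "${1:-$(make_sample_repo)}" || echo 'found: review the paths above'
```

Pass a repository path as the first argument to audit your own project; the exit status of `audit_env_leaks` makes it usable as a CI gate.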

Run your app with secrets injected

terminal

# Start a shell with all secrets as env vars
$ envsec -c myapp.dev shell
● envsec shell — context: myapp.dev (12 secrets loaded)
$ npm run dev

Or use the SDK — no .env file, no shell wrapper

@envsec/sdk

import { loadSecrets } from "@envsec/sdk";

await loadSecrets({
  context: "myapp.dev",
  inject: true
});

dotenv

import dotenv from "dotenv";

dotenv.config();
// reads plaintext .env

op CLI

# inject via secret refs
op run -- node app.js

# or read a single secret
op read op://vault/item/key

Feature by feature

Secret storage

envsec: OS native credential store (Keychain, GNOME Keyring, Credential Manager)
dotenv: Plaintext .env files on disk (dotenvx adds per-file encryption)
1Password CLI: 1Password cloud vault (AES-256 encrypted)

Encryption at rest

envsec: Handled by OS — battle-tested, hardware-backed on macOS
dotenv: None (dotenv) / ECIES per-file (dotenvx)
1Password CLI: AES-256 in 1Password cloud, dual-key derivation

Secrets on disk

envsec: Never — values go straight to OS credential store
dotenv: .env files are plaintext by default
1Password CLI: Never locally — fetched at runtime from cloud

Git leak risk

envsec: Zero — secrets never exist as files
dotenv: High — requires .gitignore discipline
1Password CLI: Zero — secrets live in cloud vault

Offline access

envsec: Full — secrets are local in OS store
dotenv: Full — files are local
1Password CLI: Requires network (cached items available offline in app)

Account / subscription

envsec: None — free, open source, no signup
dotenv: Free and open source
1Password CLI: Paid — from ~$3/mo individual, ~$8/user/mo business

Multi-environment

envsec: Built-in contexts (myapp.dev, myapp.prod, …)
dotenv: Manual file management (.env.dev, .env.prod, …)
1Password CLI: Vaults and items, 1Password Environments (beta)

Secret search

envsec: Glob search across all contexts and keys
dotenv: grep through files
1Password CLI: op item list with --tags / --category filtering

Expiry & audit

envsec: Set TTL on secrets, audit for expired credentials and tracked .env files
dotenv: Not supported
1Password CLI: Watchtower (in app, not CLI)

Team sharing

envsec: GPG-encrypted export/import
dotenv: Git-based sharing with encrypted .env (dotenvx)
1Password CLI: Built-in vault sharing, RBAC, team provisioning, audit logs

Shell integration

envsec: eval $(envsec env) — supports bash, zsh, fish, PowerShell
dotenv: source .env or framework-specific loaders
1Password CLI: op run --env-file, shell plugins with biometric auth

Command runner

envsec: {key} placeholders + --inject env vars — secrets never in ps output or history
dotenv: dotenvx run -- cmd injects from encrypted .env
1Password CLI: op run -- cmd injects via secret references (op://Vault/Item/field)

Interactive shell session

envsec: envsec shell — scoped subshell with auto-cleanup
dotenv: Not built-in
1Password CLI: Not built-in

Saved commands

envsec: envsec cmd — save, list, search, run, delete
dotenv: Not built-in
1Password CLI: Not built-in

Move / copy / rename

envsec: move, copy, rename between contexts with metadata preserved
dotenv: Manual file editing
1Password CLI: op item move between vaults, op item edit

Interactive TUI

envsec: envsec tui — full-screen terminal UI for all operations
dotenv: Not built-in
1Password CLI: Not built-in (desktop app is GUI)

Health diagnostics

envsec: envsec doctor — checks platform, keychain, DB integrity
dotenv: Not built-in
1Password CLI: Not built-in

Shell completions

envsec: Dynamic — contexts, keys, commands for bash, zsh, fish
dotenv: Not built-in
1Password CLI: Static completions for bash, zsh, fish, PowerShell

SDK / programmatic access

envsec: @envsec/sdk for Node.js / Bun
dotenv: require('dotenv').config() — core use case
1Password CLI: 1Password SDKs for Node.js, Python, Go, and more

Cross-platform

envsec: macOS, Linux, Windows — auto-detected backend
dotenv: File-based, works everywhere but no OS integration
1Password CLI: macOS, Linux, Windows

.env compatibility

envsec: Import from and export to .env files on demand
dotenv: Native format — .env files are the source of truth
1Password CLI: op inject --out-file for config file templating

Biometric auth

envsec: Inherits OS biometrics (e.g. macOS Keychain unlock)
dotenv: None
1Password CLI: Fingerprint / Touch ID via app integration and shell plugins

Three tools, three trade-offs

dotenv is the simplest approach — files on disk, zero setup. 1Password CLI is the most feature-rich for teams with cloud sync, RBAC, and audit logs — but requires a paid subscription. envsec sits in between: OS-native encryption with zero accounts, zero cloud dependencies, and a developer-focused workflow that goes beyond what .env files can do. It imports your existing .env files and can generate them on demand, so you keep full compatibility while gaining encryption, audit trails, and team sharing.