Export or delete a vault
Take your secrets out
notenv export prints a namespace as a .env file to standard output, the
inverse of import:
notenv export > backup.env # one namespace
notenv export --all > all.env # every namespace in the vault
It asks for the vault's primary passphrase even when your session is cached, because this is plaintext leaving the vault on purpose. It also refuses to run without a terminal (a machine cannot export). notenv never writes the file itself; you redirect it.
The output is for notenv import, not for the shell's source command: values are
written literally, so a value containing $(...) or backticks is just data to
notenv, but a shell that sourced the file would execute it. Round-trip a
namespace with notenv export | notenv import.
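Why an exported file should be parsed rather than sourced, as an added example that is not notenv's own code: it assumes the export is plain KEY=VALUE lines (the page does not specify quoting), the sample values are constructed, and the function names are hypothetical. The allowlist check goes beyond the two constructs named above and flags any character a shell could act on.

```shell
# Added example, not notenv code. Assumes plain KEY=VALUE lines, one per line.

# Constructed sample data: two values contain shell syntax that is only data.
sample_env() {
  printf '%s\n' \
    'API_URL=https://example.invalid/v1' \
    'DB_PASS=pa$(echo INJECTED)ss' \
    'NOTE=`echo INJECTED`'
}

# Print one key's value byte for byte; the value is never evaluated.
literal_value() (
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$1="*) printf '%s\n' "${line#*=}"; exit 0 ;;
    esac
  done
  exit 1
)

# List keys whose values hold anything outside a conservative allowlist,
# i.e. values a shell could expand, split or execute if the file were sourced.
risky_keys() (
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ''|'#'*) continue ;;
      *=*) ;;
      *) continue ;;
    esac
    case "${line#*=}" in
      *[!A-Za-z0-9_./:@%+=,-]*) printf '%s\n' "${line%%=*}" ;;
    esac
  done
)

# For contrast: what a shell makes of the same file when it is sourced.
# Runs in a subshell so the calling shell is not affected.
sourced_value() (
  tmp=$(mktemp) || exit 1
  cat > "$tmp"
  set -a; . "$tmp"; set +a
  rm -f "$tmp"
  printenv "$1"
)
```

Each function reads the file on standard input, for example `sample_env | risky_keys`.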
Moving to another tool
notenv export --json emits a structured object instead of .env, if the
tool you are moving to wants JSON.
Move a vault to different storage
To copy a vault to another storage (local to cloud, say) and keep using notenv,
use notenv vault copy: it is the same vault afterward, nothing re-encrypted. See
Cloud remotes.
Delete a vault
To destroy a vault you no longer want:
This permanently removes the vault's encrypted objects, this machine's trust state for it, and its entry in your config. It asks for the vault's primary passphrase and makes you type the vault's name to confirm, so you only ever destroy a vault you can prove you own.
It deletes the live vault, not every copy
A versioned remote's history and any backups you made are the provider's to
purge. If you have lost the passphrase, delete the storage yourself (a local
vault is its directory; a remote's objects are yours to remove) and run
notenv key forget to clear this machine's trust state.
Under the hood: revoking a person's access (rather than deleting the vault) is covered in Share a vault with your team; what export exposes and what deletion does not reach is in the threat model.