Capy vs dotenvx
Service-mediated keys versus manual key distribution.
dotenvx implements a long-standing approach: encrypt the values in your .env to a public key, commit the encrypted file to git, hand the corresponding private key to anyone who needs to decrypt at runtime. There is no service in the path, no account to create, and no vendor whose breach you have to worry about. For a single developer or a stable two-person team, this is hard to beat, and Capy is not pretending otherwise.
The interesting question is what happens after the team grows. This comparison covers when Capy is the right dotenvx alternative and when it isn't.
At a glance
| Capy | dotenvx | |
|---|---|---|
| Where encryption happens | On the client | On the client |
| Vendor in the path | Mediating service holds ciphertext and the outer key wrap | None — keys live with you |
| Adding a teammate | capy invite — new member generates their own keypair, service issues a wrap | Manually distribute the existing private key |
| Removing a teammate | capy kick — cryptographic, no rotation needed | Rotate every secret the leaver had access to and redistribute new keys |
| Key distribution responsibility | Service mediates it | Whoever runs the team |
| What lands in git | .keep manifest of hash references | The encrypted .env file itself |
| Secret diffs in PR review | Hash references — keys visible, values not | Encrypted blobs |
| Git-branch alignment | Branches pin to your git branches | None built in |
| AI-agent blast radius | Only what capy run -- is currently injecting | Anything the local key can decrypt while the agent has access |
| Built for | Teams that grow or have turnover | Solo developer or a stable two-person team |
When you need a dotenvx alternative
A second engineer joins. You generate them a key, share it over Signal or 1Password, and confirm they can decrypt. A third engineer joins; same dance. By the fifth or sixth engineer, the answer to "who has which key" lives in a shared password manager, which has now become the actual security boundary. The file encryption is still happening, but the property the team is relying on is a vault someone else controls.
The first time an engineer leaves the team, the question is whether their key still works. It does. They had it. The careful response is to rotate every secret they had access to and redistribute new keys to everyone else. In practice, most teams skip the rotation, because it is tedious and nobody wants to spend the afternoon on it. This is the pattern engineering leads describe in interviews almost universally: nobody rotates their secrets. The tool didn't make them irresponsible; the operational steps did.
What changes under Capy
Capy preserves the property dotenvx is built around (values are ciphertext before they leave the engineer's machine) and replaces the manual key-distribution and revocation steps with cryptographic primitives the service mediates.
Adding a teammate is capy invite alice@example.com. The new member's machine generates its own keypair and the service hands them a wrap they can use to decrypt. No private key has to leave one developer's machine for another's. Removing a teammate is capy kick. The service-side outer wrap on their key is destroyed, their local key.enc becomes inert, and the rest of the team's keys keep working unchanged. There is no rotation event and no afternoon spent re-encrypting and shipping new private keys to the survivors.
The .keep manifest is the other piece dotenvx doesn't have. It lives in your git repo as a list of hash references (committable, value-free), so a code reviewer sees in a PR diff that someone added or changed STRIPE_SECRET_KEY, without seeing what the value is. dotenvx commits the encrypted file itself, which is workable but mixes the value-list and the value-storage in a way that makes review patterns more awkward.
Where dotenvx remains the right answer
If your situation is "one developer, one machine, one key, no team operations to perform," dotenvx is built for it and there is no reason to introduce a service to the path. The crossover is the moment the team is more than two people, or whenever turnover becomes plausible. Past that point, what dotenvx asks you to do manually (distribute keys, track who has which one, rotate everything when someone leaves) is what Capy is asking you to stop having to do at all.
Frequently asked questions
Is Capy a dotenvx alternative?+
Yes, for teams that have grown past a solo developer or a stable two-person team. Capy keeps the client-side encryption property dotenvx is built around and replaces manual key distribution and rotation with cryptographic primitives — capy invite for onboarding, capy kick for revocation.
Does Capy require me to give up the no-vendor property of dotenvx?+
Capy puts a mediating service in the path that holds ciphertext and the outer wrap of each member's key, but the service never holds the inner wrap and cannot decrypt. Compared to dotenvx, you trade vendor-free for cryptographic revocation and service-mediated onboarding.
How does Capy handle removing a teammate?+
capy kick destroys the service-side outer wrap on the kicked member's key, which makes their local key material inert. The rest of the team's keys keep working unchanged. Under dotenvx, the careful response is to rotate every secret the leaver had access to and redistribute new keys.
When should I stay on dotenvx?+
If you're one developer with one machine and one key, dotenvx is built for it and there's no reason to introduce a service to the path. The crossover is the moment the team is more than two people, or whenever turnover becomes plausible.
More comparisons
- Capy vs DopplerClient-side encryption, git-native diffs, and cryptographic revocation versus a server-side managed product.
- Capy vs InfisicalZero-trust by default and git-branch alignment versus a server-side OSS platform.
- Capy vs 1Password CLIA developer-first .env workflow built around git, versus op:// references and a unified credential vault.
- Capy vs AWS Secrets ManagerDeveloper ergonomics, git-native diffs, and zero-trust storage versus IAM-scoped runtime delivery.
- Capy vs SOPSManaged team sync and cryptographic revocation versus a file-encryption primitive you build the system around.
Install Capy in 30 seconds
brew install capysc/tap/capynpm i -g @capy/cli