Great post, Shen. Nice breakdown of things. As to your thought here:

"Disclaimer: I am not sure how will dotenv and Docker work in a serverless environment (Vercel), maybe it'll retrieve it for every different server?"

Check out the .env.vault file. It is not well documented yet, but it is the future here today. Rather than syncing your secrets and scattering them across multiple 3rd parties, you include an encrypted .env.vault with your deploy, and then set a single DOTENV_KEY on your server/serverless/etc. On boot, your .env.vault file is decrypted just in time and your app runs correctly.

This new approach to security will prevent breaches like the CircleCI breach from being effective. This is an essential difference between dotenv-vault and other SecretOps solutions. It's important to us.