Here's something nobody talks about. .gitignore doesn't encrypt your secrets. It just hides them from git. They're still sitting on your laptop as plaintext. Every tool you install can read them. Every script that runs can read them. One accidental commit and your database password is public on GitHub forever. So I built dotlock — an encrypted .env vault with a terminal UI, written in Go. Before and after Before dotlock DATABASE_URL = postgres://localhost/myapp # plaintext, readable by anything STRIPE_KEY = sk_live_abc123 # one grep away from anyone Enter fullscreen mode Exit fullscreen mode After dotlock # .dotlock file on disk — looks like this: [ encrypted binary — unreadable without your private key] Enter fullscreen mode Exit fullscreen mode How it works under 10 seconds cd my-project dotlock set DATABASE_URL # prompts for value, input is masked dotloc # opens the terminal UI Enter fullscreen mode Exit fullscreen mode Secrets are encrypted with age — X25519 key agreement and ChaCha20-Poly1305…