Once your project hierarchy exists, the day-to-day workflow is pushing secrets up to dotEnv Cloud and pulling them back down where you need them. This guide covers both directions and the most useful flags.
Push secrets from a file
The push command uploads a local .env file to a level in your hierarchy. Secrets are stored as one encrypted blob per level, the inverse of how pull merges them back.
To populate several levels at once, point the per-level flags at separate files:
By default a backup version is recorded for every push so you can roll back later. Add --no-backup to skip it, or --force to overwrite existing secrets without a prompt.
Pull secrets back
The pull command retrieves secrets for a level. Because the hierarchy is inheritance-aware, pulling an environment merges in everything defined at the parent target and project levels.
To inspect only what is defined at a single level, without inheritance, pass --level-only:
Choose an output format
Both pull and export can render secrets in several formats. The supported values are env (default), json, yaml, shell, and dockerfile.
Resolve variable references
If your secrets reference one another with ${VAR} syntax, pass --resolve to expand them during the pull. See Variable Templating for the full syntax.
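The inheritance merge and ${VAR} expansion described above can be modelled locally to see which level each value comes from and to catch broken references before they reach a deployment. This is an added example, not dotEnv Cloud's own code: the level contents are constructed sample data, and both the child-overrides-parent precedence and the choice to fail on undefined or cyclic references are assumptions of this model.

```python
import re

# Constructed sample data: three levels of one hierarchy, ordered parent -> child.
LEVELS = [
    ("project", {"DB_HOST": "db.internal", "DB_PORT": "5432", "LOG_LEVEL": "info"}),
    ("target", {"DB_USER": "app", "LOG_LEVEL": "warn"}),
    ("environment", {"DB_URL": "postgres://${DB_USER}@${DB_HOST}:${DB_PORT}/app",
                     "DB_HOST": "db.staging.internal"}),
]

REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def merge_levels(levels, level_only=False):
    """Merge parent -> child and return {key: (value, source_level)}.

    Assumption: a child level overrides its parents on a key collision.
    level_only=True models inspecting the last level with no inheritance.
    """
    merged = {}
    for name, secrets in (levels[-1:] if level_only else levels):
        for key, value in secrets.items():
            merged[key] = (value, name)
    return merged


def resolve(merged):
    """Expand ${VAR} references; raise on undefined names or reference cycles."""
    done = {}

    def expand(key, stack):
        if key in done:
            return done[key]
        if key in stack:
            raise ValueError("reference cycle: " + " -> ".join(stack + [key]))
        if key not in merged:
            raise KeyError(f"undefined reference: {key}")
        value = REF.sub(lambda m: expand(m.group(1), stack + [key]), merged[key][0])
        done[key] = value
        return value

    return {key: expand(key, []) for key in merged}
```

Resolving the single-level view fails in this model because DB_USER lives at a parent level, which is why expansion is only meaningful on the merged result.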
Clear a level
To remove the secrets stored at a level, use secret delete. A backup version is recorded first unless you pass --no-backup:
With push and pull mastered, explore the parent-and-child mechanics in Environment Inheritance.