From dfe51c6ca9c90efb2fbfc85c12dcaa778e19e641 Mon Sep 17 00:00:00 2001 From: Scott Motte Date: Fri, 26 May 2023 09:45:46 -0700 Subject: [PATCH] Update README --- README.md | 64 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index f7984baa..2cc51df6 100644 --- a/README.md +++ b/README.md @@ -61,13 +61,6 @@ Dotenv is a zero-dependency module that loads environment variables from a `.env ## 🌱 Install - -
-how to use dotenv video tutorial -youtube/@dotenvorg -
-
- ```bash # install locally (recommended) npm install dotenv --save @@ -77,6 +70,13 @@ Or installing with yarn? `yarn add dotenv` ## 🏗ī¸ Usage + +
+how to use dotenv video tutorial +youtube/@dotenvorg +
+
+ Create a `.env` file in the root of your project: ```dosini @@ -193,49 +193,51 @@ You need to deploy your secrets in a cloud-agnostic manner? Use a `.env.vault` f -**Note: Currently released as RC Candidate [dotenv@16.1.0-rc2](https://www.npmjs.com/package/dotenv/v/16.1.0-rc2)** +**Note: Currently RC Candidate [dotenv@16.1.0-rc2](https://www.npmjs.com/package/dotenv/v/16.1.0-rc2)** -Install dotenv-vault. +Install [dotenv-vault](https://github.com/dotenv-org/dotenv-vault#-install). -```shell -$ brew install dotenv-vault +```bash +$ brew install dotenv-org/brew/dotenv-vault ``` -(see [dotenv.org/install](https://www.dotenv.org/install) for other install options) -Build your encrypted `.env.vault` file from your local .env file. +Encrypt your `.env.vault` file. -```shell -$ dotenv-vault local build +```bash +$ dotenv-vault build ``` -This creates two files: +Fetch your production `DOTENV_KEY`. -* `.env.vault` - containing an encrypted version of your .env file -* `.env.keys` - containing the decryption key +```bash +$ dotenv-vault keys production +``` -Boot your application using the encrypted `.env.vault` file instead of your `.env` file. +Set `DOTENV_KEY` on your server. -``` -$ DOTENV_KEY= npm start +```bash +# heroku example +heroku config:set DOTENV_KEY=dotenv://:key_1234â€Ļ@dotenv.org/vault/.env.vault?environment=production ``` -If it worked, you'll see the message: +Commit your `.env.vault` file safely to code and deploy. -```shell -[dotenv@16.1.0][INFO] Loading env from encrypted .env.vault +```bash +$ git add .env.vault +$ git commit -am "Update .env.vault" +$ git push +$ git push heroku main # heroku example ``` -(This [blog post](https://dotenv.org) goes into a full Hello World example.) +That's it! On deploy, your `.env.vault` file will be decrypted and its secrets injected as environment variables – just in time. -Great, now set the `DOTENV_KEY` on your server. For example in heroku: +

See GitHub dotenv-vault README for more details.

-```shell -$ heroku config:set DOTENV_KEY= -``` +--- -Commit your `.env.vault` file safely to code and deploy. +ℹī¸ **A note from Mot**: Until recently, we did not have an opinion on how and where to store your secrets in production. We now strongly recommend generating a `.env.vault` file. It's the best way to prevent your secrets from being scattered across multiple servers and cloud providers – protecting you from breaches like the [CircleCI breach](https://techcrunch.com/2023/01/05/circleci-breach/). Also it unlocks interoperability WITHOUT native third-party integrations. Third-party integrations are [increasingly risky](https://coderpad.io/blog/development/heroku-github-breach/) to our industry. They may be the 'du jour' of today, but we imagine a better future with `.env.vault` files. -Your `.env.vault` fill be decrypted on boot, its environment variables injected, and your app work as expected. Congratulations, your secrets are now much safer than scattered across multiple servers and cloud providers! +ℹī¸ **🔐 Vault Managed vs đŸ’ģ Locally Managed**: The above example, for brevity's sake, used the 🔐 Vault Managed solution to generate your `.env.vault` file. You can instead use the đŸ’ģ Locally Managed solution. [Read more here](https://github.com/dotenv-org/dotenv-vault#how-do-i-use--locally-managed-dotenv-vault). Our vision is that other platforms and orchestration tools adopt the `.env.vault` standard as they did the `.env` standard. We don't expect to be the only ones providing tooling to manage and generate `.env.vault` files. ## 🌴 Manage Multiple Environments
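Review bot: In the `.env.vault` hunk (`@@ -193,49 +193,51 @@`), the new steps never state that `DOTENV_KEY` is the decryption key for the committed `.env.vault` and must itself stay out of the repository. The removed text at least described `.env.keys` as "containing the decryption key". Add one sentence after "Fetch your production `DOTENV_KEY`." saying that the key is a secret and belongs only in the server's configuration. The removed `Loading env from encrypted .env.vault` log line was also the only way for a reader to confirm that decryption happened at boot, so consider keeping it after the deploy step. Smaller points in the same hunk: "Encrypt your `.env.vault` file." reads as if the vault file were the input, where the removed wording ("Build your encrypted `.env.vault` file from your local .env file") was accurate. The `dotenv://` value passed to `heroku config:set` contains `?` and should be quoted, because zsh treats an unquoted `?` as a glob and aborts with "no matches found". `git commit -am` commits every modified tracked file, not only the `.env.vault` that was just added, so `git commit -m` is the safer example. "RC Candidate" expands to "release candidate candidate".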