Concepts
Before diving into the CLI commands, it helps to understand the core concepts behind envdrift.
Core Ideas
envdrift is built around three main ideas:
- Schema-first validation — Define your expected environment variables in Pydantic, and envdrift validates your .env files against that schema.
- Encryption at rest — Secrets should be encrypted in your repository. envdrift supports two encryption backends (dotenvx and SOPS) and integrates with cloud vaults for key management.
- Drift detection — Compare environments to catch configuration drift before it causes production issues.
In This Section
- How It Works — Understand the mental model and workflows
- Encryption Backends — Compare dotenvx vs SOPS
- Vault Providers — Compare Azure, AWS, HashiCorp, and GCP
Quick Overview
┌─────────────────────────────────────────────────────────────────┐
│                         Your Repository                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  config.py (Schema)          .env.production (Encrypted)        │
│  ┌────────────────────┐      ┌──────────────────────────────┐   │
│  │ class Settings:    │      │ DATABASE_URL="encrypted:..." │   │
│  │   DATABASE_URL: str│ ──── │ API_KEY="encrypted:..."      │   │
│  │   API_KEY: str     │      │ DEBUG=false                  │   │
│  │   DEBUG: bool      │      └──────────────────────────────┘   │
│  └────────────────────┘                                         │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
                                 │
                                 ▼
                 ┌──────────────────────────────┐
                 │     envdrift validate        │
                 │     envdrift diff            │
                 │     envdrift encrypt         │
                 └──────────────────────────────┘
                                 │
                                 ▼
                 ┌──────────────────────────────┐
                 │         Cloud Vault          │
                 │  (Azure/AWS/HashiCorp/GCP)   │
                 │                              │
                 │    Stores encryption keys    │
                 │     for team-wide access     │
                 └──────────────────────────────┘
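
The schema check, the encrypted-at-rest check and the environment diff described above, in miniature, using the variable names from the diagram. This is an added standard-library sketch, not envdrift's code or API: the `SCHEMA` dict stands in for the Pydantic class, and the function names, the secret flags and the sample files are assumptions made for illustration.

```python
# Added illustration (standard library only); not envdrift's implementation.
# SCHEMA stands in for the Pydantic Settings class in the diagram; the secret
# flags are an assumption based on which values the diagram shows encrypted.
SCHEMA = {"DATABASE_URL": (str, True), "API_KEY": (str, True), "DEBUG": (bool, False)}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def validate(env):
    """Return findings: missing keys, plaintext secrets, bad bools, extras."""
    findings = []
    for name, (typ, secret) in SCHEMA.items():
        if name not in env:
            findings.append(f"missing: {name}")
        elif secret and not env[name].startswith("encrypted:"):
            findings.append(f"plaintext secret: {name}")
        elif typ is bool and env[name].lower() not in ("true", "false", "1", "0"):
            findings.append(f"not a bool: {name}")
    findings += [f"not in schema: {k}" for k in sorted(env.keys() - SCHEMA.keys())]
    return findings

def diff(a, b):
    """Report drift between two environments without echoing secret values."""
    out = {}
    for key in sorted(a.keys() | b.keys()):
        if key not in a or key not in b:
            out[key] = "only in " + ("first" if key in a else "second")
        elif a[key] != b[key]:
            secret = SCHEMA.get(key, (str, True))[1]  # unknown keys are masked
            out[key] = "differs" if secret else f"{a[key]} != {b[key]}"
    return out

# Constructed sample files; the dev file leaks a plaintext API key.
PROD = 'DATABASE_URL="encrypted:AAAA"\nAPI_KEY="encrypted:BBBB"\nDEBUG=false\n'
DEV = '# dev\nDATABASE_URL="encrypted:CCCC"\nAPI_KEY=sk-test-123\nDEBUG=true\nLOG_LEVEL=debug\n'

if __name__ == "__main__":
    print(validate(parse_env(PROD)))
    print(validate(parse_env(DEV)))
    print(diff(parse_env(PROD), parse_env(DEV)))
```

The diff reports only that a secret differs, so the output is safe to paste into CI logs or a review thread.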