Can the .env.vault file be cracked?

I personally feel like the overall dotenv-vault experience feels a bit weird to me, as I have maintained both the webui and local vault.

This is a good point. We have a deep GitHub Integration coming mid-December (hopefully earlier!) that will make a large stride toward rectifying this.

I wouldn’t be willing to have our secrets sitting in a file where someone can effectively spend any amount of time and energy on various cracking methods against the encrypted contents

I empathize with this statement because I share it too from an optics and behavioral point of view. It just feels weird to have it 'out there. But AES’s brute-force timescale is like a billion years. [1] The US Government uses it to transmit top-secret information. [2] By the time this becomes a real risk we will have solved 1-click batch key-rotation - the true final solution to keep your secrets safe. This is our end goal for the developer and security community.

Our other long-term goal is interoperability WITHOUT native 3rd party integrations. Those have significant security risks. [3]. We’re taking a big bet with this new approach. It looks non-standard right now, but we’re convinced it will become the de facto standard - this encrypted .env.vault file. It will work everywhere in an understandable and open way. Give us time on the flow issues. We will solve them.

[1] AES 256 is virtually impenetrable using brute-force methods. While a 56-bit DES key can be cracked in less than a day, AES would take billions of years to break using current computing technology. Hackers would be foolish to even attempt this type of attack. [2] AES-256 is currently labeled as sufficient to use in the US government for the transmission of TOP SECRET/SCI information [3] Heroku-GitHub Breach Highlights Integration Risks

Thank you @bradrf. We are taking a look. This must be a regression.