Skip to content

[DotEnv][Secrets] Failing to decrypt-to-local in the correct file #62742

New issue
New issue
Open
Open
[DotEnv][Secrets] Failing to decrypt-to-local in the correct file#62742
Labels
BugDotenvStatus: Needs Review
@flohw

Description

@flohw
flohw
opened on Dec 11, 2025

Symfony version(s) affected

7.4

Description

We just upgraded to SF7.4 and as the title suggests, we use secrets and dotfiles to manage... Our secrets.
We come from SF 6.4 and we have some vaults. We used to APP_RUNTIME_ENV=common secrets:decrypt-to-local -e staging to decrypt the common vault for the staging environment into the .env.staging.local file.
Now, runnging APP_RUNTIME_ENV=common secrets:decrypt-to-local -e staging decrypts the common vault in the .env.common.local file.

The documentation provides the default configuration as local_dotenv_file: '%kernel.project_dir%/.env.%kernel.environment%.local'. But dump:config framewrok shows local_dotenv_file: '%kernel.project_dir%/.env.%env(default:kernel.environment:APP_RUNTIME_ENV)%.local (which is %kernel.project_dir%/.env.%kernel.runtime_environment%.local)
As kernel.environment is a parameter and not an env, I don't really understand how it could work but would be interested in that question.

As composer dump-env staging only reads the corresponding environment, the .env.common.local is never read, the correct value is not used if it override a previous or default value.

How to reproduce

Not tested with a clean symfony installation but my current installation has nothing fancy regarding the secrets (no custom loader e.g.).

APP_RUNTIME_ENV=common bin/console secrets:set SOME_ENV_VAR -e dev
# Everything should be ok
APP_RUNTIME_ENV=common bin/console secrets:decrypt-to-local -e staging
# A .env.staging.local should be created or updated with the new SOME_ENV_VAR set
# but a .env.common.local is created or updated with the new SOME_ENV_VAR set

Possible Solution

As an end user, the solution I found is to set the configuration framework.secrets.local_dotenv_file: '%kernel.project_dir%/.env.%kernel.environment%.local manually. I tried to set a env(kernel.environment): '%kernel.environment%' value in the parameters of the services.yaml with no luck.

From a symfony maintainer point of view, I am afraid that I cannot help a lot but will be happy to answer questions if any. I saw the #62078 which may have introduced the bug while resolving another...

Additional Context

Thank you 🙂

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugDotenvStatus: Needs Review

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions