Storage Backends

Available Backends

How It Works

Regardless of backend, ev always stores release metadata (timestamps, authors, history) in its own Postgres database. Only secret values are stored in the external backend.

ev push
  → encrypt locally (if ev backend)
  → send to backend
  → record release metadata in ev Postgres

ev pull
  → fetch from backend
  → decrypt locally (if ev backend)
  → write .env

When using an external backend like AWS Secrets Manager, values are stored as plaintext in that system — the same as your existing setup. ev adds team sync, diff, history, promotion, and rollback on top.

Choosing a Backend

Use the ev backend when:

• You want full end-to-end encryption
• You do not need your existing infra tools (Terraform, ECS, Lambda) to read secrets natively
• You are starting a new project

Use AWS Secrets Manager when:

• Your existing Terraform, ECS task definitions, or Lambda functions already read from AWS SM
• You want ev to add team workflow on top of your existing secret storage
• E2E encryption is less important than infrastructure compatibility

Configuration Example

# ev.yaml — use AWS SM for all environments
backend:
  type: aws-secrets-manager
  region: us-east-1
  prefix: /myapp/
 
# Keep dev on ev's encrypted storage
environments:
  dev:
    backend:
      type: ev

Limitations

Related

• AWS Secrets Manager
• HashiCorp Vault
• GCP Secret Manager
• 1Password
• ev backend command
• ev import command