L5 .env contains app key but .env is in .gitignore how do I use the same key on different machines?

The application key is not meant to be shared. In an ideal world, no developer should ever see the production environment's key. Simply make a file and place it in every environment, without including it version control.

Yup .env is ignored because it contains sensitive information about your app such as database password etc.

You should deploy/distribute the .env file manually.

If you feel the information is safe to share for your particular application, then go ahead and remove the entry from .gitignore, or provide an example .env.example that can be easily renamed.

The .env file is a workaround intended primarily for use only in development (when changing actual environment variables can be tedious.

In a production environment, you would set these variables within your Apache or nginx configuration using the relevant directives, using the .env file as a last resort only if you can't do the proper way (and if you can't, find better hosting).

Furthermore, the .env file will usually be environment-specific (i.e. Database credentials should be different in prod compres to dev) and this kind of information should never be committed to version control, lest it winds up being farmed for malicious activity.

ah ok so on forge I should just enter this info into the environment vars section then?

Yes, that's what they're there for :)

Am I correct in saying that there should be no need to share the key? Its only used for things like session encryption and csrf tokens? Hashed passwords etc don't use it so you won't break anything with a new key?