.env files with AES-256-GCM, powered by a Rust native addon for maximum performance and correctness. Commit the encrypted .env.enc file to version control and let encryptd decrypt it at runtime — your secrets never touch the repository in plaintext, and your app reads process.env exactly as before.
Introduction
Learn how encryptd uses AES-256-GCM and PBKDF2 to keep your secrets safe.
Installation
Configure GitHub Packages and add encryptd to your Node.js project.
Quickstart
Encrypt your first
.env file and load secrets in under five minutes.API Reference
Full reference for
config(), encryptEnv(), and decryptEnv().How it works
1
Install encryptd
Add
@vernonthedev/encryptd to your project. Prebuilt Rust native binaries for macOS, Linux, and Windows are bundled automatically — no Rust toolchain required.2
Encrypt your .env file
Run
npx secure-env encrypt from your project root. encryptd derives a 256-bit key from your passphrase using PBKDF2-HMAC-SHA256 with 100,000 iterations and a fresh random salt, then encrypts the file with AES-256-GCM. The result is a .env.enc JSON file that is safe to commit.3
Load secrets in your application
Call
config() from @vernonthedev/encryptd at the top of your entry file. It decrypts .env.enc on the fly and populates process.env — no plaintext file needed at runtime.encryptd is published to GitHub Packages, not the public npm registry. Before installing, add a
.npmrc file that points the @vernonthedev scope at the GitHub Packages registry and includes a valid GitHub personal access token with read:packages permission. See the Installation guide for step-by-step instructions..png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)