Is it safe to commit `.env.enc` to version control?
Is it safe to commit `.env.enc` to version control?
Yes. The
.env.enc file is encrypted with AES-256-GCM, a widely trusted authenticated encryption algorithm. Without the correct passphrase, the ciphertext is computationally unreadable.Follow these rules to keep your secrets safe:- Commit
.env.enc— this is the intended workflow. - Never commit the original
.envfile or your passphrase. - Add
.envto your.gitignoreto prevent accidental commits.
.gitignore
What happens if the same `.env` is encrypted twice?
What happens if the same `.env` is encrypted twice?
The resulting ciphertext will be different each time, even if the input file and passphrase are identical. encryptd generates a fresh random salt and nonce (IV) on every encryption run, so no two
.env.enc files will ever be the same.Both files will decrypt to the same plaintext content when the correct passphrase is provided. This is expected and correct behaviour.Can I use multiple encrypted files for different environments?
Can I use multiple encrypted files for different environments?
Yes. Specify custom input and output file paths when encrypting:Then load the appropriate file at runtime using the
Encrypt environment-specific files
path option:Load by environment
Does `config()` overwrite existing `process.env` variables?
Does `config()` overwrite existing `process.env` variables?
No — by default,
config() will not overwrite a key that already exists in process.env. This preserves values injected by your shell, Docker, or deployment environment, which typically take precedence over file-based configuration.If you need the values in the encrypted file to take precedence, set the override option to true:config() with override
Do I need Rust installed to use encryptd?
Do I need Rust installed to use encryptd?
No. encryptd ships prebuilt native binaries for all supported platforms. When you run
npm install, the correct binary for your operating system and architecture is downloaded automatically — no Rust toolchain required.What Node.js version is required?
What Node.js version is required?
Node.js 18 or higher is recommended. Older versions may work but are not officially tested or supported.
Always use an actively maintained Node.js LTS release in production. Check the Node.js release schedule for current LTS versions.
What if my platform isn't in the supported list?
What if my platform isn't in the supported list?
encryptd currently provides prebuilt binaries for the following platforms:
If your platform is not listed — for example, Alpine Linux (musl), Linux ARM64, or 32-bit systems — encryptd is not currently supported there. Running inside a Docker container based on a
glibc Linux distribution (such as Debian or Ubuntu) is the recommended workaround for most CI and server environments.Watch the project repository for updates if support for your platform is important to you.How do I rotate the passphrase?
How do I rotate the passphrase?
Rotating the passphrase is a two-step process: decrypt with the old passphrase, then re-encrypt with the new one.After rotation, update
Rotate passphrase
ENV_PASSPHRASE in every environment that uses the file — local developer machines, deployment secrets, and server environment variables — before deploying the new .env.enc..png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)