Skip to main content
Below you will find answers to the questions most commonly asked about encryptd. If your question is not covered here, check the Troubleshooting page or open an issue in the project repository.
Yes. The .env.enc file is encrypted with AES-256-GCM, a widely trusted authenticated encryption algorithm. Without the correct passphrase, the ciphertext is computationally unreadable.Follow these rules to keep your secrets safe:
  • Commit .env.enc — this is the intended workflow.
  • Never commit the original .env file or your passphrase.
  • Add .env to your .gitignore to prevent accidental commits.
.gitignore
The security guarantee only holds as long as your passphrase remains secret. Rotate the passphrase immediately if you suspect it has been exposed.
The resulting ciphertext will be different each time, even if the input file and passphrase are identical. encryptd generates a fresh random salt and nonce (IV) on every encryption run, so no two .env.enc files will ever be the same.Both files will decrypt to the same plaintext content when the correct passphrase is provided. This is expected and correct behaviour.
Yes. Specify custom input and output file paths when encrypting:
Encrypt environment-specific files
Then load the appropriate file at runtime using the path option:
Load by environment
Use a NODE_ENV check or a dedicated environment variable to select the correct .enc file automatically in your application bootstrap code.
No — by default, config() will not overwrite a key that already exists in process.env. This preserves values injected by your shell, Docker, or deployment environment, which typically take precedence over file-based configuration.If you need the values in the encrypted file to take precedence, set the override option to true:
config() with override
No. encryptd ships prebuilt native binaries for all supported platforms. When you run npm install, the correct binary for your operating system and architecture is downloaded automatically — no Rust toolchain required.
Node.js 18 or higher is recommended. Older versions may work but are not officially tested or supported.
Always use an actively maintained Node.js LTS release in production. Check the Node.js release schedule for current LTS versions.
encryptd currently provides prebuilt binaries for the following platforms:If your platform is not listed — for example, Alpine Linux (musl), Linux ARM64, or 32-bit systems — encryptd is not currently supported there. Running inside a Docker container based on a glibc Linux distribution (such as Debian or Ubuntu) is the recommended workaround for most CI and server environments.Watch the project repository for updates if support for your platform is important to you.
Rotating the passphrase is a two-step process: decrypt with the old passphrase, then re-encrypt with the new one.
Rotate passphrase
After rotation, update ENV_PASSPHRASE in every environment that uses the file — local developer machines, deployment secrets, and server environment variables — before deploying the new .env.enc.
Delete or securely shred the intermediate plaintext .env file after re-encryption to avoid leaving secrets on disk.