> ## Documentation Index
> Fetch the complete documentation index at: https://encryptd.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# encryptd: AES-256-GCM Encryption for .env Files

> encryptd encrypts your .env files with AES-256-GCM via a Rust native addon. Use it as a CLI tool or drop it into your Node.js app as a library.

encryptd protects your application secrets by encrypting `.env` files with AES-256-GCM, powered by a Rust native addon for maximum performance and correctness. Commit the encrypted `.env.enc` file to version control and let encryptd decrypt it at runtime — your secrets never touch the repository in plaintext, and your app reads `process.env` exactly as before.

<CardGroup cols={2}>
  <Card title="Introduction" icon="shield-halved" href="/introduction">
    Learn how encryptd uses AES-256-GCM and PBKDF2 to keep your secrets safe.
  </Card>

  <Card title="Installation" icon="box-open" href="/installation">
    Configure GitHub Packages and add encryptd to your Node.js project.
  </Card>

  <Card title="Quickstart" icon="rocket" href="/quickstart">
    Encrypt your first `.env` file and load secrets in under five minutes.
  </Card>

  <Card title="API Reference" icon="code" href="/reference/api">
    Full reference for `config()`, `encryptEnv()`, and `decryptEnv()`.
  </Card>
</CardGroup>

## How it works

<Steps>
  <Step title="Install encryptd">
    Add `@vernonthedev/encryptd` to your project. Prebuilt Rust native binaries for macOS, Linux, and Windows are bundled automatically — no Rust toolchain required.
  </Step>

  <Step title="Encrypt your .env file">
    Run `npx secure-env encrypt` from your project root. encryptd derives a 256-bit key from your passphrase using PBKDF2-HMAC-SHA256 with 100,000 iterations and a fresh random salt, then encrypts the file with AES-256-GCM. The result is a `.env.enc` JSON file that is safe to commit.
  </Step>

  <Step title="Load secrets in your application">
    Call `config()` from `@vernonthedev/encryptd` at the top of your entry file. It decrypts `.env.enc` on the fly and populates `process.env` — no plaintext file needed at runtime.
  </Step>
</Steps>

<Note>
  encryptd is published to **GitHub Packages**, not the public npm registry. Before installing, add a `.npmrc` file that points the `@vernonthedev` scope at the GitHub Packages registry and includes a valid GitHub personal access token with `read:packages` permission. See the [Installation guide](/installation) for step-by-step instructions.
</Note>
