Skip to main content
Committing plaintext .env files to version control is one of the most common ways secrets database passwords, API keys, and tokens end up exposed. encryptd solves this by encrypting your .env file into a .env.enc file that is safe to store in your repository. Your secrets stay protected behind a passphrase, decrypted only at runtime, so the plaintext file never needs to touch version control at all.

How it works

encryptd uses AES-256-GCM, one of the strongest symmetric encryption algorithms available, to encrypt and decrypt your .env files. When you encrypt, encryptd derives a 32-byte key from your passphrase using PBKDF2-HMAC-SHA256 with 100,000 iterations and a random salt. It then encrypts the file contents with a random 96-bit nonce and writes the result as a self-contained JSON blob containing the encrypted salt, IV, ciphertext, and authentication tag. Because a fresh nonce and salt are generated on every run, encrypting the same file twice always produces different output preventing ciphertext-comparison attacks. At runtime, you supply your passphrase via the ENV_PASSPHRASE environment variable or directly in code, and encryptd decrypts .env.enc back into your environment variables automatically.

Two ways to use encryptd

Use encryptd in whichever way fits your workflow best:
  • CLI: run secure-env encrypt and secure-env decrypt directly from your terminal or CI pipeline, without writing any application code.
  • Node.js library: call config() from @vernonthedev/encryptd in your application’s entry point to decrypt and load variables into process.env at startup.
Both modes read the passphrase from the ENV_PASSPHRASE environment variable by default, making it straightforward to inject secrets through your platform’s secret manager without hardcoding anything in your source code.

Rust-powered performance and security

The cryptographic core of encryptd is written in Rust using the aes-gcm crate and exposed to Node.js through a native addon. Encryption and decryption run at native speed rather than inside the JavaScript runtime. Prebuilt binaries are bundled for all supported platforms, so you do not need the Rust toolchain or any C compiler installed on your machine or in your CI environment.

Next steps

Installation

Configure GitHub Packages and add encryptd to your project.

Quickstart

Encrypt your first .env file and load it in your app in five minutes.