> ## Documentation Index
> Fetch the complete documentation index at: https://encryptd.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Protect Your Node.js Secrets with encryptd AES-256-GCM

> encryptd encrypts your .env files into a safe-to-commit .env.enc using AES-256-GCM backed by a Rust native addon usable as a CLI or Node.js library.

Committing plaintext `.env` files to version control is one of the most common ways secrets database passwords, API keys, and tokens end up exposed. **encryptd** solves this by encrypting your `.env` file into a `.env.enc` file that is safe to store in your repository. Your secrets stay protected behind a passphrase, decrypted only at runtime, so the plaintext file never needs to touch version control at all.

## How it works

encryptd uses **AES-256-GCM**, one of the strongest symmetric encryption algorithms available, to encrypt and decrypt your `.env` files. When you encrypt, encryptd derives a 32-byte key from your passphrase using PBKDF2-HMAC-SHA256 with 100,000 iterations and a random salt. It then encrypts the file contents with a random 96-bit nonce and writes the result as a self-contained JSON blob containing the encrypted salt, IV, ciphertext, and authentication tag. Because a fresh nonce and salt are generated on every run, encrypting the same file twice always produces different output preventing ciphertext-comparison attacks.

At runtime, you supply your passphrase via the `ENV_PASSPHRASE` environment variable or directly in code, and encryptd decrypts `.env.enc` back into your environment variables automatically.

## Two ways to use encryptd

Use encryptd in whichever way fits your workflow best:

* **CLI**: run `secure-env encrypt` and `secure-env decrypt` directly from your terminal or CI pipeline, without writing any application code.
* **Node.js library**: call `config()` from `@vernonthedev/encryptd` in your application's entry point to decrypt and load variables into `process.env` at startup.

Both modes read the passphrase from the `ENV_PASSPHRASE` environment variable by default, making it straightforward to inject secrets through your platform's secret manager without hardcoding anything in your source code.

## Rust-powered performance and security

The cryptographic core of encryptd is written in **Rust** using the `aes-gcm` crate and exposed to Node.js through a native addon. Encryption and decryption run at native speed rather than inside the JavaScript runtime. Prebuilt binaries are bundled for all supported platforms, so you do not need the Rust toolchain or any C compiler installed on your machine or in your CI environment.

## Next steps

<CardGroup cols={2}>
  <Card title="Installation" icon="arrow-down-to-bracket" href="/installation">
    Configure GitHub Packages and add encryptd to your project.
  </Card>

  <Card title="Quickstart" icon="bolt" href="/quickstart">
    Encrypt your first `.env` file and load it in your app in five minutes.
  </Card>
</CardGroup>
