.env file and loading the decrypted variables into a Node.js application at runtime. By the end you will have a workflow where only .env.enc lives in your repository and your secrets never touch version control in plaintext.
1
Install encryptd
If you have not installed encryptd yet, follow the Installation guide to configure GitHub Packages and add the package to your project. Then come back here.
2
Set your passphrase
Export your passphrase as an environment variable in your current shell session. Use a long, random string this is the secret that protects your encrypted file.encryptd reads
ENV_PASSPHRASE automatically in both the CLI and the library, so you do not need to hardcode it anywhere in your application code.3
Encrypt your .env file
Run the To encrypt a different file or write to a custom output path, pass the source and destination paths explicitly:After the command succeeds, you will find a
encrypt command from your project root. By default, encryptd reads .env and writes the encrypted output to .env.enc:.env.enc file in your project root containing a JSON blob with the encrypted salt, IV, ciphertext, and authentication tag.4
Commit .env.enc and update .gitignore
Add Your teammates and your CI pipeline can now decrypt
.env.enc to version control and make sure the original .env is excluded:.env.enc using the shared passphrase without the plaintext file ever entering the repository.5
Load encrypted variables in your application
Call
config() early in your application’s entry point, before any code that reads from process.env. It decrypts .env.enc, parses the key-value pairs, and writes them into process.env.config() also accepts an options object when you need to customise the behaviour:config() returns a Record<string, string> containing every decrypted variable, so you can use the return value directly instead of reading from process.env if you prefer.Decrypt from the CLI
You can also decrypt an encrypted file back to plaintext using thedecrypt subcommand. This is useful for inspecting the file, rotating secrets, or applying it to an environment that cannot run Node.js code.
inputFile is omitted, secure-env decrypt reads from .env.enc in the current directory.
Low-level library API
For advanced use cases such as encrypting or decrypting strings programmatically without touching the filesystem encryptd exportsencryptEnv and decryptEnv directly.
encryptEnv(plainText, passphrase)
Encrypts a plaintext string and returns an EnvPayload object containing all fields needed to decrypt it later.
decryptEnv(payload, passphrase)
Decrypts an EnvPayload produced by encryptEnv and returns the original plaintext string.
.png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)