> ## Documentation Index
> Fetch the complete documentation index at: https://encryptd.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# encryptd Changelog: Release History and Version Notes

> Release notes for @vernonthedev/encryptd. Covers version history, features shipped, and breaking changes from the initial beta release onward.

This page records every public release of `@vernonthedev/encryptd`, including features shipped, bugs fixed, and any breaking changes. Releases follow [Semantic Versioning](https://semver.org/). Beta releases are published to GitHub Packages with the `beta` dist-tag.

***

## v0.0.1-beta.0 : 2026-07-14

Initial beta release of `@vernonthedev/encryptd`. This version establishes the complete encryption pipeline from Rust native crypto to the TypeScript loader and CLI and ships prebuilt platform binaries for four major targets.

### Features

**AES-256-GCM encryption via Rust native addon.** Encryption and decryption are implemented in Rust using the `aes-gcm` crate, compiled to a Node.js native addon with [napi-rs](https://napi.rs/). The Rust layer is exposed to TypeScript through two functions: `encryptEnv()` and `decryptEnv()`. No JavaScript code sits in the cryptographic path.

**PBKDF2-HMAC-SHA256 key derivation.** Keys are never used directly as AES keys. Every passphrase is stretched through PBKDF2-HMAC-SHA256 at **100,000 iterations**, producing a 256-bit key. The high iteration count makes brute-force attacks against the passphrase significantly more expensive.

**Random 16-byte salt per encryption.** A fresh cryptographically random 16-byte salt is generated on every call to `encryptEnv()` via `OsRng`. The salt is stored in the [`EnvPayload`](/reference/env-payload) alongside the ciphertext, so decryption can always reproduce the same derived key without storing any key material on disk. Because the salt changes on every call, two encryptions of the same plaintext with the same passphrase produce different ciphertexts.

**Random 96-bit nonce per encryption.** In addition to the salt, a fresh 96-bit (12-byte) AES-GCM nonce is generated per encryption. 96 bits is the NIST-recommended nonce length for GCM and is enforced by the underlying `aes-gcm` Rust crate.

**GCM authentication tag for tamper detection.** AES-GCM produces a 16-byte authentication tag that covers the ciphertext. The tag is stored in the `EnvPayload`. During decryption, the tag is verified before any plaintext is returned a mismatch (wrong passphrase or modified file) causes an immediate error: `[RustLib] Decryption failed. Wrong key or tampered file.`

**`secure-env encrypt` CLI command.** Encrypts a plaintext `.env` file and writes the [`EnvPayload`](/reference/env-payload) JSON to an output file. Defaults: input `.env`, output `.env.enc`. Requires `ENV_PASSPHRASE` to be set. See the [CLI reference](/reference/cli-reference) for full argument documentation.

**`secure-env decrypt` CLI command.** Decrypts a `.env.enc` file and prints the plaintext to stdout. Useful for verifying the contents of an encrypted file or recovering the original in an emergency. Requires `ENV_PASSPHRASE` to be set.

**`config()` library function.** The high-level TypeScript entry point. Reads `.env.enc`, decrypts it, parses the `KEY=VALUE` lines, and populates `process.env`. Returns a `Record<string, string>` of all loaded variables. Accepts `ConfigOptions` for customizing the file path, passphrase source, and override behavior. See the [API reference](/reference/api) for full documentation.

**Cross-platform prebuilt binaries.** Native `.node` binaries are prebuilt and published as optional platform packages, so no Rust toolchain is required at install time. The following targets ship with this release:

| Platform | Architecture          | Package                                 |
| -------- | --------------------- | --------------------------------------- |
| macOS    | ARM64 (Apple Silicon) | `@vernonthedev/encryptd-darwin-arm64`   |
| macOS    | x64 (Intel)           | `@vernonthedev/encryptd-darwin-x64`     |
| Linux    | x64 (glibc)           | `@vernonthedev/encryptd-linux-x64-gnu`  |
| Windows  | x64                   | `@vernonthedev/encryptd-win32-x64-msvc` |

**Published to GitHub Packages.** The package is available at `@vernonthedev/encryptd` on GitHub Packages. Installation requires an `.npmrc` entry pointing the `@vernonthedev` scope at the GitHub registry:

```sh .npmrc theme={null}
@vernonthedev:registry=https://npm.pkg.github.com
```

```sh Install theme={null}
pnpm add @vernonthedev/encryptd
```

<Note>
  This is a beta release. The public API (`config()`, `encryptEnv()`, `decryptEnv()`) and the [`EnvPayload`](/reference/env-payload) file format are considered stable for the beta period, but may change before a `1.0.0` release. The `version` field in every `EnvPayload` ensures that files encrypted today will remain decryptable after any future format migration encryptd will use the version number to apply the correct decryption logic automatically.
</Note>
