Skip to main content
The secure-env binary ships with @vernonthedev/encryptd and exposes two subcommands: encrypt converts a plaintext .env file into an encrypted .env.enc JSON file, and decrypt reverses that process and prints the recovered plaintext to stdout. Both commands require the ENV_PASSPHRASE environment variable to be set before they run the CLI throws immediately if it is missing.

secure-env encrypt

The encrypt command reads the plaintext input file, encrypts it with AES-256-GCM using a key derived from ENV_PASSPHRASE via PBKDF2-HMAC-SHA256, and writes the resulting EnvPayload JSON to the output file. A success message is printed to stdout on completion.

Syntax

Arguments

Environment variables

Examples


secure-env decrypt

The decrypt command reads the encrypted JSON file produced by secure-env encrypt, decrypts it using ENV_PASSPHRASE, and prints the recovered plaintext to stdout. Nothing is written to disk and process.env is not mutated.
The decrypt command is a read-only operation. It prints decrypted content to stdout only it does not write a file to disk or load variables into process.env. To load decrypted variables into a running Node.js process, use the config() library function instead.

Syntax

Arguments

Environment variables

Examples


Exit behavior

The CLI exits with a non-zero status code (thrown Error) in the following situations:
If you receive [RustLib] Decryption failed, verify that ENV_PASSPHRASE is set to exactly the same value that was used when the file was encrypted including case and any special characters. The error is intentionally non-specific: the CLI cannot distinguish between a wrong passphrase and a tampered file.

Usage without npx

If you install @vernonthedev/encryptd as a local dev dependency, the secure-env binary is available inside node_modules/.bin/. You can invoke it directly or register it as an npm script to avoid typing the full path every time.