secure-env binary ships with @vernonthedev/encryptd and exposes two subcommands: encrypt converts a plaintext .env file into an encrypted .env.enc JSON file, and decrypt reverses that process and prints the recovered plaintext to stdout. Both commands require the ENV_PASSPHRASE environment variable to be set before they run the CLI throws immediately if it is missing.
secure-env encrypt
The encrypt command reads the plaintext input file, encrypts it with AES-256-GCM using a key derived from ENV_PASSPHRASE via PBKDF2-HMAC-SHA256, and writes the resulting EnvPayload JSON to the output file. A success message is printed to stdout on completion.
Syntax
Arguments
Environment variables
Examples
secure-env decrypt
The decrypt command reads the encrypted JSON file produced by secure-env encrypt, decrypts it using ENV_PASSPHRASE, and prints the recovered plaintext to stdout. Nothing is written to disk and process.env is not mutated.
The
decrypt command is a read-only operation. It prints decrypted content to stdout only it does not write a file to disk or load variables into process.env. To load decrypted variables into a running Node.js process, use the config() library function instead.Syntax
Arguments
Environment variables
Examples
Exit behavior
The CLI exits with a non-zero status code (thrownError) in the following situations:
Usage without npx
If you install @vernonthedev/encryptd as a local dev dependency, the secure-env binary is available inside node_modules/.bin/. You can invoke it directly or register it as an npm script to avoid typing the full path every time.
- pnpm exec
- Direct binary path
- npm scripts
.png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)