Skip to main content
encryptd is designed to work with sensible defaults and minimal configuration. The config() function accepts an optional options object that lets you customise the encrypted file path, provide the passphrase inline, and control whether existing process.env values are overwritten. This page covers every available option, how to supply your passphrase securely across different environments, and patterns for managing multiple encrypted files per deployment stage.

config() options reference

All options are optional. When you omit an option, config() applies the default listed below.

Setting ENV_PASSPHRASE

encryptd reads the passphrase from the ENV_PASSPHRASE environment variable when you do not supply options.passphrase explicitly. This approach keeps the passphrase out of your source code entirely.

In your local shell

Export ENV_PASSPHRASE in your current terminal session before running the CLI or starting your application:
Add the export line to your shell profile (.zshrc, .bashrc, etc.) or use a tool like direnv to load it automatically whenever you enter the project directory. Never commit the value to version control.

In GitHub Actions

Store the passphrase as an encrypted repository secret and inject it into your workflow via the env block. encryptd will read it from ENV_PASSPHRASE automatically:
.github/workflows/deploy.yml
Add ENV_PASSPHRASE under Settings → Secrets and variables → Actions in your GitHub repository. The value is masked in workflow logs and never exposed in plain text.

Using multiple env files per environment

When you manage distinct configurations for staging, production, or other deployment targets, encrypt each .env file separately and commit all the resulting .enc files:

Select the correct file at runtime with NODE_ENV

Use a NODE_ENV-based lookup in your application’s entry point to load the right file automatically:
src/index.ts
You can use any environment variable not just NODE_ENV to drive the file selection. A dedicated APP_ENV variable is often clearer than overloading NODE_ENV.

.gitignore best practices

Commit your encrypted .env.enc files and exclude all plaintext .env files. Add the following block to your .gitignore:
.gitignore
This pattern ensures that:
  • .env, .env.staging, .env.prod, and any other plaintext variants are never staged accidentally.
  • .env.enc, .env.staging.enc, .env.prod.enc, and similar encrypted files remain tracked in version control so your team and CI pipeline can decrypt them with the shared passphrase.
Run git status after updating .gitignore to confirm that no plaintext .env files are currently tracked. If a file was committed before the rule was added, use git rm --cached .env to stop tracking it without deleting it from disk, then commit the removal.