config() function accepts an optional options object that lets you customise the encrypted file path, provide the passphrase inline, and control whether existing process.env values are overwritten. This page covers every available option, how to supply your passphrase securely across different environments, and patterns for managing multiple encrypted files per deployment stage.
config() options reference
All options are optional. When you omit an option, config() applies the default listed below.
Setting ENV_PASSPHRASE
encryptd reads the passphrase from the ENV_PASSPHRASE environment variable when you do not supply options.passphrase explicitly. This approach keeps the passphrase out of your source code entirely.
In your local shell
ExportENV_PASSPHRASE in your current terminal session before running the CLI or starting your application:
In GitHub Actions
Store the passphrase as an encrypted repository secret and inject it into your workflow via theenv block. encryptd will read it from ENV_PASSPHRASE automatically:
.github/workflows/deploy.yml
Add
ENV_PASSPHRASE under Settings → Secrets and variables → Actions in your GitHub repository. The value is masked in workflow logs and never exposed in plain text.Using multiple env files per environment
When you manage distinct configurations for staging, production, or other deployment targets, encrypt each.env file separately and commit all the resulting .enc files:
Select the correct file at runtime with NODE_ENV
Use a NODE_ENV-based lookup in your application’s entry point to load the right file automatically:
src/index.ts
.gitignore best practices
Commit your encrypted .env.enc files and exclude all plaintext .env files. Add the following block to your .gitignore:
.gitignore
.env,.env.staging,.env.prod, and any other plaintext variants are never staged accidentally..env.enc,.env.staging.enc,.env.prod.enc, and similar encrypted files remain tracked in version control so your team and CI pipeline can decrypt them with the shared passphrase.
.png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)