From the creator of dotenv (20K on GitHub)

Secrets for Agents

The secrets CLI for agents—and developers. Protect secrets across prompts, code, and runtime.

Encrypted .env for agent stacks in one line.

Keep the .env interface agents already expect, but make it encrypted.

// before
require('dotenv').config()
// after
require('@dotenvx/dotenvx').config()

1. Install
   Replace dotenv with @dotenvx/dotenvx.

2. Encrypt
   Run dotenvx encrypt and protect your secrets.

3. Protect
   Protect secrets across prompts, code, and runtime.

Built-in for agent architecture.

Encrypt, inject, scope, and audit secrets without changing how agents run.

01 Encrypt
   dotenvx encrypt
   Commit ciphertext in .env files. Keep private keys separate from code.

02 Inject
   dotenvx run -- your-agent
   Decrypt only at runtime for the command or agent process that needs it.

   $ dotenvx run -- npm start
   ⟐ injecting env (14) from .env

03 Scope
   dotenvx run -f .env.production
   Load the right secret set per environment so agents only get what they should.

   .env  .env.production  .env.ci

04 Audit
   git diff .env*
   Track encrypted secret changes through Git history and PR review workflows.

   + DATABASE_URL="encrypted:..."
   + OPENAI_API_KEY="encrypted:..."

05 Rotate
   dotenvx rotate
   Rotate aging or compromised secrets without rewriting agent code.

   DOTENV_PRIVATE_KEY  v3  v4

Developers are talking about Dotenvx.

Installed 4 million times a week on npm.

Ben Holmes (Warp) @BHolmesDev

dotenvx is a really smart concept. Instead of plaintext .env’s, secrets are encrypted files. Agents can't read them, and they're shippable to cloud runners with a single key.

11:58 AM · Mar 4, 2026 · 65.9K views
コムテ @commte

For sharing .env, dotenvx is the best. A tool that lets you commit .env to Git while it stays encrypted. Same convenience, plus almost zero leak risk.
・No need to hand out plaintext .env files
・Cannot be decrypted even if pushed to GitHub
・Easy sharing in team development

1:08 AM · Dec 3, 2025 · 505.3K views
Kristian Freeman (Cloudflare) @kristianfreeman

Dotenvx looks like an interesting upgrade to .env. Automatic encrypting of each value, almost identical usage in CLI and API. Rails does something similar - though the whole file is encrypted!

10:25 AM · Jul 3, 2024 · 652 views
mizchi @mizchi

For the .env-and-AI problem, I wish dotenvx were more widely adopted.

6:49 AM · Mar 3, 2026 · 43.8K views
Zaid @zaidmukaddam

you can deploy env files to prod now? creators of dotenv have been working on dotenvx which encrypts your env variables so llms can’t read them, basically it keeps secrets from leaking into prompts or model context

10:53 AM · Jul 4, 2025 · 6,760 views
Kenn Ejima @kenn

Until now I had been sharing .env through 1Password, but I learned that dotenvx lets you encrypt the .env itself and manage it in git, so I decided to switch. Since the only thing to manage becomes a single private key, there is no more hassle of rotating API keys one by one when members come and go. Times are evolving!

8:58 PM · Mar 29, 2025 · 250.5K views

FAQ

Dotenvx uses Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt each secret with a unique ephemeral key, while ensuring it can be decrypted using a long-term private key.

When you initialize encryption, a DOTENV_PUBLIC_KEY (encryption key) and DOTENV_PRIVATE_KEY (decryption key) are generated. The DOTENV_PUBLIC_KEY is used to encrypt secrets, and the DOTENV_PRIVATE_KEY is securely stored in your cloud secrets manager or .env.keys file.

Your encrypted .env file is then safely committed to code. Even if the file is exposed, secrets remain protected since decryption requires the separate DOTENV_PRIVATE_KEY, which is never stored alongside it. Read the whitepaper for more details.

Yes. Dotenvx encrypts secrets using AES-256 with ephemeral keys, ensuring that even if the encrypted .env file is exposed, its contents remain secure. The encryption keys themselves are protected using Secp256k1 elliptic curve cryptography, which is widely used for secure key exchange in technologies like Bitcoin.

This means that every secret in the .env file is encrypted with a unique AES-256 key, and that key is further encrypted using a public key (Secp256k1). Even if an attacker obtains the encrypted .env file, they would still need the corresponding private key—stored separately—to decrypt anything.

Breaking this encryption would require brute-forcing both AES-256 and elliptic curve cryptography, which is computationally infeasible with current technology. Read the whitepaper for more details.

In the CircleCI breach the attacker accessed environment variables only. They could not access codebases. To steal your encrypted .env secrets, an attacker needs both – the private decryption key AND the encrypted .env files.

The future of secrets.
Available today.