Documentation
.env.keys
`.env.keys` holds your private decryption keys.
Format
.env.keys
#/------------------!DOTENV_PRIVATE_KEYS!-------------------/
#/ private decryption keys. DO NOT commit to source control /
#/ [how it works](https://dotenvx.com/encryption) /
#/----------------------------------------------------------/
# .env
DOTENV_PRIVATE_KEY="ccc387ba193a315cbcd1ad7d8d007e6124763894554418e7c90b7dbcd7edca23"
# .env.production
DOTENV_PRIVATE_KEY_PRODUCTION="d4d2e22102c58f741cdddacaf69a1a64751fc014aafb90de0f1e7e6cb4d08330"
Some quick takeaways:
- It uses the
.envformat DOTENV_PRIVATE_KEYcontains the decryption key for.envDOTENV_PRIVATE_KEY_PRODUCTIONcontains the decryption key for.env.production
Encryption
secp256k1 is the public-key encryption algorithm used to generate the public/private key pair.
Generating
It's auto-generated when running dotenvx set KEY value --encrypt.
$ dotenvx set HELLO World --encrypt
set HELLO with encryption (.env)
Do not commit .env.keys to source code. Keep them somewhere safe like 1Password.
History
The .env.keys file originally came out of development work on dotenv-vault in early 2023. It's current format came out about during an effort in May 2024 to support encryption without the ability to decrypt.