Documentation
Quickstart Encryption
⚡️

Encryption

Add encryption to your `.env` files with a single command. Pass the `--encrypt` flag.

dotenvx set --encrypt

$ touch .env
$ echo "console.log('Hello ' + process.env.HELLO)" > index.js

$ dotenvx set HELLO World --encrypt

Your .env file will now look something like this.

.env

#/-------------------[DOTENV_PUBLIC_KEY]--------------------/
#/            public-key encryption for .env files          /
#/       [how it works](https://dotenvx.com/encryption)     /
#/----------------------------------------------------------/
DOTENV_PUBLIC_KEY="037cfbfc90234cfdab7eb54050566293789efaa1a35dc420749662db400dc9c4b2"

# .env
HELLO="encrypted:BAZb6wDPFaFeFzq8Ut48oiNFSPtYvJmv4AwVDFVcNKiIcGxrxuRIFGWxZ3xVjxOgOo6w65bWFTpAfbatSz52+VvwDYZ3nFUO828nzovH5ZhsIoxPuPb7K0ZphmNynR7Hxci4a+fB"

The public encryption key DOTENV_PUBLIC_KEY is placed at the top of your .env file. This allows anyone on your team to encrypt secrets.

The private decryption key DOTENV_PRIVATE_KEY is placed in your .env.keys file. Only those holding this key can decrypt secrets.

DOTENV_PRIVATE_KEY

Locate your DOTENV_PRIVATE_KEY in .env.keys

cat .env.keys

$ cat .env.keys

.env.keys

#/------------------!DOTENV_PRIVATE_KEYS!-------------------/
#/ private decryption keys. DO NOT commit to source control /
#/     [how it works](https://dotenvx.com/encryption)       /
#/----------------------------------------------------------/

# .env
DOTENV_PRIVATE_KEY="81dac4d2c42e67a2c6542d3b943a4674a05c4be5e7e5a40a689be7a3bd49a07e"

Run

In development the dotenvx run command reads from your .env.keys file to decrypt and inject your secrets at runtime.

development

$ dotenvx run -- node index.js
[[email protected]] injecting env (2) from .env
Hello World

In production, do NOT include your .env.keys file. Instead, set your DOTENV_PRIVATE_KEY ahead of your dotenvx run command and it will smartly run the associated .env file - decrypting and injecting your secrets at runtime.

production

$ dotenvx set HELLO production --encrypt -f .env.production
$ DOTENV_PRIVATE_KEY_PRODUCTION="4a650a4159790e2341a388ebcd7526036fd33cc6240667c7cd940cde7b11cfaf" dotenvx run -- node index.js
[[email protected]] injecting env (2) from .env.production
Hello production
> :-D

No more scattering your secrets across multiple third-parties platforms where they could leak!