Secrets for developers
Encrypt your .env files without changing your workflow.
Protect secrets in source code and AI prompts.
Same dotenv workflow, but encrypted.
Switch from plaintext .env files to encrypted .env files without changing how your app runs.
Install
Replace dotenv with @dotenvx/dotenvx.
Encrypt
Run dotenvx encrypt and protect your secrets.
Deploy + AI
Ship apps and AI prompts without plaintext secrets.
More capability. Zero plaintext secrets.
Protect secrets in source code and AI prompts with an upgrade that takes seconds.
dotenvx encrypt
Encryption
Commit ciphertext. Keep keys separate.
dotenvx run -- your-cmd
Cross Platform
Run anywhere. Works across languages.
git add .env
GitOps
Secrets, encrypted in Git. Decrypted only at runtime.
dotenvx run -f .env.production
Multiple Environments
Many contexts. Load only what you need.
Developers are talking about Dotenvx.
Installed almost 3 million times a week on npm.
Ben Holmes
@BHolmesDev
dotenvx is a really smart concept.
Instead of plaintext .env’s, secrets are encrypted files. Agents can't read them, and they're shippable to cloud runners with a single key.
コムテ
@commte
dotenvx is the best for sharing .env files. It is a tool that lets you commit .env to Git while it stays encrypted. Same convenience + almost zero leak risk. ・No need to hand out plaintext .env files ・Cannot be decrypted even if pushed to GitHub ・Easy to share in team development
Kristian Freeman
@kristianfreeman
Dotenvx looks like an interesting upgrade to .env. Automatic encrypting of each value, almost identical usage in CLI and API. Rails does something similar - though the whole file is encrypted!
mizchi
@mizchi
The .env-and-AI problem: I think it would be good if dotenvx became more widespread.
Zaid
@zaidmukaddam
You can deploy env files to prod now? The creators of dotenv have been working on dotenvx, which encrypts your env variables so LLMs can't read them; basically it keeps secrets from leaking into prompts or model context.
Kenn Ejima
@kenn
Until now I shared .env files via 1Password, but I learned that with dotenvx you can encrypt the .env itself and manage it in git, so I decided to switch. Since the only thing left to manage is a single private key, there is no more hassle of rotating API keys individually when members come and go. Times are evolving!
FAQ
Dotenvx uses Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt each secret with a unique ephemeral key, while ensuring it can be decrypted using a long-term private key.
When you initialize encryption, a DOTENV_PUBLIC_KEY (encryption key) and DOTENV_PRIVATE_KEY (decryption key) are generated. The DOTENV_PUBLIC_KEY is used to encrypt secrets, and the DOTENV_PRIVATE_KEY is securely stored in your cloud secrets manager or .env.keys file.
Your encrypted .env file is then safely committed to code. Even if the file is exposed, secrets remain protected, since decryption requires the separate DOTENV_PRIVATE_KEY, which is never committed alongside it (keep .env.keys out of version control). Read the whitepaper for more details.
Yes. Dotenvx encrypts each secret with AES-256 under a fresh, per-value key, so even if the encrypted .env file is exposed its contents remain secure. Those per-value keys are protected with secp256k1 elliptic-curve cryptography, the same curve Bitcoin uses for its signatures.
This means that every secret in the .env file is encrypted with its own AES-256 key, and that key can only be reconstructed by the holder of the matching secp256k1 private key (it is derived from an ephemeral Diffie-Hellman exchange against the public key, as ECIES prescribes). Even if an attacker obtains the encrypted .env file, they still need the corresponding private key, stored separately, to decrypt anything.
Breaking the scheme would require defeating either AES-256 or the secp256k1 discrete-logarithm problem, and neither is computationally feasible with current technology. The guarantee is only as strong as the protection of DOTENV_PRIVATE_KEY itself: anyone who obtains it can decrypt every value encrypted under the matching public key. Read the whitepaper for more details.
In the CircleCI breach, the attacker accessed environment variables only; they could not access codebases. To steal your encrypted .env secrets, an attacker needs both the private decryption key and the encrypted .env files.