.env files to version control is one of the most common ways secrets database passwords, API keys, and tokens end up exposed. encryptd solves this by encrypting your .env file into a .env.enc file that is safe to store in your repository. Your secrets stay protected behind a passphrase, decrypted only at runtime, so the plaintext file never needs to touch version control at all.
How it works
encryptd uses AES-256-GCM, one of the strongest symmetric encryption algorithms available, to encrypt and decrypt your.env files. When you encrypt, encryptd derives a 32-byte key from your passphrase using PBKDF2-HMAC-SHA256 with 100,000 iterations and a random salt. It then encrypts the file contents with a random 96-bit nonce and writes the result as a self-contained JSON blob containing the encrypted salt, IV, ciphertext, and authentication tag. Because a fresh nonce and salt are generated on every run, encrypting the same file twice always produces different output preventing ciphertext-comparison attacks.
At runtime, you supply your passphrase via the ENV_PASSPHRASE environment variable or directly in code, and encryptd decrypts .env.enc back into your environment variables automatically.
Two ways to use encryptd
Use encryptd in whichever way fits your workflow best:- CLI: run
secure-env encryptandsecure-env decryptdirectly from your terminal or CI pipeline, without writing any application code. - Node.js library: call
config()from@vernonthedev/encryptdin your application’s entry point to decrypt and load variables intoprocess.envat startup.
ENV_PASSPHRASE environment variable by default, making it straightforward to inject secrets through your platform’s secret manager without hardcoding anything in your source code.
Rust-powered performance and security
The cryptographic core of encryptd is written in Rust using theaes-gcm crate and exposed to Node.js through a native addon. Encryption and decryption run at native speed rather than inside the JavaScript runtime. Prebuilt binaries are bundled for all supported platforms, so you do not need the Rust toolchain or any C compiler installed on your machine or in your CI environment.
Next steps
Installation
Configure GitHub Packages and add encryptd to your project.
Quickstart
Encrypt your first
.env file and load it in your app in five minutes..png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)