@vernonthedev/encryptd exports three public functions. The high-level config() function covers the common case of loading an encrypted .env.enc file into your Node.js process. The lower-level encryptEnv() and decryptEnv() functions are thin TypeScript wrappers around the Rust native addon (napi-rs) and give you direct access to the AES-256-GCM primitives when you need programmatic control over encryption without involving the filesystem.
config(options?)
config() reads the encrypted env file at options.path, decrypts it using the supplied passphrase, writes all parsed key/value pairs into process.env, and returns them as a plain object.
Parsing follows standard .env conventions: blank lines and # comments are ignored, quoted values have their surrounding quotes stripped, and keys that already exist in process.env are left untouched unless you set override: true.
Parameters
Configuration object. All fields are optional sensible defaults apply when omitted.
Path to the encrypted env file, resolved relative to
process.cwd(). Accepts both relative and absolute paths.Passphrase used for PBKDF2 key derivation and AES-256-GCM decryption. Falls back to
process.env.ENV_PASSPHRASE when omitted. An error is thrown if neither source provides a value.When
false, keys that already exist in process.env are preserved. Set to true to overwrite existing values with those from the encrypted file.Return value
A plain object containing every key/value pair parsed from the decrypted file. All values are strings. The same pairs are also written into
process.env.TypeScript example
encryptEnv(plainText, passphrase)
encryptEnv() is a low-level Rust bridge that encrypts an arbitrary string with AES-256-GCM. It generates a fresh random 16-byte PBKDF2 salt and a fresh random 96-bit nonce on every call, so the same input always produces different ciphertext.
Most users will not call this function directly. Prefer the
secure-env encrypt CLI command to produce .env.enc files, or call config() in application code. encryptEnv() is useful when you need to encrypt programmatically for example, in a key-rotation script.Parameters
The plaintext string to encrypt. For
.env use-cases this is the raw contents of your .env file, but the function accepts any UTF-8 string.Passphrase passed to PBKDF2-HMAC-SHA256 (100,000 iterations) to derive the 256-bit AES key.
Return value
An
EnvPayload object containing the hex-encoded salt, IV, ciphertext, and authentication tag. See the EnvPayload reference for the full field listing.decryptEnv(payload, passphrase)
decryptEnv() is a low-level Rust bridge that decrypts an EnvPayload produced by encryptEnv() or by the secure-env encrypt CLI. The GCM authentication tag is verified automatically; if the tag does not match meaning either the wrong passphrase was supplied or the file was tampered with the function throws.
Parameters
The
EnvPayload object to decrypt. All four required fields (salt, iv, content, tag) must be present and hex-encoded.The passphrase that was used when the payload was originally encrypted. Must match exactly.
Return value
The decrypted UTF-8 string the original content that was passed to
encryptEnv().Errors
All errors thrown by@vernonthedev/encryptd are standard JavaScript Error objects. The message always starts with a source prefix [SrcIndex] for TypeScript-layer errors and [RustLib] for errors originating in the Rust native addon to make stack traces easier to read.
.png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)