Skip to main content
This page records every public release of @vernonthedev/encryptd, including features shipped, bugs fixed, and any breaking changes. Releases follow Semantic Versioning. Beta releases are published to GitHub Packages with the beta dist-tag.

v0.0.1-beta.0 : 2026-07-14

Initial beta release of @vernonthedev/encryptd. This version establishes the complete encryption pipeline from Rust native crypto to the TypeScript loader and CLI and ships prebuilt platform binaries for four major targets.

Features

AES-256-GCM encryption via Rust native addon. Encryption and decryption are implemented in Rust using the aes-gcm crate, compiled to a Node.js native addon with napi-rs. The Rust layer is exposed to TypeScript through two functions: encryptEnv() and decryptEnv(). No JavaScript code sits in the cryptographic path. PBKDF2-HMAC-SHA256 key derivation. Keys are never used directly as AES keys. Every passphrase is stretched through PBKDF2-HMAC-SHA256 at 100,000 iterations, producing a 256-bit key. The high iteration count makes brute-force attacks against the passphrase significantly more expensive. Random 16-byte salt per encryption. A fresh cryptographically random 16-byte salt is generated on every call to encryptEnv() via OsRng. The salt is stored in the EnvPayload alongside the ciphertext, so decryption can always reproduce the same derived key without storing any key material on disk. Because the salt changes on every call, two encryptions of the same plaintext with the same passphrase produce different ciphertexts. Random 96-bit nonce per encryption. In addition to the salt, a fresh 96-bit (12-byte) AES-GCM nonce is generated per encryption. 96 bits is the NIST-recommended nonce length for GCM and is enforced by the underlying aes-gcm Rust crate. GCM authentication tag for tamper detection. AES-GCM produces a 16-byte authentication tag that covers the ciphertext. The tag is stored in the EnvPayload. During decryption, the tag is verified before any plaintext is returned a mismatch (wrong passphrase or modified file) causes an immediate error: [RustLib] Decryption failed. Wrong key or tampered file. secure-env encrypt CLI command. Encrypts a plaintext .env file and writes the EnvPayload JSON to an output file. Defaults: input .env, output .env.enc. Requires ENV_PASSPHRASE to be set. See the CLI reference for full argument documentation. secure-env decrypt CLI command. Decrypts a .env.enc file and prints the plaintext to stdout. Useful for verifying the contents of an encrypted file or recovering the original in an emergency. Requires ENV_PASSPHRASE to be set. config() library function. The high-level TypeScript entry point. Reads .env.enc, decrypts it, parses the KEY=VALUE lines, and populates process.env. Returns a Record<string, string> of all loaded variables. Accepts ConfigOptions for customizing the file path, passphrase source, and override behavior. See the API reference for full documentation. Cross-platform prebuilt binaries. Native .node binaries are prebuilt and published as optional platform packages, so no Rust toolchain is required at install time. The following targets ship with this release: Published to GitHub Packages. The package is available at @vernonthedev/encryptd on GitHub Packages. Installation requires an .npmrc entry pointing the @vernonthedev scope at the GitHub registry:
.npmrc
Install
This is a beta release. The public API (config(), encryptEnv(), decryptEnv()) and the EnvPayload file format are considered stable for the beta period, but may change before a 1.0.0 release. The version field in every EnvPayload ensures that files encrypted today will remain decryptable after any future format migration encryptd will use the version number to apply the correct decryption logic automatically.