Skip to main content
The secure-env binary ships with @vernonthedev/encryptd and provides two subcommands: encrypt converts a plaintext .env file into an encrypted .env.enc JSON file, and decrypt reverses that process, printing the plaintext to stdout. Both commands require the passphrase to be available in the ENV_PASSPHRASE environment variable before they run.

secure-env encrypt

The encrypt subcommand reads the plaintext input file, encrypts it with AES-256-GCM using the key derived from ENV_PASSPHRASE, and writes the resulting EnvPayload JSON to the output file. A success message is printed to stdout on completion.

Syntax

Arguments

inputFile
string
default:".env"
Path to the plaintext .env file to encrypt. Resolved relative to the current working directory. The file must exist or the command exits with an error.
outputFile
string
default:".env.enc"
Path where the encrypted JSON file will be written. The file is created or overwritten. Resolved relative to the current working directory.

Environment variables

Examples


secure-env decrypt

The decrypt subcommand reads the encrypted JSON file produced by secure-env encrypt, decrypts it using ENV_PASSPHRASE, and prints the recovered plaintext to stdout. Nothing is written to disk.

Syntax

Arguments

inputFile
string
default:".env.enc"
Path to the encrypted .env.enc file to decrypt. Must be valid JSON matching the EnvPayload schema.

Environment variables

Examples

The decrypt command prints decrypted content to stdout only it does not write a file or mutate process.env. If you need the env vars loaded into a running Node.js process, use the config() library function instead.

Exit behavior

The CLI exits with a non-zero status code in the following situations:
If you receive [RustLib] Decryption failed, check that ENV_PASSPHRASE is set to exactly the same value that was used when the file was encrypted including case and any special characters. The error is intentionally non-specific: the CLI cannot distinguish between a wrong passphrase and a tampered file.

Usage without npx

If you install @vernonthedev/encryptd as a local dev dependency, the secure-env binary is available inside node_modules/.bin/. You can invoke it directly or through your package manager’s exec command.
You can also wire encrypt and decrypt up as npm scripts to avoid typing the full binary path every time:
package.json