secure-env binary ships with @vernonthedev/encryptd and provides two subcommands: encrypt converts a plaintext .env file into an encrypted .env.enc JSON file, and decrypt reverses that process, printing the plaintext to stdout. Both commands require the passphrase to be available in the ENV_PASSPHRASE environment variable before they run.
secure-env encrypt
The encrypt subcommand reads the plaintext input file, encrypts it with AES-256-GCM using the key derived from ENV_PASSPHRASE, and writes the resulting EnvPayload JSON to the output file. A success message is printed to stdout on completion.
Syntax
Arguments
Path to the plaintext
.env file to encrypt. Resolved relative to the current working directory. The file must exist or the command exits with an error.Path where the encrypted JSON file will be written. The file is created or overwritten. Resolved relative to the current working directory.
Environment variables
Examples
secure-env decrypt
The decrypt subcommand reads the encrypted JSON file produced by secure-env encrypt, decrypts it using ENV_PASSPHRASE, and prints the recovered plaintext to stdout. Nothing is written to disk.
Syntax
Arguments
Path to the encrypted
.env.enc file to decrypt. Must be valid JSON matching the EnvPayload schema.Environment variables
Examples
The
decrypt command prints decrypted content to stdout only it does not write a file or mutate process.env. If you need the env vars loaded into a running Node.js process, use the config() library function instead.Exit behavior
The CLI exits with a non-zero status code in the following situations:Usage without npx
If you install @vernonthedev/encryptd as a local dev dependency, the secure-env binary is available inside node_modules/.bin/. You can invoke it directly or through your package manager’s exec command.
encrypt and decrypt up as npm scripts to avoid typing the full binary path every time:
package.json
.png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)