EnvPayload is the TypeScript type that represents an encrypted .env.enc file. Every call to encryptEnv() returns an EnvPayload, every call to decryptEnv() accepts one as its first argument, and the secure-env encrypt and secure-env decrypt CLI commands read and write the same structure serialized as JSON on disk. All binary fields salt, IV, ciphertext, and authentication tag are stored as lowercase hexadecimal strings so the file is human-readable and safely embeds in version control workflows.
Fields
The table below summarizes all five fields in anEnvPayload.
Field reference
Schema version integer, currently always
1. encryptd checks this field when decrypting so it can apply the correct decryption logic if the format ever changes. Files encrypted today will remain decryptable after any future format migration.32-character lowercase hex string representing the 16 random bytes generated by
OsRng at encryption time. The salt is stored here so decryption can re-derive the exact same AES key via PBKDF2-HMAC-SHA256 (100,000 iterations) without storing any key material on disk.24-character lowercase hex string representing the 12-byte (96-bit) AES-GCM nonce generated by
OsRng at encryption time. Because a fresh nonce is generated on every encryption, two encryptions of the same plaintext with the same passphrase will always produce different iv and content values.Variable-length lowercase hex string containing the AES-256-GCM ciphertext. The byte length of the original plaintext and the byte length of the ciphertext are identical AES-GCM is a stream cipher mode and does not add padding.
32-character lowercase hex string representing the 16-byte GCM authentication tag. The tag is computed over the ciphertext during encryption and re-verified in a single atomic operation during decryption. If verification fails due to a wrong passphrase or any modification to the file decryption halts immediately with
[RustLib] Decryption failed. Wrong key or tampered file.JSON example
After runningsecure-env encrypt, your .env.enc file looks like this:
.env.enc
How EnvPayload flows through the library
EnvPayload is the central data type that connects every part of encryptd:
encryptEnv(plainText, passphrase)returns anEnvPayload. You can serialize it to disk withJSON.stringifyor pass it directly todecryptEnv().decryptEnv(payload, passphrase)accepts anEnvPayloadas its first argument. All four binary fields (salt,iv,content,tag) must be present and valid hexadecimal; malformed hex causes an immediate descriptive error.secure-env encryptwrites a JSON-serializedEnvPayloadto the output file.secure-env decryptreads a JSON-serializedEnvPayloadfrom the input file and deserializes it before passing it to the Rust decryption layer.config()reads and deserializes theEnvPayloadinternally; you never interact with it directly when using this high-level function.
All binary fields are hex-encoded strings, not raw bytes or Base64. This makes the
.env.enc file easy to inspect, diff, and store in version control without binary noise..png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)