@vernonthedev/encryptd exports three public functions you can use directly in your Node.js application code. The high-level config() function covers the common case of loading an encrypted .env.enc file into process.env at startup. The lower-level encryptEnv() and decryptEnv() functions are thin TypeScript wrappers around the Rust native addon and give you direct access to the AES-256-GCM primitives when you need programmatic control for example, in a key-rotation or secret-management script.
Importing the package
Start by importing the functions you need from@vernonthedev/encryptd:
config(options?)
Call config() early in your application’s entry point, before any code that reads from process.env. It reads the encrypted env file, decrypts it using the passphrase, parses the key-value pairs according to standard .env conventions, and writes them into process.env. It also returns all parsed pairs as a plain object so you can use values directly without reading from process.env.
Parsing follows standard .env conventions: blank lines and # comments are ignored, quoted values have their surrounding quotes stripped, and keys that already exist in process.env are left untouched unless you set override: true.
1
Call config() with defaults
With no arguments,
config() reads .env.enc from the current working directory and uses ENV_PASSPHRASE from the environment for decryption:src/index.ts
2
Call config() with all options
Pass an options object to customise the file path, supply the passphrase inline, or force-overwrite existing
process.env keys:src/index.ts
3
Use the return value
config() returns a Record<string, string> containing every key-value pair parsed from the decrypted file. All values are strings, mirroring the behaviour of process.env:Parameters
encryptEnv(plainText, passphrase)
encryptEnv() is a low-level Rust bridge that encrypts an arbitrary UTF-8 string with AES-256-GCM. It generates a fresh random 16-byte PBKDF2 salt and a fresh random 96-bit nonce on every call, so the same input always produces a different ciphertext. It returns an EnvPayload object containing the hex-encoded salt, IV, ciphertext, and GCM authentication tag.
Most application code does not need to call
encryptEnv() directly. Use the secure-env encrypt CLI command to produce .env.enc files as part of your workflow, and call config() at runtime to load them. Reserve encryptEnv() and decryptEnv() for programmatic use cases such as key-rotation scripts, secret-management tooling, or test fixtures that need to generate encrypted payloads on the fly.Parameters
decryptEnv(payload, passphrase)
decryptEnv() is the counterpart low-level Rust bridge that decrypts an EnvPayload produced by encryptEnv() or by the secure-env encrypt CLI. The GCM authentication tag is verified automatically, if the tag does not match, meaning the wrong passphrase was supplied or the ciphertext was tampered with, the function throws a [RustLib] Decryption failed error.
Parameters
Errors
All errors thrown by@vernonthedev/encryptd are standard JavaScript Error objects. The message always starts with a source prefix [SrcIndex] for errors originating in the TypeScript layer, or [RustLib] for errors originating in the Rust native addon to make stack traces easier to triage.
.png?fit=max&auto=format&n=Fjc5BJwQaMa3_uyF&q=85&s=4368c06aabf42347a7a04b5f52aafc0d)