@asdsadw12312dwd2112xz/env-encrypt-cli
v1.0.0
Encrypt and decrypt .env file values for secure storage in git
env-encrypt-cli
Encrypt and decrypt .env file values for secure storage in git.
Values are encrypted with AES-256-GCM while the variable names (keys) remain readable:
DB_HOST=enc:v1:base64data...
DB_PORT=enc:v1:base64data...
Install
npm install -g env-encrypt-cli
Usage
Encrypt
# Encrypt .env → .env.encrypted
env-encrypt-cli encrypt -k my-secret-key
# Custom input/output
env-encrypt-cli encrypt -i .env.production -o .env.production.encrypted -k my-secret-key
# Key from environment variable
export ENV_ENCRYPT_KEY="my-secret-key"
env-encrypt-cli encrypt
# Key from file
env-encrypt-cli encrypt --key-file ./secret.key
Decrypt
# Decrypt .env.encrypted → .env
env-encrypt-cli decrypt -k my-secret-key
# Custom input/output
env-encrypt-cli decrypt -i .env.production.encrypted -o .env.production -k my-secret-key
Rotate Key
# Re-encrypt all values with a new key
env-encrypt-cli rotate -k old-key --new-key new-key
Key Resolution
Keys are resolved in this order:
- --key-file <file> — read key from a file
- -k / --key <value> — if the value matches ^[A-Z_][A-Z0-9_]*$, it is treated as an environment variable name; otherwise it is used as a literal key
- ENV_ENCRYPT_KEY environment variable
Encrypted Format
Each encrypted value uses the format:
enc:v1:<base64(salt + iv + authTag + ciphertext)>
- Algorithm: AES-256-GCM
- Key derivation: scrypt (32-byte salt)
- IV: 16 bytes, random per value
- Auth tag: 16 bytes (GCM integrity)
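The layout above, as an added Node.js example that is not the package's own code: it builds and parses an enc:v1 value with the stated field sizes and shows that a modified value fails the GCM tag check. The scrypt cost parameters (Node's defaults), UTF-8 handling, the function names and the sample inputs are assumptions, so values produced here are not guaranteed to interoperate with the CLI.

```javascript
// Added example. Assumptions: scrypt with Node's default cost parameters,
// passphrase and plaintext handled as UTF-8. Sample inputs are constructed.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const PREFIX = 'enc:v1:';
const SALT_LEN = 32, IV_LEN = 16, TAG_LEN = 16;
const HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;

function encryptValue(plaintext, passphrase) {
  const salt = randomBytes(SALT_LEN);           // fresh salt and IV per value
  const iv = randomBytes(IV_LEN);
  const key = scryptSync(passphrase, salt, 32); // 32-byte key for AES-256
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return PREFIX + Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptValue(value, passphrase) {
  if (!value.startsWith(PREFIX)) throw new Error('not an enc:v1 value');
  const blob = Buffer.from(value.slice(PREFIX.length), 'base64');
  if (blob.length < HEADER_LEN) throw new Error('value too short');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const key = scryptSync(passphrase, salt, 32);
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: wrong key or modified bytes.
  return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]).toString('utf8');
}

// Flip one bit in the last ciphertext byte to model corruption in the repo.
function corrupt(value) {
  const blob = Buffer.from(value.slice(PREFIX.length), 'base64');
  blob[blob.length - 1] ^= 0x01;
  return PREFIX + blob.toString('base64');
}

function isRejected(value, passphrase) {
  try { decryptValue(value, passphrase); return false; } catch { return true; }
}

const sample = encryptValue('db.internal.example', 'constructed-demo-key');
console.log(sample.slice(0, 24) + '...', decryptValue(sample, 'constructed-demo-key'));
console.log('corrupted value rejected:', isRejected(corrupt(sample), 'constructed-demo-key'));
```

Because salt and IV are random per value, encrypting the same .env twice yields different ciphertext for every line, which shows up as a full-file diff in git.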
Workflow
- Add .env to .gitignore
- Encrypt: env-encrypt-cli encrypt -k $KEY
- Commit .env.encrypted
- On deploy/checkout: env-encrypt-cli decrypt -k $KEY
License
MIT
