npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

devdotenv

v1.0.1

Published

A CLI tool for securely encrypting and decrypting .env files using AES-256-GCM

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

guinatguinat

Keywords

encryptionenvsecuritycliaesdotenvenvironmentvariables

Readme

DevDotEnv

A CLI tool for securely encrypting and decrypting .env files using AES-256-GCM encryption with optional custom obfuscation.

Security Features

  • AES-256-GCM encryption with randomly generated 12-byte IV
  • Authentication tags for data integrity verification
  • Custom obfuscation layer (XOR + byte shuffling) before AES encryption
  • 256-bit encryption keys stored as Base64 in local key files
  • Content integrity checks with SHA-256 checksums
  • Metadata tracking (timestamp, size, checksum) in encrypted files
  • Smart .gitignore management - automatically updates your .gitignore
  • Simple naming - always encrypts to voynich.encrypted

Important Security Notice

This tool is designed for development use only and should not be considered a replacement for a full secrets management system in production environments. While it uses strong encryption (AES-256-GCM), proper secrets management in production requires additional security measures, access controls, and infrastructure that this tool does not provide.

Installation

Using npx (Recommended - No Global Installation)

# No installation needed! Use directly with npx
npx devdotenv init
npx devdotenv encrypt .env
npx devdotenv decrypt

Local Installation

npm install devdotenv
npx devdotenv init

Development

git clone https://github.com/guinat/devdotenv-node.git
cd devdotenv-node
npm install
npm link  # Makes 'devdotenv' command available globally

Quick Start

  1. Initialize encryption key and setup .gitignore:

    npx devdotenv init

  2. Create a sample .env file:

    echo "API_KEY=secret123
DATABASE_URL=postgresql://user:pass@localhost/db
DEBUG=true" > .env

  3. Encrypt files (sequential numbering):

    npx devdotenv encrypt .env
# Creates voynich-0.encrypted

npx devdotenv encrypt .env.production
# Creates voynich-1.encrypted

npx devdotenv encrypt config.json
# Creates voynich-2.encrypted

  4. Decrypt files:

    npx devdotenv decrypt
# Auto-detects and decrypts to .env (if only one encrypted file)

npx devdotenv decrypt --list
# Lists all available encrypted files

npx devdotenv decrypt voynich-1.encrypted .env.production
# Decrypt specific file to specific output

CLI Commands

npx devdotenv init

Generate a new 256-bit encryption key and setup .gitignore.

npx devdotenv init [options]

Options:

  • -f, --force - Overwrite existing key file
  • -k, --key-path <path> - Path to key file (default: .devdotenv.key)

What it does:

  • Creates a new encryption key
  • Updates .gitignore to exclude key files and voynich-*.encrypted files
  • Shows you what was added to .gitignore

Examples:

npx devdotenv init                    # Create key with default settings
npx devdotenv init --force           # Overwrite existing key
npx devdotenv init -k ./keys/my.key  # Custom key location

npx devdotenv encrypt

Encrypt any file to next available voynich-X.encrypted.

npx devdotenv encrypt [input-file] [options]

Arguments:

  • input-file - File to encrypt (default: .env)

Options:

  • -k, --key-path <path> - Path to key file (default: .devdotenv.key)
  • --no-obfuscation - Disable custom obfuscation layer
  • -b, --backup - Create backup of original file

Examples:

npx devdotenv encrypt                    # Encrypt .env → voynich-0.encrypted
npx devdotenv encrypt .env.production    # Encrypt .env.production → voynich-1.encrypted
npx devdotenv encrypt config.json       # Encrypt config.json → voynich-2.encrypted
npx devdotenv encrypt -b                 # Create backup before encryption
npx devdotenv encrypt --no-obfuscation   # Skip obfuscation layer

npx devdotenv decrypt

Decrypt a specific voynich-X.encrypted file.

npx devdotenv decrypt [input-file] [output-file] [options]

Arguments:

  • input-file - Encrypted file to decrypt (auto-detected if only one exists)
  • output-file - Decrypted output file (default: .env)

Options:

  • -k, --key-path <path> - Path to key file (default: .devdotenv.key)
  • -b, --backup - Create backup of existing output file
  • --verify - Verify integrity without writing output
  • --list - List all available encrypted files

Examples:

npx devdotenv decrypt                           # Auto-detect if only one file
npx devdotenv decrypt --list                    # List all encrypted files
npx devdotenv decrypt voynich-0.encrypted      # Decrypt to .env
npx devdotenv decrypt voynich-1.encrypted .env.production  # Decrypt to specific file
npx devdotenv decrypt voynich-2.encrypted config.json      # Decrypt to config.json
npx devdotenv decrypt --verify                 # Verify without writing
npx devdotenv decrypt -b                       # Create backup of existing output

File Strategy

DevDotEnv uses sequential numbering for encrypted files:

Sequential Naming

  • Encrypted files: voynich-0.encrypted, voynich-1.encrypted, voynich-2.encrypted, etc.
  • Key file: Always .devdotenv.key

Why sequential numbering?

  • Simple: Easy to track multiple encrypted files
  • Predictable: Always finds the next available number
  • Git-friendly: Pattern voynich-*.encrypted covers all files
  • Historical: Named after the Voynich Manuscript, the most famous encrypted text in history

Workflow:

# Sequential encryption
.env                 → voynich-0.encrypted
.env.production      → voynich-1.encrypted
.env.staging         → voynich-2.encrypted
config.json          → voynich-3.encrypted

# Targeted decryption
voynich-0.encrypted  → .env
voynich-1.encrypted  → .env.production
voynich-2.encrypted  → .env.staging
voynich-3.encrypted  → config.json

.gitignore Management

DevDotEnv automatically manages your .gitignore to ensure security:

What gets added:

# DevDotEnv - never commit these files!
.devdotenv.key
.devdotenv.key.backup

Important: The encrypted files (voynich-*.encrypted) are NOT added to .gitignore because these are the files you want to commit to your repository. Only the encryption key and its backups are kept private.

Smart updates:

  • Creates .gitignore if it doesn't exist
  • Appends entries if .gitignore exists but entries are missing
  • Skips if entries already present
  • Non-destructive - never removes existing entries

Usage Examples

Basic Workflow

# 1. Setup (one time)
npx devdotenv init

# 2. Encrypt your secrets
npx devdotenv encrypt .env                    # → voynich-0.encrypted

# 3. Commit encrypted file (safe!)
git add voynich-0.encrypted .gitignore
git commit -m "Add encrypted environment variables"

# 4. Decrypt when needed
npx devdotenv decrypt                         # Auto-detects voynich-0.encrypted

Multiple Environments

# Encrypt different environment files
npx devdotenv encrypt .env.development        # → voynich-0.encrypted
git add voynich-0.encrypted && git commit -m "Add development secrets"

npx devdotenv encrypt .env.staging            # → voynich-1.encrypted
git add voynich-1.encrypted && git commit -m "Add staging secrets"

npx devdotenv encrypt .env.production         # → voynich-2.encrypted
git add voynich-2.encrypted && git commit -m "Add production secrets"

# List all encrypted files
npx devdotenv decrypt --list

# Decrypt specific environments
npx devdotenv decrypt voynich-0.encrypted .env.development
npx devdotenv decrypt voynich-1.encrypted .env.staging
npx devdotenv decrypt voynich-2.encrypted .env.production

Mixed File Types

# Encrypt different types of files
npx devdotenv encrypt .env                    # → voynich-0.encrypted
npx devdotenv encrypt database.config        # → voynich-1.encrypted
npx devdotenv encrypt api-keys.json          # → voynich-2.encrypted
npx devdotenv encrypt secrets.yaml           # → voynich-3.encrypted

# Decrypt to original formats
npx devdotenv decrypt voynich-0.encrypted .env
npx devdotenv decrypt voynich-1.encrypted database.config
npx devdotenv decrypt voynich-2.encrypted api-keys.json
npx devdotenv decrypt voynich-3.encrypted secrets.yaml

Security Implementation

Encryption Process

  1. Metadata Addition: Timestamp, size, and SHA-256 checksum added to content
  2. Custom Obfuscation (if enabled):
    • XOR obfuscation with key-derived XOR key
    • Deterministic byte shuffling using Fisher-Yates algorithm
  3. AES-256-GCM Encryption:
    • Random 12-byte IV generated for each encryption
    • Authenticated encryption with 16-byte authentication tag
  4. File Format: Binary format with version, flags, IV, auth tag, and encrypted data
  5. Base64 Encoding: Final output encoded as Base64 string

Key Management

  • 256-bit keys generated using cryptographically secure random number generator
  • Keys stored as Base64 strings in local files
  • File permissions set to 600 (owner read/write only) on Unix systems
  • Keys are deterministically derived for obfuscation operations

Integrity Verification

  • SHA-256 checksums verify content integrity
  • AES-GCM authentication tags prevent tampering
  • Metadata tracking helps identify corruption or version mismatches

Project Structure

devdotenv/
├── bin/
│   └── cli.js              # CLI entry point
├── lib/
│   ├── index.js           # Main library exports
│   ├── key.js             # Key generation and management
│   ├── encrypt.js         # AES-256-GCM encryption
│   ├── decrypt.js         # AES-256-GCM decryption
│   ├── customAlgo.js      # Custom obfuscation algorithms
│   └── utils.js           # File and utility functions
├── test/
│   ├── key.test.js        # Key management tests
│   ├── encrypt-decrypt.test.js  # Encryption/decryption tests
│   └── customAlgo.test.js # Obfuscation algorithm tests
├── package.json
├── README.md
└── .gitignore

Testing

Run the test suite:

npm test                # Run all tests
npm run test:watch      # Run tests in watch mode

Best Practices

Development Workflow

  1. Initialize once: Run npx devdotenv init once per project
  2. Keep key secure: Never commit .devdotenv.key to version control
  3. Encrypt for storage: Use npx devdotenv encrypt before committing
  4. Decrypt for development: Use npx devdotenv decrypt when starting work
  5. One at a time: Only one encrypted file (voynich.encrypted) per commit

Team Collaboration

  1. Share keys securely: Distribute .devdotenv.key through secure channels
  2. Clear workflow: Use consistent encrypt → commit → decrypt cycle
  3. Verify integrity: Use npx devdotenv decrypt --verify to check files
  4. Backup important files: Use -b flag for backup creation

Security Considerations

  • Development only: Don't use for production secrets management
  • Key protection: Store keys in secure, backed-up locations
  • Access control: Limit access to key files and encrypted content
  • Audit trail: Keep records of key rotations and file changes

Troubleshooting

Common Issues

Error: No encrypted files found

# Make sure you've encrypted a file first
npx devdotenv encrypt .env
# Creates voynich-0.encrypted

# Or check what files exist
npx devdotenv decrypt --list

Error: Multiple encrypted files found, please specify which one

# List all available encrypted files
npx devdotenv decrypt --list

# Then decrypt the specific file you want
npx devdotenv decrypt voynich-1.encrypted .env.production

Error: Encrypted file not found: voynich-X.encrypted

# Check what encrypted files exist
npx devdotenv decrypt --list

# Use the correct filename
npx devdotenv decrypt voynich-0.encrypted

Error: Key file not found

npx devdotenv init  # Generate a new key

Error: Decryption failed: invalid key or corrupted data

  • Check if you're using the correct key file
  • Verify the encrypted file hasn't been corrupted
  • Ensure file was encrypted with the same key

License

MIT License - see LICENSE file for details.

Contributing

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature-name
  3. Make changes and add tests
  4. Run tests: npm test
  5. Commit changes: git commit -am 'Add feature'
  6. Push to branch: git push origin feature-name
  7. Submit a pull request

Support

  • Issues: Report bugs and request features on GitHub Issues
  • Documentation: Check this README for usage information
  • Security: Report security issues responsibly through private channels

WARNING: This tool is for development use only. For production secrets management, use dedicated solutions like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or similar enterprise-grade systems.