envcrypted

v1.2.0

Secure your .env files with AES-256 encryption. Share safely with your team via local vault or GitHub. Zero account. Zero server. Just works.

Readme

envcrypted 🔐

A dev-friendly CLI workflow for encrypting, auditing, and sharing your environment secrets. AES-256-GCM. Zero account. Zero server. Just works.


The Problem

Every developer has faced this:

"Hey, can you send me the .env file?"
"Sure, sending it over..."

Your secrets travel over chat apps, emails, Slack messages. They get leaked, forgotten, or go out of sync between team members. envcrypted fixes this.


How It Works

.env  →  AES-256-GCM encryption  →  .env.vault
                                        ↓
                              store locally or push to GitHub
                                        ↓
                              team pulls and decrypts with master key

  • AES-256-GCM with PBKDF2 key derivation (100,000 iterations)
  • No cloud. No account. No server.
  • Works with any Git repo or just locally
  • Detects weak/exposed values with the built-in auditor
  • Auto-protects .gitignore on init
  • Git pre-commit hook to block accidental .env commits
  • Share master key safely via self-destructing one-time links
  • Run apps securely in-memory without .env files on disk

You can also run your app securely without exposing .env:

npx envcrypted run node app.js

Install

Install inside your project — works on Windows, macOS, and Linux without any PATH issues:

npm install envcrypted

Then run commands using npx:

npx envcrypted init
npx envcrypted audit
npx envcrypted push
npx envcrypted pull
npx envcrypted run node app.js

Or add to your package.json scripts for convenience:

"scripts": {
  "env:init":     "envcrypted init",
  "env:audit":    "envcrypted audit",
  "env:push":     "envcrypted push",
  "env:pull":     "envcrypted pull",
  "env:generate": "envcrypted generate",
  "env:status":   "envcrypted status",
  "env:doctor":   "envcrypted doctor"
}

Commands

envcrypted init

Initialize envcrypted in your project. Generates a master key, sets your storage preference (local or GitHub), and auto-updates .gitignore to protect your .env.

npx envcrypted init

envcrypted push

Encrypts your .env file and saves it as .env.vault. If you chose GitHub storage, it commits and pushes automatically.

npx envcrypted push
npx envcrypted push --message "feat: update API keys"

envcrypted pull

Pulls the vault (from GitHub if applicable) and decrypts it back to .env.

npx envcrypted pull

envcrypted run

Run your app with decrypted environment variables — without exposing .env on disk.

npx envcrypted run node app.js
npx envcrypted run npm start

  • Decrypts .env.vault in memory
  • Injects variables into your app (process.env)
  • Never writes .env to disk

envcrypted audit

Scans your .env for critical issues and warnings — weak passwords, placeholder keys, exposed DB URIs, HTTP URLs, debug flags, and more.

npx envcrypted audit

Example output:

── Audit Report ──────────────────────────────────

✖  2 Critical Issue(s) Found:

   Line 3: Weak password (too short)
   → DB_PASSWORD=1234

   Line 7: MongoDB URI with credentials exposed
   → DATABASE_URL=mongodb+srv://admin:pass@cluster...

⚠  1 Warning(s):

   Line 5: Localhost value — not safe for production
   → API_URL=http://localhost:3000

✔  4 variable(s) look safe.

── Summary ───────────────────────────────────────
   Critical : 2
   Warnings : 1
   Safe     : 4
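
A rule-based scan of the kind the audit command describes, as an added example rather than envcrypted's own audit code. The rule set, the 8-character threshold, the severity split and the sample .env are assumptions; unlike the report above, findings here carry only the key name, so the scan output does not repeat secret values.

```javascript
// Added illustration; NOT envcrypted's audit code. Rule names, the
// 8-character threshold and the severity split are assumptions.
const RULES = [
  { level: 'critical', msg: 'Weak password (too short)',
    test: (k, v) => /PASS(WORD)?|SECRET/i.test(k) && v.length > 0 && v.length < 8 },
  { level: 'critical', msg: 'Database URI with embedded credentials',
    test: (k, v) => /^(mongodb(\+srv)?|postgres(ql)?|mysql|redis):\/\/[^\/\s:@]+:[^\/\s@]+@/i.test(v) },
  { level: 'critical', msg: 'Placeholder value',
    test: (k, v) => /^(changeme|your[-_ ]?.*here|xxx+|todo)$/i.test(v) || /^<.*>$/.test(v) },
  { level: 'warning', msg: 'Localhost value, not safe for production',
    test: (k, v) => /\/\/(localhost|127\.0\.0\.1)([:\/]|$)/i.test(v) },
  { level: 'warning', msg: 'Plain HTTP URL',
    test: (k, v) => /^http:\/\//i.test(v) },
  { level: 'warning', msg: 'Debug flag enabled',
    test: (k, v) => /DEBUG/i.test(k) && /^(1|true|yes|on)$/i.test(v) },
];

// Parse KEY=VALUE lines; blanks and comments do not match and are skipped.
function parseEnv(text) {
  const out = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(raw);
    if (!m) return;
    const value = m[2].replace(/^(['"])(.*)\1$/, '$2'); // strip matching quotes
    out.push({ line: i + 1, key: m[1], value });
  });
  return out;
}

// First matching rule wins; findings carry the key only, never the value.
function auditEnv(text) {
  const report = { critical: [], warning: [], safe: 0 };
  for (const { line, key, value } of parseEnv(text)) {
    const hit = RULES.find((r) => r.test(key, value));
    if (hit) report[hit.level].push({ line, key, msg: hit.msg });
    else report.safe += 1;
  }
  return report;
}

// Constructed sample .env, echoing the shape of the report above.
const SAMPLE = [
  '# app config', 'NODE_ENV=production', 'DB_PASSWORD=1234', '',
  'API_URL=http://localhost:3000', 'JWT_SECRET="<your-value-here>"',
  'DATABASE_URL=mongodb+srv://admin:pass@cluster.example.test/app',
  'DEBUG=true', 'CDN_URL=https://cdn.example.test',
].join('\n');
```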

envcrypted generate

Generates a .env.example file from your .env — strips all values, keeps all keys. Safe to commit publicly.

npx envcrypted generate

Example output:

DB_PASSWORD=<your-value-here>
API_KEY=<your-value-here>
JWT_SECRET=<your-value-here>
DATABASE_URL=<your-value-here>

envcrypted status

Shows a quick snapshot of your project's encryption state — .env, vault, .gitignore, git hook, and .env.example.

npx envcrypted status

Example output:

── envcrypted Status ─────────────────────────────

✔  Initialized
     Storage  : local
     Version  : 1.2.0
     Created  : 18/03/2026

✔  .env found (6 variables, 0.3kb)
✔  .env.vault found (last updated: 18/03/2026)
✔  .env.example found
✔  .env is in .gitignore
✔  Git pre-commit hook installed

envcrypted hook install

Installs a git pre-commit hook that warns if .env is unencrypted and blocks any commit where .env is accidentally staged.

npx envcrypted hook install
npx envcrypted hook uninstall

envcrypted doctor

Runs 9 health checks on your setup and tells you exactly what's wrong and how to fix it.

npx envcrypted doctor

Example output:

── envcrypted Doctor ─────────────────────────────

✔  Node.js version: v20.0.0
✔  .env file found
✔  envcrypted initialized
✔  .env.vault exists
✔  .env is protected in .gitignore
✔  Git repository detected
⚠  Pre-commit hook not installed (optional)
⚠  .env.example missing (optional)

✔  Everything looks great! Your setup is healthy.

Sharing the Master Key

After encrypting your vault, you need to share the master key with your team. Don't send it over chat apps or email. Use a self-destructing one-time link instead.

The envcrypted docs include a built-in Share Key page powered by OneTimeSecret — open source, no account needed:

  1. Paste your master key
  2. Get a unique one-time link
  3. Send it over any channel — the link reveals nothing about the content
  4. Your teammate opens it once → key shown → link self-destructs permanently

🔗 Share your master key safely → (or via OneTimeSecret)


Workflow

Team Lead (Project Setup):

npm install envcrypted
npx envcrypted init         # generate master key, choose storage
npx envcrypted audit        # scan .env for issues first
npx envcrypted generate     # create .env.example for team
npx envcrypted hook install # block accidental .env commits
npx envcrypted push         # encrypt .env → .env.vault
# share master key using: https://mohammad-shoeb-faizan.github.io/envcrypted/

New Team Member:

npm install envcrypted      # install in project
npx envcrypted init         # initialize with same storage type
npx envcrypted pull         # enter master key → .env restored

Check Your Setup:

npx envcrypted status       # quick health snapshot
npx envcrypted doctor       # full diagnosis with fixes

Rotating Keys:

npx envcrypted push         # enter new master key
# share new key via one-time link

Security

| Feature | Detail |
|--------|--------|
| Algorithm | AES-256-GCM (authenticated encryption) |
| Key derivation | PBKDF2 with SHA-512, 100,000 iterations |
| Salt | 64 bytes random per encryption |
| IV | 16 bytes random per encryption |
| Auth tag | 16 bytes (tamper detection) |
| Master key | Never stored anywhere. Only you hold it. |
| Key sharing | One-time self-destructing links via OneTimeSecret |

The encrypted .env.vault is safe to commit to public or private repos. Without the master key, it is unreadable.
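
The parameters in the table above, wired together with Node's built-in crypto module, as an added example (not envcrypted's own source). The salt | iv | tag | ciphertext layout and all function names are assumptions, and the sample values are constructed.

```javascript
// Added illustration; NOT envcrypted's source. The blob layout
// salt | iv | tag | ciphertext is an assumption made for this sketch.
const nodeCrypto = require('node:crypto');

const SALT_LEN = 64, IV_LEN = 16, TAG_LEN = 16; // sizes from the Security table
const ITERATIONS = 100000, KEY_LEN = 32;        // PBKDF2-SHA512 -> 256-bit key
const IV_AT = SALT_LEN, TAG_AT = IV_AT + IV_LEN, BODY_AT = TAG_AT + TAG_LEN;

function deriveKey(masterKey, salt) {
  return nodeCrypto.pbkdf2Sync(masterKey, salt, ITERATIONS, KEY_LEN, 'sha512');
}

function sealEnv(plaintext, masterKey) {
  const salt = nodeCrypto.randomBytes(SALT_LEN); // fresh per encryption
  const iv = nodeCrypto.randomBytes(IV_LEN);     // fresh per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterKey, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

function openEnv(blob, masterKey) {
  if (blob.length < BODY_AT) throw new Error('vault too short');
  const key = deriveKey(masterKey, blob.subarray(0, IV_AT));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key,
    blob.subarray(IV_AT, TAG_AT), { authTagLength: TAG_LEN });
  decipher.setAuthTag(blob.subarray(TAG_AT, BODY_AT));
  // final() throws if the key is wrong or any byte of the blob was altered.
  const plain = [decipher.update(blob.subarray(BODY_AT)), decipher.final()];
  return Buffer.concat(plain).toString('utf8');
}

// True only when decryption is refused.
function rejects(blob, masterKey) {
  try { openEnv(blob, masterKey); return false; } catch { return true; }
}

// Constructed sample input, not real secrets.
const SAMPLE_ENV = 'DB_PASSWORD=constructed-example\nAPI_URL=https://api.example.test\n';
const SAMPLE_KEY = 'constructed-master-key-for-demo';

function demo() {
  const vault = sealEnv(SAMPLE_ENV, SAMPLE_KEY);
  const tampered = Buffer.from(vault);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return { roundTrip: openEnv(vault, SAMPLE_KEY) === SAMPLE_ENV,
    wrongKeyRejected: rejects(vault, 'not-the-master-key'),
    tamperRejected: rejects(tampered, SAMPLE_KEY),
    overhead: vault.length - Buffer.byteLength(SAMPLE_ENV) };
}
```

The salt and KDF parameters travel with the vault, so anyone holding the file can test candidate master keys offline at PBKDF2 speed. For a vault committed to a public repo, the entropy of the master key is what keeps it unreadable.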


Add to .gitignore

envcrypted init does this automatically. But if you need to do it manually:

# Always ignore raw .env
.env
.env.*

# These are safe to commit
# .env.vault
# .env.example

Built By

Mohammad Shoeb Faizan — Full-Stack Developer & Automation Engineer
GitHub | LinkedIn | NPM


License

MIT — Free forever. Use it, share it, build on it.


Roadmap

These are planned improvements based on real developer feedback. Nothing is promised — but everything here is being actively thought about.

🔜 Coming Next

envcrypted setup
A single command that runs the full team lead flow interactively — init + audit + generate + hook install + push — in one guided session. Zero friction onboarding.

envcrypted push --share
Encrypts your .env and immediately opens OneTimeSecret with your secret key ready to share. One command. Vault encrypted. Key shared. Done.

Auto-detect .env
Remove the need to run init before other commands. If a .env exists in the current directory, envcrypted should just work.

Stronger audit patterns
Real regex detection for common secret formats — AWS access keys, Stripe live keys, GitHub tokens, Twilio, SendGrid, Firebase, and more. Not just weak password checks.


💡 Considering

envcrypted rotate
Re-encrypt the vault with a new secret key in one command. Automatically notifies team members that a new key is in use.

envcrypted diff
Compare two vaults or two .env files and show what changed — without revealing actual values. Useful for auditing key rotations.

envcrypted history
Local changelog of when the vault was last pushed, pulled, or audited. No cloud. No server. Just a local log file.

envcrypted verify
Let a teammate verify their .env matches the current vault — without sharing the actual values. Hash-based comparison.

Multiple vault support
Support for .env.staging, .env.production — each with its own vault and secret key.

VS Code extension
Warnings directly in the editor when a .env value looks weak or exposed. No terminal needed.


🚫 Out of Scope (by design)

These will never be added — they go against the zero-account, zero-server philosophy that makes envcrypted trustworthy:

  • Cloud storage of secret keys
  • Web dashboard or SaaS version
  • Telemetry or usage tracking
  • Paid tiers or paywalled features

Have an idea? Open a discussion on GitHub. The best features come from real problems.


Have an idea? Reach out on LinkedIn or open an issue on GitHub.