Scattered .env files? There's a better way.
There are plenty of ways to handle secrets. Some are complex, others insecure or painfully manual. You've probably tried them. Yet, here you are.
Unfortunately, most secrets-management solutions are overwhelming, overcomplicated, overpriced, or just plain frustrating when it comes to .env files.
Not Dotenvx. Dotenvx is refreshingly simple, secure, and designed specifically around .env files—built by the creator of the original dotenv ★ 19.9k.
Dotenvx is open-source, telemetry-free, and self-contained. It's tailored specifically for lean teams who depend on .env workflows—not proprietary enterprise tools that make you work around them.
So I invite you to read the whitepaper, explore the docs, and try Dotenvx for yourself. I've put a lot of thought into its design. It's dotenv. better.
Scott Motte, [email protected]
Creator Dotenv, Founder @Dotenvx
This is Dotenvx.
Encrypt .env Files
Run dotenvx encrypt to encrypt your .env files.
Just like that, your .env files are protected at-rest and in-transit. That's a massive win for security.
And you've unlocked secrets-as-code – a git-ops workflow win.
#/ public-key encryption for .env files /
#/ [how it works](https://dotenvx.com/encryption) /
#/------------------------------------------------------/
DOTENV_PUBLIC_KEY="026d4945b6513baec60f68b207f203ba534fb54d2b0c9952557d240815e42a7d83"
# Database configuration
DB_HOST="encrypted:BMO83g2fEtr66gcFvUs2+/ZuccCQuBbZwSW3JfCLvoUiACmusxCbTfG2dvc2LxenPhUtgWapO8f9BCcBVAcTnMcrd3kndvk+acWytRjIWRUvsSezdD340/OT5EQgbqJtwXfuRz0i2t8PVA=="
DB_PORT="encrypted:BGcRf5bK/mChGEqT1MZ8hUbMm3hhtuW9NVGkHtl7KRwqbSKnVcGIDs9T61u77DlyNlYcF1BlLCw9HPmbRQ0nFvLOCZc6r42iRE4OyJw9mu61OjlWQfEl5Z1NrjZw5g0d1tp8New="
DB_USER="encrypted:BBrXv55qxgA19sEqqNnZzS/C0WguVk6ROQmfxnGhBhafLoc0XwpKprk/J3hJCVq7s45WyBSXGUz9U9rHxCBeVkl27WFzzgZkDewX0gBLt+Cc37K0EVU2hZ1GPbax5mzpI5Jwwi65be6+"
DB_PASSWORD="encrypted:BC8aRBQ/Q2YMPjJayggqVN8skqTtxtXFgYA0e8/Ud/Jcez2Daukr6edBmEWQdz/Lu91casaW6CkkCvLSQkPvNpmgYqFB4BKHTUDowX/KEDvVI6CU5Vt478VF5dqHbvPIoKKtBe+4FNXlk5O96A=="
DB_NAME="encrypted:BL0icNnZh6InVmymJBCX6MuL6cwgVc4v1ua1g1XONlV7nkzzHHHpnZN3khx7+ld15bd88EtV4DfqUV2eJ/HJwu0/5F1MH+PAisYSRxBQo8I9AHly2sRsonBm3Bji+DslcC4D7b7wLTBlfCw="
# API Keys
API_KEY="encrypted:BCrnJ2sAZH2qwRlPvUqqWyEsd+cVeMQiOV5H/xZ7vjFfcMXHMunmAv/7+jUI356fkVtHfrXu+vBJLjXJiirgB2gky5vvy7h5jevgMS6BgPL5KwjC0tYPlYbe4Bfrf1funYqqrFYaPjsEO+77vCtVaBPz"
STRIPE_API_KEY="encrypted:BOD5Fg+qI9dqhkh+gjCLrTFyhxEAhNDtLgwjkMZOr9l9CsvvhprwCrgsZbIRIFa1Vf6ATnWZ3/bacYnlBXlZ1Hc6YMZHog+ZuVW4AjwxCkB8I0AkcOeOsYzQx2fdtI4kFii01UIhN53jfmUjzLSPYw=="
# Email Configuration
EMAIL_HOST="encrypted:BMVEIPBGe9xkELFb48KQJPxxnTkUGhsonAU4ug5ca9E5eD/MZimkoQrf/3cb9nhazwfTbScLgeGGr/Jhj4DV7Xpz45XEEFWrPXy1Yi93zWLaJ4XYBHwCke3b4XCbh7jV4uL3WWFjI757yTIS6ilD"
EMAIL_USER="encrypted:BB15pCJmnrb1Jvy5nnyB5F7tYNYiGsqvY6ZORRz4iSw69WJBHk5S9F2ILpI+vqrlFjr3+ZzWI9sc1vIB8t1RvYUHzEdlNCbn5Bhzf9f9+SlTQt6yVUshTZVTA56f7HN3x4+AvVrzpxNoci80r2lwRkltfYM="
EMAIL_PASSWORD="encrypted:BIgpV7btyiGYyySYnG3+NJVGUzNzB4zWjIZbM/VgtnPuiuSsK/KBkirtqkDBI8U/04BRKtupOTNSJTVu6GO39XPSpPvlxA4fNRyeK85W+rFGARp4mrgqfEz/O/eZvqJSqS5kNraAhbkKpXq81rEOBg=="
# Logging
LOG_LEVEL="encrypted:BKzfW56VHobMDtfq+iU+MsjVlPDdiKYoJmKLMlUKzsds5dHWjY+GcKbUx7V54jX21kVa6kuBcINNmP/DwXZA2VSb6q8zhMU/Go59aQWqmoqip6jB8DTxc8GjxUF4lWO3PLWJqk8="

Run Anywhere
Dotenvx works the same across every language, framework, and platform – inject your env at runtime with dotenvx run -- your-cmd. Load both plaintext and encrypted .env files this way.

Multiple Environments
Create a .env.production file and use dotenvx run -f .env.production to load it. It's straightforward, yet flexible.

It's like a swiss army knife for your .env files.
Look at all these features.
CloakZero
Hide private keys – sharing access, not the keys
PR Reviews
Review encrypted .env changes in GitHub PRs
With strong cryptography.
Read the Whitepaper
Dotenvx: Reducing Secrets Risk with Cryptographic Separation
Abstract. An ideal secrets solution would not only centralize secrets but also contain the fallout of a breach. While secrets managers offer centralized storage and distribution, their design creates a large blast radius, risking exposure of thousands or even millions of secrets. We propose a solution that reduces the blast radius by splitting secrets management into two distinct components: an encrypted secrets file and a separate decryption key.
Growing rapidly.
Dotenvx is installed more than half a million times weekly.
It's only one year old, and yet Paypal, NASA, Procore, Supabase, OpenNext, AWS, Socket, Daytona, Stacks, and Facebook have all adopted it. Even stereotypically slow moving government departments in Britain, France, Canada, and Finland, having evaluated it for its extra security benefits, adopted it.
It's being used inside AI tooling like Paypal's Agent-Toolkit and Daytona's SDK. It's trusted by security software like Socket's CLI and Registry. AWS recommends it with AWS Amplify, NASA uses it to help power Earthdata Search, and Supabase requires it to unlock their Branching feature. It's incredible, and it will be even more exciting to watch year two unfold.
And free to use.
Dotenvx is free to use with optional commercial extensions – Pro and Enterprise.
OSS | PRO | ENT | |
---|---|---|---|
Open Source | Small Business | Med-Large Business | |
Encryption | |||
Run Anywhere | |||
Multiple Environments | |||
Secrets-as-Code | |||
Variable expansion | |||
Command substitution | |||
Cloak-Zero | |||
Web UI | |||
Acess Controls | |||
PR Reviews | |||
Env-Radar | |||
Compliance Alerts | |||
Rotation | |||
Push/Pull | |||
Version History | |||
Audit Logs | |||
Support | None | ||
License | BSD-3 | Commercial | Commercial |
Pricing | Free |
$299/month
billed annually
|
$1299/month
billed annually
|
Get started ↗ Start↗ |
Install it today.
Frequently asked questions
-
Dotenvx uses Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt each secret with a unique ephemeral key, while ensuring it can be decrypted using a long-term private key.
When you initialize encryption, a DOTENV_PUBLIC_KEY (encryption key) and DOTENV_PRIVATE_KEY (decryption key) are generated. The DOTENV_PUBLIC_KEY is used to encrypt secrets, and the DOTENV_PRIVATE_KEY is securely stored in your cloud secrets manager or .env.keys file.
Your encrypted .env file is then safely committed to code. Even if the file is exposed, secrets remain protected since decryption requires the separate DOTENV_PRIVATE_KEY, which is never stored alongside it. Read the whitepaper for more details. -
Yes. Dotenvx encrypts secrets using AES-256 with ephemeral keys, ensuring that even if the encrypted .env file is exposed, its contents remain secure. The encryption keys themselves are protected using Secp256k1 elliptic curve cryptography, which is widely used for secure key exchange in technologies like Bitcoin.
This means that every secret in the .env file is encrypted with a unique AES-256 key, and that key is further encrypted using a public key (Secp256k1). Even if an attacker obtains the encrypted .env file, they would still need the corresponding private key—stored separately—to decrypt anything.
Breaking this encryption would require brute-forcing both AES-256 and elliptic curve cryptography, which is computationally infeasible with current technology. Read the whitepaper for more details. -
In the CircleCI breach the attacker accessed environment variables only. They could not access codebases. To steal your encrypted .env secrets, an attacker needs both – the private decryption key AND the encrypted .env files.
Can't find the answer you're looking for? Send us an email at [email protected] team. We'd love to hear from you.