Dotenvx
Docs Radar

A secure dotenv – from the creator of dotenv

Plaintext .env files have been a major attack vector, but they've also been undeniably useful – even AWS uses them.1 What if you could encrypt them? Now you can with dotenvx. Dotenvx encrypts your .env files – limiting their attack vector while retaining their benefits. It's free, open-source, and built and maintained by the creator of the original dotenv. – Scott (Mot) Motte

Quickstart → Documentation 
# 🔐 Encrypted with dotenvx
DOTENV_PUBLIC_KEY="026d4945b6513baec60f68b207f203ba534fb54d2b0c9952557d240815e42a7d83"

# 🗄️ Database
DB_HOST="encrypted:BMO83g2fEtr66gcFvUs2+/ZuccCQuBbZwSW3JfCLvoUiACmusxCbTfG2dvc2LxenPhUtgWapO8f9BCcBVAcTnMcrd3kndvk+acWytRjIWRUvsSezdD340/OT5EQgbqJtwXfuRz0i2t8PVA=="
DB_PORT="encrypted:BGcRf5bK/mChGEqT1MZ8hUbMm3hhtuW9NVGkHtl7KRwqbSKnVcGIDs9T61u77DlyNlYcF1BlLCw9HPmbRQ0nFvLOCZc6r42iRE4OyJw9mu61OjlWQfEl5Z1NrjZw5g0d1tp8New="
DB_USER="encrypted:BBrXv55qxgA19sEqqNnZzS/C0WguVk6ROQmfxnGhBhafLoc0XwpKprk/J3hJCVq7s45WyBSXGUz9U9rHxCBeVkl27WFzzgZkDewX0gBLt+Cc37K0EVU2hZ1GPbax5mzpI5Jwwi65be6+"
DB_PASSWORD="encrypted:BC8aRBQ/Q2YMPjJayggqVN8skqTtxtXFgYA0e8/Ud/Jcez2Daukr6edBmEWQdz/Lu91casaW6CkkCvLSQkPvNpmgYqFB4BKHTUDowX/KEDvVI6CU5Vt478VF5dqHbvPIoKKtBe+4FNXlk5O96A=="
DB_NAME="encrypted:BL0icNnZh6InVmymJBCX6MuL6cwgVc4v1ua1g1XONlV7nkzzHHHpnZN3khx7+ld15bd88EtV4DfqUV2eJ/HJwu0/5F1MH+PAisYSRxBQo8I9AHly2sRsonBm3Bji+DslcC4D7b7wLTBlfCw="

# 🔑 API
API_KEY="encrypted:BCrnJ2sAZH2qwRlPvUqqWyEsd+cVeMQiOV5H/xZ7vjFfcMXHMunmAv/7+jUI356fkVtHfrXu+vBJLjXJiirgB2gky5vvy7h5jevgMS6BgPL5KwjC0tYPlYbe4Bfrf1funYqqrFYaPjsEO+77vCtVaBPz"
STRIPE_API_KEY="encrypted:BOD5Fg+qI9dqhkh+gjCLrTFyhxEAhNDtLgwjkMZOr9l9CsvvhprwCrgsZbIRIFa1Vf6ATnWZ3/bacYnlBXlZ1Hc6YMZHog+ZuVW4AjwxCkB8I0AkcOeOsYzQx2fdtI4kFii01UIhN53jfmUjzLSPYw=="

# ✉️ Email
EMAIL_HOST="encrypted:BMVEIPBGe9xkELFb48KQJPxxnTkUGhsonAU4ug5ca9E5eD/MZimkoQrf/3cb9nhazwfTbScLgeGGr/Jhj4DV7Xpz45XEEFWrPXy1Yi93zWLaJ4XYBHwCke3b4XCbh7jV4uL3WWFjI757yTIS6ilD"
EMAIL_USER="encrypted:BB15pCJmnrb1Jvy5nnyB5F7tYNYiGsqvY6ZORRz4iSw69WJBHk5S9F2ILpI+vqrlFjr3+ZzWI9sc1vIB8t1RvYUHzEdlNCbn5Bhzf9f9+SlTQt6yVUshTZVTA56f7HN3x4+AvVrzpxNoci80r2lwRkltfYM="
EMAIL_PASSWORD="encrypted:BIgpV7btyiGYyySYnG3+NJVGUzNzB4zWjIZbM/VgtnPuiuSsK/KBkirtqkDBI8U/04BRKtupOTNSJTVu6GO39XPSpPvlxA4fNRyeK85W+rFGARp4mrgqfEz/O/eZvqJSqS5kNraAhbkKpXq81rEOBg=="

# 🪵 Logging
LOG_LEVEL="encrypted:BKzfW56VHobMDtfq+iU+MsjVlPDdiKYoJmKLMlUKzsds5dHWjY+GcKbUx7V54jX21kVa6kuBcINNmP/DwXZA2VSb6q8zhMU/Go59aQWqmoqip6jB8DTxc8GjxUF4lWO3PLWJqk8="

It's like a swiss army knife for your .env files.

Run anywhere Multi-environment Encryption Multiple Files Variable Expansion Command Substitution Precommit Prebuild advanced usage →

With strong cryptography.

Dotenvx: Reducing Secrets Risk with Cryptographic Separation.

Abstract. An ideal secrets solution would not only centralize secrets but also contain the fallout of a breach. We propose a solution that reduces the blast radius by splitting secrets management into two distinct components: an encrypted secrets file and a separate decryption key.

Read the whitepaper →

Growing rapidly.

Dotenvx is installed more than half a million times weekly.

It's only one year old, and yet Paypal, NASA, Procore, Supabase, OpenNext, AWS, Socket, Daytona, Stacks, and Facebook have all adopted it. Even stereotypically slow moving government departments in Britain, France, Canada, and Finland, having evaluated it for its extra security benefits, adopted it.

It's being used inside AI tooling like Paypal's Agent-Toolkit and Daytona's SDK. It's trusted by security software like Socket's CLI and Registry. AWS recommends it with AWS Amplify, NASA uses it to help power Earthdata Search, and Supabase requires it to unlock their Branching feature. It's incredible, and it will be even more exciting to watch year two unfold.

Socket Amazon Web Services PayPal NASA Facebook Supabase

Easy to switch.

// before
require('dotenv').config()
// after
require('@dotenvx/dotenvx').config()

Just replace dotenv with @dotenvx/dotenvx and opt-in to all its benefits — without changing your current workflow.

See all install options →

And free to use.

Dotenvx is open source – with optional commercial extension Radar.

OSS Radar
Security. Observability.
Open Source Commercial
Encryption
Run Anywhere
Multiple Environments
Precommit
Prebuild
Variable expansion
Command substitution
Backups
Versioning
Observability
Support None Email
License BSD-3 Commercial
Pricing Free $19/year
Start
Buy Learn

Have questions?

Dotenvx uses Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt each secret with a unique ephemeral key, while ensuring it can be decrypted using a long-term private key.

When you initialize encryption, a DOTENV_PUBLIC_KEY (encryption key) and DOTENV_PRIVATE_KEY (decryption key) are generated. The DOTENV_PUBLIC_KEY is used to encrypt secrets, and the DOTENV_PRIVATE_KEY is securely stored in your cloud secrets manager or .env.keys file.

Your encrypted .env file is then safely committed to code. Even if the file is exposed, secrets remain protected since decryption requires the separate DOTENV_PRIVATE_KEY, which is never stored alongside it. Read the whitepaper for more details.

Yes. Dotenvx encrypts secrets using AES-256 with ephemeral keys, ensuring that even if the encrypted .env file is exposed, its contents remain secure. The encryption keys themselves are protected using Secp256k1 elliptic curve cryptography, which is widely used for secure key exchange in technologies like Bitcoin.

This means that every secret in the .env file is encrypted with a unique AES-256 key, and that key is further encrypted using a public key (Secp256k1). Even if an attacker obtains the encrypted .env file, they would still need the corresponding private key—stored separately—to decrypt anything.

Breaking this encryption would require brute-forcing both AES-256 and elliptic curve cryptography, which is computationally infeasible with current technology. Read the whitepaper for more details.

In the CircleCI breach the attacker accessed environment variables only. They could not access codebases. To steal your encrypted .env secrets, an attacker needs both – the private decryption key AND the encrypted .env files.

A former AWS engineer mentioned to me (and others) that AWS used them on their production infrastructure. He has since left to start his own business so maybe this is no longer the case.

Yes, at mot [at] dotenvx [dot] com. I particularly like to hear from large organizations using dotenvx. We have an SLA with enterprise assurances your compliance team will appreciate.

1.49.0 (2025-08-18)

Added

  • For precommit and prebuild, ignore .env.x file like we do with .env.vault file. (#666)

1.48.4 (2025-07-29)

Removed

  • Remove unnecessary use of eval in proKeypair helper (#654)

1.48.3

Changed

  • Include privateKeyName and privateKey on internal processedEnv object (#649)

1.48.2

Changed

  • Check radar status before sending (#646)
Full changelog →