Blog Docs

dotenv. better.

a better dotenv–from the creator of GitHub dotenv ★ 19k

curl -fsS https://dotenvx.sh | sh
brew install dotenvx/brew/dotenvx
Docs
Hacker News 354 FEATURED # 1 ON
GitHub Trending FEATURED # 2 ON

Run Anywhere

dotenvx works the same across every language, framework, and platform – inject your env at runtime with dotenvx run -- your-cmd.

"I like how usage is consistent across multiple languages and frameworks. No more wrestling with different tools."
Max Syntax – Polyglot Programmer
$dotenvx run

Multiple Environments

Create a .env.production file and use dotenvx run -f .env.production to load it. It's straightforward, yet flexible.

"I've always liked the .env.environment pattern. Now it finally has first-class support."
Zara Function – Full-Stack/DevOps Engineer
--env-file

Encryption

Add encryption to your .env files with a single command. Run dotenvx encrypt.

#/-----------------[DOTENV_PUBLIC_KEY]------------------/
#/         public-key encryption for .env files         /
#/    [how it works](https://dotenvx.com/encryption)    /
#/------------------------------------------------------/
DOTENV_PUBLIC_KEY="03f8b376234c4f2f0445f392a12e80f3a84b4b0d1e0c3df85c494e45812653c22a"

# Database configuration
DB_HOST="encrypted:BNr24F4vW9CQ37LOXeRgOL6QlwtJfAoAVXtSdSfpicPDHtqo/Q2HekeCjAWrhxHy+VHAB3QTg4fk9VdIoncLIlu1NssFO6XQXN5fnIjXRmp5pAuw7xwqVXe/1lVukATjG0kXR4SHe45s4Tb6fEjs"
DB_PORT="encrypted:BOCHQLIOzrq42WE5zf431xIlLk4iRDn1/hjYBg5kkYLQnL9wV2zEsSyHKBfH3mQdv8w4+EhXiF4unXZi1nYqdjVp4/BbAr777ORjMzyE+3QN1ik1F2+W5DZHBF9Uwj69F4D7f8A="
DB_USER="encrypted:BP6jIRlnYo5LM6/n8GnOAeg4RJlPD6ZN/HkdMdWfgfbQBuZlo44idYzKApdy0znU3TSoF5rcppXIMkxFFuB6pS0U4HMG/jl46lPCswl3vLTQ7Gx5EMT6YwE6pfA88AM77/ebQZ6y0L5t"
DB_PASSWORD="encrypted:BMycwcycXFFJQHjbt1i1IBS7C31Fo73wFzPolFWwkla09SWGy3QU1rBvK0YwdQmbuJuztp9JhcNLuc0wUdlLZVHC4/E6q/K7oPULNPxC5K1LwW4YuX80Ngl6Oy13Twero864f2DXXTNb"
DB_NAME="encrypted:BGtVHZBbvHmX6J+J+xm+73SnUFpqd2AWOL6/mHe1SCqPgMAXqk8dbLgqmHiZSbw4D6VquaYtF9safGyucClAvGGMzgD7gdnXGB1YGGaPN7nTpJ4vE1nx8hi1bNtNCr5gEm7z+pdLq1IsH4vPSH4O7XBx"

# API Keys
API_KEY="encrypted:BD9paBaun2284WcqdFQZUlDKapPiuE/ruoLY7rINtQPXKWcfqI08vFAlCCmwBoJIvd2Nv3ACiSCA672wsKeJlFJTcRB6IRRJ+fPBuz2kvYlOiec7EzHTT8EVzSDydFun5R5ODfmN"
STRIPE_API_KEY="encrypted:BM6udWmFsPaBzlND0dFBv7R55JiaA+cZnbun8DaVNrEvO+8/k+lsXbZQ0bCPks8kUsdD2qrSp/tii0P8gVJ/gp+pdDuhdcJj91hxJ7nzSFf6h0ofRb38/2WHFhxg77XExxzui1s3w42Z"

# Email Configuration
EMAIL_HOST="encrypted:BOzlZJy9QQONa4h8jj0CSZg0JHbDp/T96bxC39ildVfc1rMgDHOfgqZCaWaTMYjTF69UxkgN3tSOGOp0N78QYDuIIJ4RZbHYdxmqXmuvcn3wvBIqn+ubL/bf1Vc3yURbVwdTNvM/JhL3YN0tdikO"
EMAIL_USER="encrypted:BCW0xkE7RfJYJk7Dcb3lRdwvEyzBSoZmDQxWr72JjOb1yBx1XS9gcDOFFIHlD78lBweUNDl4dfaqyuuFBGzI/gdQ8ua4y9w2tOIDDNztd+XpWUAtKeDVqcOTJiEqv7e241hi/F6EZcYC2oUlfYH+"
EMAIL_PASSWORD="encrypted:BA0Rnsy9DQi2y90GbFnqD7coqG4V5ob48gXVrYqZhy0vrki3su/t9JFNG+omBHCeUICjqyKB2XY059xxSs4xQW+G+/RI7ygpB8oxiq5mT52qYpXch36mMgRFppBIi4SoB2YQZ0ANHgWv"

# Logging
LOG_LEVEL="encrypted:BKmgv5E7/l1FnSaGWYWBPxxagdgN+KSEaB+va3PePjwEp7CqW6PlysrweZq49YTB5Fbc3UN/akLVn1RZ2AO4PyTVqgYYGBwerjpJiou9R2KluNV3T4j0bhsAkBochg3YpHcw3RX/"

"Our company was exposed to the CircleCI breach. Encryption would have protected us. We're using it now."
Remy Logic – CTO

10x. better.

Increased tooling and features to make dotenv 10x better.

Run anywhere

Cross-platform–works everywhere

Multi-environment

Switch environments easily

Encrypted envs

Encrypt your envs for deploy

Variable expansion

Add the value of another variable in your .env

Multiple .env files

Compose multiple .env files flexibly

Multi-line values

Add multi-line secrets like public keys

Debug

Debug server and local envs with built-in debugging

Contextual help

Built-in next steps when something goes wrong

Append .gitignore

Append to .gitignore in one command

Generate .env.example

Generate .env.example in one command

Prebuild

Prevent building .env files into docker images

Precommit

Prevent committing .env files to code

Personal envs

Set personal environment variables

Command substitution

Add the output of a command in your .env

Scan

Scan and protect for secrets

Get/Set

Conveniently get/set single variables

Monorepo

First-class monorepo support

Sharing
beta

Securely share envs across your team

From the creator of dotenv. Trusted by millions of developers worldwide.

curl -fsS https://dotenvx.sh | sh
brew install dotenvx/brew/dotenvx

Frequently asked questions

A DOTENV_PUBLIC_KEY (encryption key) and a DOTENV_PRIVATE_KEY (decryption key) are generated using the same public-key cryptography as Bitcoin. The DOTENV_PRIVATE_KEY is set on your server or cloud hosting provider and your encrypted .env file is committed safely to code.

Yes. Secp256k1 asymmetric encryption is used in many cryptographically secure technologies like Bitcoin. It would take on the order of billions of years to crack using current technology - similar to AES-256.

In the CircleCI breach the attacker accessed environment variables only. They could not access codebases. To steal your encrypted .env secrets, an attacker needs need both – the private decryption key AND the encrypted .env files.

Can't find the answer you're looking for? Send us an email at [email protected] team. We'd love to hear from you.

curl -fsS https://dotenvx.sh | sh
brew install dotenvx/brew/dotenvx