dotenv. better.

a better dotenv–from the creator of GitHub dotenv ★ 18.2k

brew install dotenvx/brew/dotenvx
curl -fsS | sh

Run Anywhere

dotenvx works the same across every language, framework, and platform – inject your env at runtime with dotenvx run -- your-cmd.

"I like how usage is consistent across multiple languages and frameworks. No more wrestling with different framework defaults just to load my config."
Max Syntax – Polyglot Programmer
$dotenvx run

Multiple Environments

Run multiple environments. Create a .env.production file and load it with dotenvx run --env-file=.env.production -- your-cmd. It's straightforward, yet flexible.

"I've always liked the .env.environment pattern. Now it finally has first-class support."
Zara Function – Full-Stack/DevOps Engineer

Encrypt Secrets

Encrypt your secrets to a .env.vault file. Only you hold the decryption keys – protecting you from data breaches like the CircleCI breach.

"Our company was exposed to the CircleCI breach. This would have protected us. We're using it now."
Remy Logic – CTO
$dotenvx encrypt

10x. better.

Increased tooling and features to make dotenv 10x better.

Run anywhere

Cross-platform–works everywhere


Switch environments easily

Encrypted envs

Encrypt your envs for deploy

Variable expansion

Add the value of another variable in your .env

Multiple .env files

Compose multiple .env files flexibly

Multi-line values

Add multi-line secrets like public keys


Debug server and local envs with built-in debugging

Contextual help

Built-in next steps when something goes wrong

Append .gitignore

Append to .gitignore in one command

Generate .env.example

Generate .env.example in one command


Prevent building .env files into docker images


Prevent committing .env files to code

Personal envs

Set personal environment variables

Command substitution

Add the output of a command in your .env


Scan and protect for secrets


Conveniently get/set single variables


First-class monorepo support


Securely share envs across your team

From the creator of dotenv. Trusted by millions of developers worldwide.

brew install dotenvx/brew/dotenvx
curl -fsS | sh

Frequently asked questions

The .env.vault file is an encrypted version of your .env file. It is paired with a decryption key called the DOTENV_KEY. The DOTENV_KEY is set on your server or cloud hosting provider and the .env.vault file is committed to code.

Yes. AES-256 GCM encryption was developed for the needs of US Government agencies like the CIA. AES-256 takes billions of years to crack using current computing technology. Your secrets are much more likely to be leaked by a third-party. This is why we are so committed to this technology while everyone else is focused on syncing secrets to third-party integrations. We see a better way.

In the CircleCI breach the attacker accessed environment variables only. They could not access codebases. To steal your .env.vault secrets, an attacker needs need both – the decryption key AND the encrypted .env.vault file.

Not officially, but our goal is towards that. We're building things in a way that a cloud service is not necessary. As long as you can generate a .env.vault file you can use the technology. It is open to all.

The .env.vault file and its encryption algorithm is language-agnostic so it works with any language.

Can't find the answer you're looking for? Send us an email at [email protected] team. We'd love to hear from you.

brew install dotenvx/brew/dotenvx
curl -fsS | sh