Documentation

.env.keys

`.env.keys` holds your private decryption keys.

Format

.env.keys

#/------------------!DOTENV_PRIVATE_KEYS!-------------------/
#/ private decryption keys. DO NOT commit to source control /
#/     [how it works](https://dotenvx.com/encryption)       /
#/----------------------------------------------------------/

# .env
DOTENV_PRIVATE_KEY="ccc387ba193a315cbcd1ad7d8d007e6124763894554418e7c90b7dbcd7edca23"

# .env.production
DOTENV_PRIVATE_KEY_PRODUCTION="d4d2e22102c58f741cdddacaf69a1a64751fc014aafb90de0f1e7e6cb4d08330"

Some quick takeaways:

  1. It uses the .env format
  2. DOTENV_PRIVATE_KEY contains the decryption key for .env
  3. DOTENV_PRIVATE_KEY_PRODUCTION contains the decryption key for .env.production

Encryption

secp256k1 is the public-key encryption algorithm used to generate the public/private key pair.

Generating

It's auto-generated when running dotenvx set KEY value.

$ dotenvx set HELLO World
set HELLO with encryption (.env)

Do not commit .env.keys to source code. Keep them somewhere safe like 1Password.

History

The .env.keys file originally came out of development work on dotenv-vault in early 2023. It's current format came out about during an effort in May 2024 to support encryption without the ability to decrypt.