Use dotenvx with Bitwarden
Load dotenvx private keys from Bitwarden at runtime.
Store your DOTENV_PRIVATE_KEY* values in Bitwarden, then load them into the environment before running dotenvx.
Store a Private Key
Create a Bitwarden login item named after the dotenvx private-key environment variable.
Name: DOTENV_PRIVATE_KEY
Password: <your DOTENV_PRIVATE_KEY value>
For .env.production, name the item DOTENV_PRIVATE_KEY_PRODUCTION.
Name: DOTENV_PRIVATE_KEY_PRODUCTION
Password: <your DOTENV_PRIVATE_KEY_PRODUCTION value>
Read a Private Key
Use bw get password to read the Bitwarden item password into DOTENV_PRIVATE_KEY.
export BW_SESSION="$(bw unlock --raw)"
DOTENV_PRIVATE_KEY="$(bw get password DOTENV_PRIVATE_KEY)" dotenvx run -- npm start
dotenvx run sees DOTENV_PRIVATE_KEY, decrypts .env, and injects the decrypted values into your process.
Use Production
For .env.production, read the matching Bitwarden item into DOTENV_PRIVATE_KEY_PRODUCTION.
export BW_SESSION="$(bw unlock --raw)"
DOTENV_PRIVATE_KEY_PRODUCTION="$(bw get password DOTENV_PRIVATE_KEY_PRODUCTION)" dotenvx run -- npm start
The item name, environment variable name, and dotenvx private-key name match one-to-one.
Team Workflows
Bitwarden works well for developers who already use Bitwarden locally. For teams that want private keys stored off-device, shared by project, and available without each developer wiring local Bitwarden access, use Armor.