
Private Keys

Understand private decryption keys and where they should live.

When dotenvx encrypt creates encrypted values, it also creates a private decryption key.

By default, the private key is written to .env.keys.

# .env.keys - DO NOT commit to source control
DOTENV_PRIVATE_KEY=dcd72b6a81ba7ec9af83d63720189c353b02bdef831fbe7a6712632204056a36

Source Control

Commit encrypted .env files. Do not commit .env.keys.

The encrypted file is designed to move through git. The private key is the sensitive material that decrypts it.
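One way to enforce this rule is a git pre-commit hook. The script below is an added example, not part of dotenvx or its documentation: it blocks any staged file named .env.keys and any staged content carrying a DOTENV_PRIVATE_KEY value of the 64-hex shape shown above. The function names, the optional key-name suffix and the hook file name check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not dotenvx code): pre-commit guard for dotenvx private keys.
# Matches NAME=VALUE where NAME starts with DOTENV_PRIVATE_KEY and VALUE is
# 64 hex characters, the shape shown in .env.keys above. Allowing a suffix on
# the name, an "export" prefix and a quote is an assumption of this example.
KEY_PATTERN="^[[:space:]]*(export[[:space:]]+)?DOTENV_PRIVATE_KEY[A-Z0-9_]*=[\"']?[0-9a-fA-F]{64}"

# check_one NAME: file content arrives on stdin.
# Returns 1 and prints a reason to stderr when the file must not be committed.
check_one() {
  if [ "${1##*/}" = ".env.keys" ]; then
    echo "blocked: $1 is a private key file" >&2
    return 1
  fi
  if grep -Eq "$KEY_PATTERN"; then
    echo "blocked: $1 contains a DOTENV_PRIVATE_KEY value" >&2
    return 1
  fi
  return 0
}

# check_staged: inspect the staged version of every added or modified file,
# so a key that is staged but later edited out of the working copy is caught.
check_staged() {
  git diff --cached --name-only --diff-filter=ACMR | (
    rc=0
    while IFS= read -r path; do
      git show ":$path" | check_one "$path" || rc=1
    done
    exit "$rc"
  )
}

# Run the check only when installed as .git/hooks/pre-commit.
case "${0##*/}" in
  pre-commit) check_staged || exit 1 ;;
esac
```

Save it as .git/hooks/pre-commit and mark it executable; encrypted .env files pass the check because they carry no private key value.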

Armor

With Armor, the private key is stored remotely as an armored key instead of locally in .env.keys.

$ dotenvx-armor up

Use Armoring when you want private keys kept off device.