Add encryption to your `.env` files with a single command. Use `dotenvx encrypt`.


$ touch .env
$ echo "console.log('Hello ' + process.env.HELLO)" > index.js

$ dotenvx encrypt

Your .env file will now look something like this.


#/            public-key encryption for .env files          /
#/       [how it works](https://dotenvx.com/encryption)     /

# .env

The public encryption key `DOTENV_PUBLIC_KEY` is placed at the top of your `.env` file. This allows anyone on your team to encrypt secrets.

The private decryption key `DOTENV_PRIVATE_KEY` is placed in your `.env.keys` file. Only those holding this key can decrypt secrets.


Locate your DOTENV_PRIVATE_KEY in .env.keys


$ cat .env.keys


#/ private decryption keys. DO NOT commit to source control /
#/     [how it works](https://dotenvx.com/encryption)       /

# .env


In development, the `dotenvx run` command reads from your `.env.keys` file to decrypt and inject your secrets at runtime.


$ dotenvx run -- node index.js
[dotenvx@<version>] injecting env (2) from .env
Hello World

In production, do NOT include your `.env.keys` file. Instead, set your `DOTENV_PRIVATE_KEY` ahead of your `dotenvx run` command; dotenvx then runs the associated .env file, decrypting and injecting your secrets at runtime.


$ dotenvx set HELLO production -f .env.production
$ DOTENV_PRIVATE_KEY_PRODUCTION="4a650a4159790e2341a388ebcd7526036fd33cc6240667c7cd940cde7b11cfaf" dotenvx run -- node index.js
[dotenvx@<version>] injecting env (2) from .env.production
Hello production
> :-D

No more scattering your secrets across multiple third-party platforms where they could leak!
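
A pre-commit style guard for the workflow above, as an added example that is not part of the dotenvx project: it fails when a .env file still holds plaintext values or when `.env.keys` is not listed in `.gitignore`. It assumes the `encrypted:` prefix dotenvx writes on encrypted values; the function names and the script name `check-env.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not dotenvx's own code. Assumption: encrypted values are
# written as KEY="encrypted:..." and only DOTENV_PUBLIC_KEY* stays plaintext.

# Print the names of variables in a .env file whose values are not encrypted.
plaintext_vars() {  # $1 = path to a .env file
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=[[:space:]]*(.*)$/\2 \3/p' "$1" |
  while read -r name value; do
    case "$name" in DOTENV_PUBLIC_KEY*) continue ;; esac
    case "$value" in
      encrypted:*|\"encrypted:*|\'encrypted:*) ;;   # already encrypted
      *) printf '%s\n' "$name" ;;                   # still plaintext
    esac
  done
}

# Succeed only if .env.keys is listed literally in the given .gitignore.
# Simplification: broader globs such as ".env*" are not evaluated.
keys_ignored() {  # $1 = path to .gitignore
  [ -f "$1" ] && grep -qxE '/?(\*\*/)?\.env\.keys' "$1"
}

# Return 0 when the .env file is safe to commit, 1 otherwise.
check_env() {  # $1 = .env file, $2 = .gitignore
  leaked=$(plaintext_vars "$1")
  status=0
  if [ -n "$leaked" ]; then
    echo "plaintext values in $1: $(echo $leaked)" >&2
    status=1
  fi
  if ! keys_ignored "$2"; then
    echo ".env.keys is not listed in $2" >&2
    status=1
  fi
  return "$status"
}

# Stand-alone use: sh check-env.sh .env [.gitignore]
if [ "$#" -gt 0 ]; then
  check_env "$1" "${2:-.gitignore}"
fi
```

Run it from a git pre-commit hook or a CI step against each .env file you commit; a non-zero exit blocks the commit.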