Encrypt secrets in Cloudflare Workers

Learn how to encrypt your first .env file using Cloudflare Workers and the Dotenvx Node.js SDK.

Prerequisites

To get the most out of this guide, you'll need to:

Create your account (optional)

1. Install

Get the Dotenvx Node.js SDK.

$ npm install @dotenvx/dotenvx
# or
# bun add @dotenvx/dotenvx
# pnpm add @dotenvx/dotenvx
# yarn add @dotenvx/dotenvx

2. Encrypt

Encrypt your .env.txt file. Use .env.txt so it can be included in the worker artifact deploy.

$ npx dotenvx encrypt -f .env.txt
◈ encrypted (.env.txt) + local key (.env.keys)

3. Inject

Then inject your encrypted secrets at runtime.

src/index.js

import envSrc from '../.env.txt'
import dotenvx from '@dotenvx/dotenvx'

const config = dotenvx.config({ envs: [{ type: 'env', value: envSrc, privateKeyName: 'DOTENV_PRIVATE_KEY' }] })
const envx = config.parsed

export default {
  async fetch(request, env, ctx) {
    return new Response(`Hello ${envx.HELLO}`)
  }
}

"scripts": {
  "deploy": "wrangler deploy",
  "dev": "wrangler dev --var $(dotenvx keypair -f .env.txt --format=colon)",
  "start": "wrangler dev --var $(dotenvx keypair -f .env.txt --format=colon)",
  "test": "vitest"
},

Production

Set DOTENV_PRIVATE_KEY on Cloudflare and deploy.

cloudflare.com

wrangler deploy