Dotenvx Armor ⛨
Pricing
Private keys. Off device. Under guard.
Pro
50 Armored Keys
Armored Off Device ⛨
- CLI / UI / API
- Run Anywhere
- Multi-Environment
- Encrypted .env Files
- Fully Managed
- Armored Private Keys ⛨
- Rotations
- Personal Security
- Personal Access
Team
100 Armored Keys
Armored Off Device ⛨
- CLI / UI / API
- Run Anywhere
- Multi-Environment
- Encrypted .env Files
- Fully Managed
- Armored Private Keys ⛨
- Rotations
- Team Security
- Access Approvals
- Access Controls
- Access Logs
- Access Alerts
Business
1,000 Armored Keys
Armored Off Device ⛨
- CLI / UI / API
- Run Anywhere
- Multi-Environment
- Encrypted .env Files
- Fully Managed
- Armored Private Keys ⛨
- Rotations
- Team Security
- Access Approvals
- Access Controls
- Access Logs
- Access Alerts
Enterprise
Specific needs
Armored Off Device ⛨
- CLI / UI / API
- Run Anywhere
- Multi-Environment
- Encrypted .env Files
- Fully Managed
- Armored Private Keys ⛨
- Rotations
- Team Security
- Access Approvals
- Access Controls
- Access Logs
- Access Alerts
Why Armor?
Armor keeps your private decryption keys armored off device. Your encrypted environment files stay in code. Your private keys stay under guard.
Encrypted .env file
Commit ciphertext safely with your application.
Armored private key ⛨
Stored off device, managed by policy, separate from code.
Both required to decrypt
Secrets resolve only when encrypted values meet the authorized key.
Compare capabilities across plans.
Access & Identity
| Feature | Pro | Team | Business | Enterprise |
|---|---|---|---|---|
| Login with GitHub | | | | |
| Automation Tokens | — | | | |
| Rotations Daily Limit | 10 | Unlimited | Unlimited | Unlimited |
| Team Members | 1 | 3 | 10 | Flexible |
| Log Retention | 30 days | 30 days | 30 days | Flexible |
Customer Support
| Feature | Pro | Team | Business | Enterprise |
|---|---|---|---|---|
| Billing Method | Annual | Monthly | Monthly | Flexible |
| Payment Method | Card | Card | Card | Flexible |
| Ticket Support | | | | |
| Slack Support | — | — | | |
| .env Expertise | — | — | | |
| Urgent Response SLA | — | — | — | |
| Priority Security Updates | — | — | — | |
| In-App Documentation | | | | |
FAQ
-
Dotenvx uses Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt each secret with a unique ephemeral key, while ensuring it can be decrypted using a long-term private key.
When you initialize encryption, a DOTENV_PUBLIC_KEY (encryption key) and DOTENV_PRIVATE_KEY (decryption key) are generated. The DOTENV_PUBLIC_KEY is used to encrypt secrets, and the DOTENV_PRIVATE_KEY is securely stored in your cloud secrets manager or .env.keys file.
Your encrypted .env file is then safely committed to code. Even if the file is exposed, secrets remain protected since decryption requires the separate DOTENV_PRIVATE_KEY, which is never stored alongside it. Read the whitepaper for more details.
-
Yes. Dotenvx uses ECIES public-key encryption, combining ephemeral key agreement with AES-256 secret encryption so that even if the encrypted .env file is exposed, its contents remain secure. The encryption keys themselves are protected using secp256k1 elliptic curve cryptography, which is widely used for secure key exchange in technologies like Bitcoin.
This means that every secret in the .env file is encrypted with a unique AES-256 key, and that key is further encrypted using a public key (secp256k1). Even if an attacker obtains the encrypted .env file, they would still need the corresponding private key—stored separately—to decrypt anything.
Breaking this encryption would require brute-forcing both AES-256 and elliptic curve cryptography, which is computationally infeasible with current technology. Read the whitepaper for more details.
-
In the Vercel incident scenario, if an attacker accesses environment variables, they still cannot decrypt your encrypted .env secrets without the separate private decryption key. To steal your secrets, an attacker needs both the private key and the encrypted .env files.
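The ECIES flow the FAQ answers describe (a fresh ephemeral key per secret, key agreement on secp256k1, AES-256 for the value), as an added example using only Node.js built-ins. It is not dotenvx's code or wire format: the function names, the HKDF step, the AES-GCM mode and the byte layout are assumptions chosen for illustration.

```javascript
// Added illustration of the ECIES pattern; not dotenvx's code or wire format.
const nodeCrypto = require('node:crypto');

// Long-term keypair: stands in for DOTENV_PUBLIC_KEY / DOTENV_PRIVATE_KEY.
function generateKeypair() {
  const ecdh = nodeCrypto.createECDH('secp256k1');
  ecdh.generateKeys();
  return { publicKey: ecdh.getPublicKey(), privateKey: ecdh.getPrivateKey() };
}

// Derive a 32-byte AES key from the ECDH shared secret, bound to the ephemeral
// public key. The info label is an assumption made for this example.
function deriveKey(shared, ephemeralPub) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, ephemeralPub, 'ecies-example', 32));
}

// Encrypt one secret. Only the public key is needed, so this can run anywhere.
function encryptSecret(publicKey, plaintext) {
  const eph = nodeCrypto.createECDH('secp256k1'); // fresh ephemeral key per secret
  const ephPub = eph.generateKeys();              // 65-byte uncompressed point
  const key = deriveKey(eph.computeSecret(publicKey), ephPub);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Assumed layout: ephemeral public key | IV | auth tag | ciphertext
  return Buffer.concat([ephPub, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt one secret. Fails (throws) without the matching long-term private key
// or if any byte of the stored value was modified.
function decryptSecret(privateKey, encoded) {
  const buf = Buffer.from(encoded, 'base64');
  const ephPub = buf.subarray(0, 65);
  const iv = buf.subarray(65, 77);
  const tag = buf.subarray(77, 93);
  const ct = buf.subarray(93);
  const ecdh = nodeCrypto.createECDH('secp256k1');
  ecdh.setPrivateKey(privateKey);
  const key = deriveKey(ecdh.computeSecret(ephPub), ephPub);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

Encrypting the same value twice yields different ciphertexts because each call generates its own ephemeral key, and decryption with any other private key fails the authentication check.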