You still use .env—now it's time to protect it.

Plaintext .env files have been a massive attack vector. But .env files are also too useful to do without. Even AWS uses them internally.[1]

What if you could encrypt them? With Dotenvx you can. Dotenvx encrypts your .env files, shrinking that attack surface while keeping their benefits.

No vault. No vendor lock-in. Just smarter .env files, encrypted by default, built and maintained by the creator of the original dotenv.

Dotenvx is 100% free and open-source and made for teams who know .env isn't going anywhere—and want a smarter way to work with it.

Read the whitepaper, explore the docs, and try Dotenvx for yourself. I've put a lot of thought into its design. It's dotenv. better.

Scott Motte, [email protected]

Creator of Dotenv, Founder @Dotenvx

This is Dotenvx.

Encrypt .env Files

Run dotenvx encrypt to encrypt your .env files.

Your .env files are protected at rest and in transit: in the repository and wherever the file travels, it carries only ciphertext, and the private key that unlocks it is kept elsewhere. That's a massive win for security.

When you're working with AI editors and agents, encrypted .env files are a must: an editor or agent that reads the file sees only ciphertext, so secrets don't leak into prompts or model context. The plaintext values exist only inside the process you start with dotenvx run.

# 🔐 Encrypted with dotenvx
DOTENV_PUBLIC_KEY="026d4945b6513baec60f68b207f203ba534fb54d2b0c9952557d240815e42a7d83"

# 🗄️ Database
DB_HOST="encrypted:BMO83g2fEtr66gcFvUs2+/ZuccCQuBbZwSW3JfCLvoUiACmusxCbTfG2dvc2LxenPhUtgWapO8f9BCcBVAcTnMcrd3kndvk+acWytRjIWRUvsSezdD340/OT5EQgbqJtwXfuRz0i2t8PVA=="
DB_PORT="encrypted:BGcRf5bK/mChGEqT1MZ8hUbMm3hhtuW9NVGkHtl7KRwqbSKnVcGIDs9T61u77DlyNlYcF1BlLCw9HPmbRQ0nFvLOCZc6r42iRE4OyJw9mu61OjlWQfEl5Z1NrjZw5g0d1tp8New="
DB_USER="encrypted:BBrXv55qxgA19sEqqNnZzS/C0WguVk6ROQmfxnGhBhafLoc0XwpKprk/J3hJCVq7s45WyBSXGUz9U9rHxCBeVkl27WFzzgZkDewX0gBLt+Cc37K0EVU2hZ1GPbax5mzpI5Jwwi65be6+"
DB_PASSWORD="encrypted:BC8aRBQ/Q2YMPjJayggqVN8skqTtxtXFgYA0e8/Ud/Jcez2Daukr6edBmEWQdz/Lu91casaW6CkkCvLSQkPvNpmgYqFB4BKHTUDowX/KEDvVI6CU5Vt478VF5dqHbvPIoKKtBe+4FNXlk5O96A=="
DB_NAME="encrypted:BL0icNnZh6InVmymJBCX6MuL6cwgVc4v1ua1g1XONlV7nkzzHHHpnZN3khx7+ld15bd88EtV4DfqUV2eJ/HJwu0/5F1MH+PAisYSRxBQo8I9AHly2sRsonBm3Bji+DslcC4D7b7wLTBlfCw="

# 🔑 API
API_KEY="encrypted:BCrnJ2sAZH2qwRlPvUqqWyEsd+cVeMQiOV5H/xZ7vjFfcMXHMunmAv/7+jUI356fkVtHfrXu+vBJLjXJiirgB2gky5vvy7h5jevgMS6BgPL5KwjC0tYPlYbe4Bfrf1funYqqrFYaPjsEO+77vCtVaBPz"
STRIPE_API_KEY="encrypted:BOD5Fg+qI9dqhkh+gjCLrTFyhxEAhNDtLgwjkMZOr9l9CsvvhprwCrgsZbIRIFa1Vf6ATnWZ3/bacYnlBXlZ1Hc6YMZHog+ZuVW4AjwxCkB8I0AkcOeOsYzQx2fdtI4kFii01UIhN53jfmUjzLSPYw=="

# ✉️ Email
EMAIL_HOST="encrypted:BMVEIPBGe9xkELFb48KQJPxxnTkUGhsonAU4ug5ca9E5eD/MZimkoQrf/3cb9nhazwfTbScLgeGGr/Jhj4DV7Xpz45XEEFWrPXy1Yi93zWLaJ4XYBHwCke3b4XCbh7jV4uL3WWFjI757yTIS6ilD"
EMAIL_USER="encrypted:BB15pCJmnrb1Jvy5nnyB5F7tYNYiGsqvY6ZORRz4iSw69WJBHk5S9F2ILpI+vqrlFjr3+ZzWI9sc1vIB8t1RvYUHzEdlNCbn5Bhzf9f9+SlTQt6yVUshTZVTA56f7HN3x4+AvVrzpxNoci80r2lwRkltfYM="
EMAIL_PASSWORD="encrypted:BIgpV7btyiGYyySYnG3+NJVGUzNzB4zWjIZbM/VgtnPuiuSsK/KBkirtqkDBI8U/04BRKtupOTNSJTVu6GO39XPSpPvlxA4fNRyeK85W+rFGARp4mrgqfEz/O/eZvqJSqS5kNraAhbkKpXq81rEOBg=="

# 🪵 Logging
LOG_LEVEL="encrypted:BKzfW56VHobMDtfq+iU+MsjVlPDdiKYoJmKLMlUKzsds5dHWjY+GcKbUx7V54jX21kVa6kuBcINNmP/DwXZA2VSb6q8zhMU/Go59aQWqmoqip6jB8DTxc8GjxUF4lWO3PLWJqk8="
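A check worth running before anything like the file above is committed: a pre-commit guard that parses the .env file and refuses it unless every value is already in the encrypted: form. This is an added example, not dotenvx's own code; it assumes dotenvx's key-naming conventions (DOTENV_PUBLIC_KEY, optionally suffixed per environment, is the one plaintext value that belongs in the file, and anything named DOTENV_PRIVATE_KEY does not). The sample files are constructed for the demo; the leaked private key is a placeholder, not a real key.

```javascript
// Added example (not dotenvx code): refuse a .env file unless every secret is
// already encrypted. Assumes dotenvx naming: DOTENV_PUBLIC_KEY[_ENV] stays in
// plaintext in the file; DOTENV_PRIVATE_KEY[_ENV] must never appear in it.

// Minimal KEY=value parser: skips blank lines and comments, tolerates a
// leading "export", strips one layer of matching quotes.
function parseEnv(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    entries.push({ key: m[1], value });
  }
  return entries;
}

// Returns a list of findings; an empty list means the file is safe to commit.
function auditEnv(text) {
  const findings = [];
  for (const { key, value } of parseEnv(text)) {
    // The public (encryption) key is meant to be plaintext in the file.
    if (/^DOTENV_PUBLIC_KEY(_[A-Z0-9_]+)?$/.test(key)) continue;
    // The private (decryption) key must live in .env.keys or a secrets manager.
    if (/^DOTENV_PRIVATE_KEY/.test(key)) {
      findings.push(`${key}: private key belongs in .env.keys or a secrets manager, not here`);
      continue;
    }
    // Empty values carry no secret; anything else must already be ciphertext.
    if (value !== '' && !value.startsWith('encrypted:')) {
      findings.push(`${key}: plaintext value`);
    }
  }
  return findings;
}

// Constructed samples. GOOD reuses two lines from the encrypted file above;
// BAD mixes in a plaintext password and a leaked private key (placeholder text).
const GOOD = `
# 🔐 Encrypted with dotenvx
DOTENV_PUBLIC_KEY="026d4945b6513baec60f68b207f203ba534fb54d2b0c9952557d240815e42a7d83"
DB_HOST="encrypted:BMO83g2fEtr66gcFvUs2+/ZuccCQuBbZwSW3JfCLvoUiACmusxCbTfG2dvc2LxenPhUtgWapO8f9BCcBVAcTnMcrd3kndvk+acWytRjIWRUvsSezdD340/OT5EQgbqJtwXfuRz0i2t8PVA=="
LOG_LEVEL=""
`;
const BAD = `
DOTENV_PUBLIC_KEY="026d4945b6513baec60f68b207f203ba534fb54d2b0c9952557d240815e42a7d83"
DB_PASSWORD="hunter2"
export API_KEY='encrypted:BCrnJ2sAZH2qwRlPvUqqWyEsd+cVeMQiOV5H/xZ7vjFfcMXHMunmAv/7+jUI356fkVtHfrXu+vBJLjXJiirgB2gky5vvy7h5jevgMS6BgPL5KwjC0tYPlYbe4Bfrf1funYqqrFYaPjsEO+77vCtVaBPz'
DOTENV_PRIVATE_KEY="<leaked private key placeholder>"
`;

// auditEnv(GOOD) returns [] ; auditEnv(BAD) returns two findings,
// one for DB_PASSWORD and one for DOTENV_PRIVATE_KEY.
```

Wire auditEnv into a pre-commit hook (read each staged .env* file, fail the commit on any finding) and a developer can no longer accidentally commit a half-encrypted file or a key that belongs in .env.keys.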
  
"Our company was exposed to the CircleCI breach. Encryption would have protected us. We're using it now everywhere so that we're protected from the next breach – likely an AI service."
Remy Logic – CTO

Run Anywhere

Dotenvx works the same across every language, framework, and platform: inject your env at runtime with dotenvx run -- your-cmd. Both plaintext and encrypted .env files load this way.

Compare dotenvx to others →

"I like how usage is consistent across multiple languages and frameworks. No more wrestling with different tools."
Max Syntax – Polyglot Programmer

Multiple Environments

Create a .env.production file and use dotenvx run -f .env.production to load it. It's straightforward, yet flexible.

"I've always liked the .env.environment pattern. Now it finally has first-class support."
Zara Function – Full-Stack/DevOps Engineer

It's like a Swiss Army knife for your .env files.

Look at all these features.

See all advanced features

With strong cryptography.

Read the Whitepaper

Dotenvx: Reducing Secrets Risk with Cryptographic Separation

Abstract. An ideal secrets solution would not only centralize secrets but also contain the fallout of a breach. While secrets managers offer centralized storage and distribution, their design creates a large blast radius, risking exposure of thousands or even millions of secrets. We propose a solution that reduces the blast radius by splitting secrets management into two distinct components: an encrypted secrets file and a separate decryption key.


Growing rapidly.

Dotenvx is installed more than half a million times weekly.

It's only one year old, and yet PayPal, NASA, Procore, Supabase, OpenNext, AWS, Socket, Daytona, Stacks, and Facebook have all adopted it. Even stereotypically slow-moving government departments in Britain, France, Canada, and Finland, having evaluated it for its extra security benefits, adopted it.

It's being used inside AI tooling like PayPal's Agent-Toolkit and Daytona's SDK. It's trusted by security software like Socket's CLI and Registry. AWS recommends it with AWS Amplify, NASA uses it to help power Earthdata Search, and Supabase requires it to unlock their Branching feature. It's incredible, and it will be even more exciting to watch year two unfold.


Easy to switch.

Just replace:

// before
require('dotenv').config()
// after
require('@dotenvx/dotenvx').config()

And opt-in to all the benefits of dotenvx — without changing your current workflow.

And free to use.

Dotenvx is open source software with optional commercial extension – Radar.

OSS – Better dotenv (Open Source)
  Features: Encryption, Run Anywhere, Multiple Environments, Variable expansion, Command substitution
  Support: None
  License: BSD-3
  Pricing: Free

Radar – Env observability (Commercial)
  Features: everything in OSS, plus Backups, Versioning, Observability, Anomaly Detection, Attack Mitigation
  Support: Email
  License: Commercial
  Pricing: $19, lifetime access, one-time payment

Install it today.

curl -fsS https://dotenvx.sh | sh
brew install dotenvx/brew/dotenvx
Docs

Frequently asked questions

Dotenvx uses Elliptic Curve Integrated Encryption Scheme (ECIES) to encrypt each secret with a unique ephemeral key, while ensuring it can be decrypted using a long-term private key.

When you initialize encryption, a DOTENV_PUBLIC_KEY (encryption key) and a DOTENV_PRIVATE_KEY (decryption key) are generated. The DOTENV_PUBLIC_KEY is written into the .env file and used to encrypt secrets; the DOTENV_PRIVATE_KEY is stored separately, in your cloud secrets manager or in a .env.keys file that stays out of version control.

Your encrypted .env file is then safely committed to code. Even if the file is exposed, secrets remain protected since decryption requires the separate DOTENV_PRIVATE_KEY, which is never stored alongside it. Read the whitepaper for more details.

Yes. Each value is encrypted with AES-256 under a fresh, one-time key, so even if the encrypted .env file is exposed its contents remain secure. That one-time key is established with Secp256k1 elliptic-curve cryptography, the same curve Bitcoin uses for its signatures.

Concretely, every secret in the .env file gets its own ephemeral Secp256k1 key pair. An ECDH exchange between that ephemeral key and the DOTENV_PUBLIC_KEY yields, through a key-derivation function, the AES-256 key for that one value, and the ephemeral public key is stored alongside the ciphertext. Only the holder of the matching DOTENV_PRIVATE_KEY can repeat the exchange and recover the AES key. An attacker who obtains the encrypted .env file therefore still needs the private key, which is stored separately, to decrypt anything.

Breaking this would mean either solving the elliptic-curve discrete logarithm problem on Secp256k1 or brute-forcing a 256-bit AES key; both are computationally infeasible with current technology. Read the whitepaper for more details.

In the CircleCI breach the attacker accessed environment variables only. They could not access codebases. To steal your encrypted .env secrets, an attacker needs both – the private decryption key AND the encrypted .env files.

[1] A former AWS engineer mentioned to me (and others) that AWS used them on their production infrastructure. He has since left to start his own business so maybe this is no longer the case.

Can't find the answer you're looking for? Send me an email at [email protected]. I'd enjoy hearing from you.