Scripts · May 2, 2026 · 3 min read

dotenvx — Secure Environment Variable Management from the Creator of dotenv

Encrypt, manage, and inject environment variables across all your environments. dotenvx extends the original dotenv with encryption, multiple environment support, and a universal CLI that works with any language or framework.

Introduction

dotenvx is the next evolution of the original dotenv package, built by the same creator. It adds end-to-end encryption so you can safely commit .env files to version control, manage multiple environments (development, staging, production) from a single tool, and inject variables into any process regardless of language or framework.

What dotenvx Does

  • Encrypts .env files with AES-256-GCM so they can be committed to git safely
  • Supports multiple .env files per environment (.env.production, .env.staging, etc.)
  • Injects environment variables into any command via a universal run wrapper
  • Works across all languages and frameworks without per-ecosystem plugins
  • Provides a decryption key management workflow for team collaboration

Architecture Overview

dotenvx is a standalone CLI binary (written in JavaScript, distributed via npm, curl, or Homebrew). It reads .env files, decrypts them using a DOTENV_PRIVATE_KEY, and injects the resulting key-value pairs into the child process environment. Encryption uses AES-256-GCM with per-file public/private key pairs. The encrypted .env file contains ciphertext that can only be decrypted with the corresponding private key, which is kept separately from the file, for example in CI secrets.

Self-Hosting & Configuration

  • Install via curl one-liner, npm, Homebrew, or Docker
  • Run dotenvx encrypt to encrypt an existing .env file in place
  • Store the private decryption key in your CI/CD secrets or a key management service
  • Use dotenvx run -f .env.production -- command to load specific environments
  • Supports .env.vault format for backward compatibility with dotenv-vault users
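
Because the encrypted file is meant to be committed, a pre-commit style check can confirm that every value in it really is encrypted and that no DOTENV_PRIVATE_KEY entry has slipped in. This is an added example, not code from dotenvx or the original page; it assumes encrypted values start with "encrypted:" and that the file keeps a plaintext DOTENV_PUBLIC_KEY entry, and the function names, environment-suffixed key names and sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not dotenvx code). Assumption: dotenvx-encrypted values begin
# with "encrypted:" and DOTENV_PUBLIC_KEY* entries are plaintext by design.

# List variables in .env file $1 that must not be committed as they stand:
# plaintext values, or any DOTENV_PRIVATE_KEY* entry.
unsafe_vars() {
  awk -v q="'" '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
      line = $0
      sub(/^[ \t]*(export[ \t]+)?/, "", line)    # optional "export " prefix
      eq = index(line, "=")
      if (eq == 0) next
      name = substr(line, 1, eq - 1)
      val  = substr(line, eq + 1)
      sub("^[ \t]*[\"" q "]?", "", val)          # drop an opening quote, if any
      if (name ~ /^DOTENV_PRIVATE_KEY/) { print name " (private key)"; next }
      if (name ~ /^DOTENV_PUBLIC_KEY/)  next
      if (val !~ /^encrypted:/) print name " (plaintext)"
    }' "$1"
}

# Status 0 only if nothing unsafe was found; 2 if the file cannot be read.
safe_to_commit() {
  [ -r "$1" ] || { echo "$1: cannot read" >&2; return 2; }
  findings=$(unsafe_vars "$1")
  [ -z "$findings" ] && return 0
  printf '%s: refusing to commit\n%s\n' "$1" "$findings" >&2
  return 1
}

# Constructed sample files (placeholder keys and ciphertext, not real output).
demo=$(mktemp -d)
cat > "$demo/.env.production" <<'EOF'
#/ constructed sample of an encrypted file
DOTENV_PUBLIC_KEY_PRODUCTION="CONSTRUCTED_PUBLIC_KEY"
DATABASE_URL="encrypted:CONSTRUCTED_CIPHERTEXT_1"
export API_TOKEN='encrypted:CONSTRUCTED_CIPHERTEXT_2'
EOF
cat > "$demo/.env.staging" <<'EOF'
DOTENV_PUBLIC_KEY_STAGING="CONSTRUCTED_PUBLIC_KEY"
DATABASE_URL="encrypted:CONSTRUCTED_CIPHERTEXT_3"
API_TOKEN=constructed-plaintext-token
DOTENV_PRIVATE_KEY_STAGING="CONSTRUCTED_PRIVATE_KEY"
EOF

safe_to_commit "$demo/.env.production" && echo "production: ok"
safe_to_commit "$demo/.env.staging"    || echo "staging: blocked"
```

Called from a git pre-commit hook on each staged .env file, a non-zero status from safe_to_commit stops the commit before a plaintext value or private key reaches the repository.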

Key Features

  • Encrypted .env files can be safely committed to version control alongside code
  • Language-agnostic CLI wraps any command: Node, Python, Ruby, Go, Rust, or shell scripts
  • Multiple environment files replace complex per-environment secret injection setups
  • No SaaS dependency; everything runs locally with keys you control
  • Drop-in replacement for the original dotenv workflow with zero migration pain

Comparison with Similar Tools

  • dotenv — the original library; dotenvx adds encryption and multi-environment support
  • Infisical — full secrets management platform with UI; dotenvx is a lightweight CLI
  • SOPS — encrypts arbitrary files; dotenvx is purpose-built for .env with a simpler workflow
  • HashiCorp Vault — enterprise secrets infrastructure; dotenvx targets developer workflow simplicity
  • 1Password CLI — tied to 1Password; dotenvx uses standalone encryption with no external service

FAQ

Q: Can I commit encrypted .env files to a public repository?
A: Yes. The files are encrypted with AES-256-GCM. Without the private key, the contents are unreadable.

Q: How do team members get the decryption key?
A: Share the DOTENV_PRIVATE_KEY through a secure channel (password manager, encrypted message). In CI, store it as a secret environment variable.

Q: Does dotenvx work with my existing .env files?
A: Yes. Run dotenvx encrypt on any standard .env file to encrypt it in place. The dotenvx run command handles decryption transparently.

Q: What happens if I lose the private key?
A: The encrypted .env file cannot be decrypted without it. Keep a backup of your private keys in a secure location.
