DEV.co
Open-Source Security · dotenvx

dotenvx

dotenvx is a CLI and Node.js library for managing environment variables with end-to-end encryption, built by the creator of dotenv. It works across platforms and languages, supporting multi-environment configurations and encrypted .env files that can be safely committed to version control.

Source: GitHub — github.com/dotenvx/dotenvx
5.6k
GitHub stars
146
Forks
JavaScript
Primary language
BSD-3-Clause
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorydotenvx/dotenvx
Ownerdotenvx
Primary languageJavaScript
LicenseBSD-3-Clause — OSI-approved
Stars5.6k
Forks146
Open issues28
Latest releasev2.2.0 (2026-07-08)
Last updated2026-07-08
Sourcehttps://github.com/dotenvx/dotenvx

What dotenvx is

A JavaScript-based tool that extends dotenv with XChaCha20-Poly1305 encryption for environment secrets, available as both an npm module and cross-platform CLI binary. It injects decrypted variables at runtime via a keypair-based system and integrates with major frameworks (Next.js, Rails, Django) and languages (Python, Go, Rust, PHP, etc.).

Quickstart

Get the dotenvx source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/dotenvx/dotenvx.gitcd dotenvx# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Secure multi-environment deployments

Encrypt separate .env files per environment (.env.production, .env.staging) and store them in version control. Deploy with DOTENV_PRIVATE_KEY only in production, avoiding secrets sprawl across deployment pipelines.

Polyglot development teams

Use dotenvx run -- to inject secrets for any language/framework without language-specific bindings. A single .env file works with Node, Python, Go, PHP, Ruby, Rust, and Bash projects uniformly.

CI/CD and containerized workflows

Embed encrypted .env files in Docker images or Git repos; only inject DOTENV_PRIVATE_KEY as a CI secret. Simplifies secrets management in GitHub Actions, GitLab CI, and Kubernetes deployments.

Implementation considerations

  • Private key management: DOTENV_PRIVATE_KEY must be injected securely at runtime; storing it in version control defeats encryption. Choose your CI/CD secret store carefully.
  • Encryption ceremony: Run `dotenvx encrypt` locally to generate keypairs and create encrypted .env files; this is a one-time setup per environment but requires discipline in team workflows.
  • Compatibility: Verify language/framework support (e.g., TypeScript + Next.js via @dotenvx/next-env override; Python via CLI only, not npm module).
  • Startup overhead: CLI invocation adds a small latency to each run; measure impact in resource-constrained environments (e.g., AWS Lambda cold starts).
  • File structure: Encrypted .env format is dotenvx-specific; switching tools later requires decryption and re-encryption with a new system.

When to avoid it — and what to weigh

  • Existing dedicated secrets manager in place — If you already use HashiCorp Vault, AWS Secrets Manager, or similar, dotenvx adds another secrets layer. Consider whether replacing or alongside your existing system is justified.
  • High-security compliance requirements — For regulated industries (finance, healthcare), verify dotenvx's encryption (XChaCha20-Poly1305) and key management meet your audit standards. Unknown review status for SOC2, HIPAA, or PCI-DSS alignment.
  • Deno runtime dependency — README warns Deno has incomplete cipher support; using the npm module directly with Deno fails with 'Unknown cipher'. Deno users must use the CLI binary, not the library.
  • Secrets rotation or revocation at scale — dotenvx does not address key rotation, revocation, or audit logging. If you need to revoke a keypair across 50 deployments, manual re-encryption and redeployment is required.

License & commercial use

BSD-3-Clause (permissive OSI license). Allows commercial use, modification, and redistribution with attribution and clause retention. No patent or trademark grants; see LICENSE file for exact terms.

BSD-3-Clause is a permissive OSI-approved license that explicitly permits commercial use, including in proprietary products and SaaS offerings. No license fee or additional agreement required. Verify the LICENSE file for exact clause requirements; no integration agreement or support SLA is implied by the license.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Encryption uses XChaCha20-Poly1305, a modern AEAD cipher; see whitepaper for cryptographic details. Threat model: protects .env files stored in Git/CI systems against unauthorized access to individual encrypted files. Assumptions: DOTENV_PRIVATE_KEY is kept secret in CI/CD, CLI and npm packages are not compromised, and users generate strong keypairs. No built-in key rotation, revocation, or audit logs. Private keys are read fresh on each invocation (no caching leaks). Deno encryption support is incomplete (documented limitation). Consider threat model scope (Git-at-rest protection vs. runtime secret injection) before adopting for highly sensitive workloads.

Alternatives to consider

HashiCorp Vault

Enterprise-grade secrets management with dynamic secret generation, audit logging, key rotation, and multi-cloud support. Steeper operational overhead; better for large orgs with compliance mandates.

AWS Secrets Manager / Azure Key Vault

Cloud-native secrets storage with IAM integration, automatic rotation, and compliance certifications (SOC2, HIPAA, PCI-DSS). Lock-in to cloud vendor; higher cost for small teams.

1Password Secrets Automation / Bitwarden Secrets Manager

Team-friendly password managers with CLI support and CI/CD integration. Less technical than Vault; better for smaller teams. 1Password has higher cost.

Software development agency

Build on dotenvx with DEV.co software developers

Ready to encrypt and manage secrets across environments? Review the BSD-3-Clause license, test with a single encrypted .env file, and assess private key injection in your CI/CD. Contact us to discuss integration with your deployment architecture.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

dotenvx FAQ

Can I commit encrypted .env files to Git safely?
Yes, that is the intended design. Encrypted .env files are safe to commit because XChaCha20-Poly1305 AEAD encryption protects content. Only the DOTENV_PRIVATE_KEY must remain secret (stored in CI/CD). Decryption happens at runtime.
What happens if DOTENV_PRIVATE_KEY is leaked?
All committed encrypted .env files become decryptable. Rotate immediately: generate a new keypair via `dotenvx keypair`, re-encrypt all .env files, update DOTENV_PRIVATE_KEY in CI/CD, and revert the leaked key. Full key rotation workflow is manual.
Does dotenvx work with Deno?
Partially. The CLI binary (installed via curl, brew) works with Deno via `dotenvx run -- deno run ...`. The npm module does not work directly with Deno due to incomplete cipher support (documented in README).
Can I use dotenvx with existing secrets managers (Vault, AWS Secrets Manager)?
dotenvx replaces local .env file management but can coexist: use dotenvx for development and local CI, and inject secrets from Vault/AWS in production. No built-in integration shown; requires manual wiring in deployment scripts.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If dotenvx is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate dotenvx for your team

Ready to encrypt and manage secrets across environments? Review the BSD-3-Clause license, test with a single encrypted .env file, and assess private key injection in your CI/CD. Contact us to discuss integration with your deployment architecture.