dotenvx
dotenvx is a CLI and Node.js library for managing environment variables with end-to-end encryption, built by the creator of dotenv. It works across platforms and languages, supporting multi-environment configurations and encrypted .env files that can be safely committed to version control.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | dotenvx/dotenvx |
| Owner | dotenvx |
| Primary language | JavaScript |
| License | BSD-3-Clause — OSI-approved |
| Stars | 5.6k |
| Forks | 146 |
| Open issues | 28 |
| Latest release | v2.2.0 (2026-07-08) |
| Last updated | 2026-07-08 |
| Source | https://github.com/dotenvx/dotenvx |
What dotenvx is
A JavaScript-based tool that extends dotenv with XChaCha20-Poly1305 encryption for environment secrets, available as both an npm module and cross-platform CLI binary. It injects decrypted variables at runtime via a keypair-based system and integrates with major frameworks (Next.js, Rails, Django) and languages (Python, Go, Rust, PHP, etc.).
Get the dotenvx source
Clone the repository and explore it locally.
git clone https://github.com/dotenvx/dotenvx.gitcd dotenvx# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Private key management: DOTENV_PRIVATE_KEY must be injected securely at runtime; storing it in version control defeats encryption. Choose your CI/CD secret store carefully.
- Encryption ceremony: Run `dotenvx encrypt` locally to generate keypairs and create encrypted .env files; this is a one-time setup per environment but requires discipline in team workflows.
- Compatibility: Verify language/framework support (e.g., TypeScript + Next.js via @dotenvx/next-env override; Python via CLI only, not npm module).
- Startup overhead: CLI invocation adds a small latency to each run; measure impact in resource-constrained environments (e.g., AWS Lambda cold starts).
- File structure: Encrypted .env format is dotenvx-specific; switching tools later requires decryption and re-encryption with a new system.
When to avoid it — and what to weigh
- Existing dedicated secrets manager in place — If you already use HashiCorp Vault, AWS Secrets Manager, or similar, dotenvx adds another secrets layer. Consider whether replacing or alongside your existing system is justified.
- High-security compliance requirements — For regulated industries (finance, healthcare), verify dotenvx's encryption (XChaCha20-Poly1305) and key management meet your audit standards. Unknown review status for SOC2, HIPAA, or PCI-DSS alignment.
- Deno runtime dependency — README warns Deno has incomplete cipher support; using the npm module directly with Deno fails with 'Unknown cipher'. Deno users must use the CLI binary, not the library.
- Secrets rotation or revocation at scale — dotenvx does not address key rotation, revocation, or audit logging. If you need to revoke a keypair across 50 deployments, manual re-encryption and redeployment is required.
License & commercial use
BSD-3-Clause (permissive OSI license). Allows commercial use, modification, and redistribution with attribution and clause retention. No patent or trademark grants; see LICENSE file for exact terms.
BSD-3-Clause is a permissive OSI-approved license that explicitly permits commercial use, including in proprietary products and SaaS offerings. No license fee or additional agreement required. Verify the LICENSE file for exact clause requirements; no integration agreement or support SLA is implied by the license.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Encryption uses XChaCha20-Poly1305, a modern AEAD cipher; see whitepaper for cryptographic details. Threat model: protects .env files stored in Git/CI systems against unauthorized access to individual encrypted files. Assumptions: DOTENV_PRIVATE_KEY is kept secret in CI/CD, CLI and npm packages are not compromised, and users generate strong keypairs. No built-in key rotation, revocation, or audit logs. Private keys are read fresh on each invocation (no caching leaks). Deno encryption support is incomplete (documented limitation). Consider threat model scope (Git-at-rest protection vs. runtime secret injection) before adopting for highly sensitive workloads.
Alternatives to consider
HashiCorp Vault
Enterprise-grade secrets management with dynamic secret generation, audit logging, key rotation, and multi-cloud support. Steeper operational overhead; better for large orgs with compliance mandates.
AWS Secrets Manager / Azure Key Vault
Cloud-native secrets storage with IAM integration, automatic rotation, and compliance certifications (SOC2, HIPAA, PCI-DSS). Lock-in to cloud vendor; higher cost for small teams.
1Password Secrets Automation / Bitwarden Secrets Manager
Team-friendly password managers with CLI support and CI/CD integration. Less technical than Vault; better for smaller teams. 1Password has higher cost.
Build on dotenvx with DEV.co software developers
Ready to encrypt and manage secrets across environments? Review the BSD-3-Clause license, test with a single encrypted .env file, and assess private key injection in your CI/CD. Contact us to discuss integration with your deployment architecture.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
dotenvx FAQ
Can I commit encrypted .env files to Git safely?
What happens if DOTENV_PRIVATE_KEY is leaked?
Does dotenvx work with Deno?
Can I use dotenvx with existing secrets managers (Vault, AWS Secrets Manager)?
Software development & web development with DEV.co
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If dotenvx is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate dotenvx for your team
Ready to encrypt and manage secrets across environments? Review the BSD-3-Clause license, test with a single encrypted .env file, and assess private key injection in your CI/CD. Contact us to discuss integration with your deployment architecture.