dotenvx is a cross-platform command-line tool that encrypts .env files using public-key cryptography and decrypts them at runtime, injecting the plaintext secrets into a process environment before execution. It treats encrypted environment files as self-contained vaults that are loaded and decrypted entirely in memory each time a command runs.
What sets dotenvx apart is its ability to armor the private decryption key itself with a passphrase, allowing that key to be stored remotely and retrieved only when decryption is needed. A single encrypted vault file can be bound to multiple per-environment decryption keys, so one artifact can unlock different secrets in development, staging, and production. The tool also supports public-key generation and encryption in a single command. It can encrypt environment files for CI pipelines, commit them safely to version control, and deploy encrypted variables to cloud platforms with a single automated command.
Beyond its core encryption and injection workflow, dotenvx offers on-demand variable decryption, runtime secret injection for serverless functions and task runners, and integrations with frameworks such as Astro. It provides automatic key generation, keyless decryption that discards keys after use, and private key armoring for secure off-device storage. The tool also keeps encrypted environment variables hidden from AI agents while still allowing them to inspect and run projects.