# dotenvx/dotenvx

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/dotenvx-dotenvx).**

4,974 stars · 118 forks · JavaScript · bsd-3-clause

## Links

- GitHub: https://github.com/dotenvx/dotenvx
- Homepage: https://dotenvx.com/docs
- awesome-repositories: https://awesome-repositories.com/repository/dotenvx-dotenvx.md

## Topics

`cli` `configuration-file` `curl` `dotenv` `dotenvx` `end-to-end-encryption` `env` `environment-variables` `homebrew` `secret-management` `secret-manager` `secrets` `secrets-management` `security-tools` `winget`

## Description

dotenvx is a cross-platform command-line tool that encrypts `.env` files using public-key cryptography and decrypts them at runtime, injecting the plaintext secrets into a process environment before execution. It treats encrypted environment files as self-contained vaults that are loaded and decrypted entirely in memory each time a command runs.

What sets dotenvx apart is its ability to armor the private decryption key itself with a passphrase, allowing that key to be stored remotely and retrieved only when decryption is needed. A single encrypted vault file can be bound to multiple per-environment decryption keys, so one artifact can unlock different secrets in development, staging, and production. The tool also supports public-key generation and encryption in a single command, and it can encrypt environment files for CI pipelines, commit them safely to version control, and deploy encrypted variables to cloud platforms with a single automated command.

Beyond its core encryption and injection workflow, dotenvx offers on-demand variable decryption, runtime secret injection for serverless functions and task runners, and integrations with frameworks such as Astro. It provides automatic key generation, keyless decryption that discards keys after use, and private key armoring for secure off-device storage. The tool also keeps encrypted environment variables hidden from AI agents while still allowing them to inspect and run projects.

## Tags

### Part of an Awesome List

- [File Encryption](https://awesome-repositories.com/f/awesome-lists/security/file-encryption.md) — Encrypts entire .env files with public-key cryptography for safe version control and storage. ([source](https://dotenvx.com/docs/secrets-in-dotnet))

### Development Tools & Productivity

- [Encryption CLI Utilities](https://awesome-repositories.com/f/development-tools-productivity/encryption-cli-utilities.md) — Ships a dedicated CLI for encrypting .env files with public-key cryptography and decrypting them at runtime.
- [Encrypted Variable Deployers](https://awesome-repositories.com/f/development-tools-productivity/environment-setup/encrypted-variable-deployers.md) — Dotenv Vault sets up encrypted environment variables for deployment on container and hosting platforms through a single command. ([source](https://dotenvx.com/docs/frameworks/rocket))

### DevOps & Infrastructure

- [Runtime Environment Variable Injections](https://awesome-repositories.com/f/devops-infrastructure/configuration-management/environment-management/environment-variable-management/environment-variable-configurations/environment-variable-configuration/runtime-environment-variable-injections.md) — Decrypts an encrypted vault file then injects the plaintext variables into a child process's environment before the command begins.
- [Per-Environment Vault Bindings](https://awesome-repositories.com/f/devops-infrastructure/environment-configuration/per-environment-vault-bindings.md) — Dotenv Vault manages different sets of environment variables for each deployment environment, loading the appropriate encrypted file and using per-environment decryption keys. ([source](https://cdn.jsdelivr.net/gh/dotenvx/dotenvx@main/README.md))
- [Environment Variable Deployers](https://awesome-repositories.com/f/devops-infrastructure/cloud-deployment-platforms/environment-variable-deployers.md) — Dotenv Vault deploys encrypted environment variables to cloud platforms using a single command, automating setup for each target environment. ([source](https://dotenvx.com/docs/languages/rust))
- [Cross-Platform Execution](https://awesome-repositories.com/f/devops-infrastructure/cross-platform-deployment-targets/cross-platform-execution.md) — Dotenv Vault executes the same encryption and injection tool across different languages and environments without custom integrations. ([source](https://dotenvx.com/))
- [Secrets Deployment Pipelines](https://awesome-repositories.com/f/devops-infrastructure/multi-platform-site-deployment/secrets-deployment-pipelines.md) — Deploying encrypted environment variables to cloud, serverless, and container platforms using a single decryption workflow.
- [Serverless & Task Secret Injections](https://awesome-repositories.com/f/devops-infrastructure/serverless-task-secret-injections.md) — Dotenv Vault decrypts and injects environment variables from encrypted files into serverless functions and remote task runners during execution. ([source](https://dotenvx.com/docs/languages/go))

### Operating Systems & Systems Programming

- [Process Injection Wrappers](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/process-and-memory-management/memory-management/process-lifecycle-orchestrators/process-injection-wrappers.md) — Acts as a process wrapper that decrypts and injects environment variables before executing the target command.

### Security & Cryptography

- [Environment File Encryptors](https://awesome-repositories.com/f/security-cryptography/credential-vaults/encrypted-vaults/encrypted-vault-export/environment-file-encryptors.md) — Dotenv Vault encrypts environment variable files and injects them into build or runtime processes using a private decryption key in a single command. ([source](https://dotenvx.com/docs/platforms/netlify))
- [Environment File Vaults](https://awesome-repositories.com/f/security-cryptography/credential-vaults/encrypted-vaults/environment-file-vaults.md) — Treats the encrypted .env file as a single-file vault that is loaded and decrypted entirely in memory before the application runs.
- [Cross-Platform Encryption Utilities](https://awesome-repositories.com/f/security-cryptography/cross-platform-encryption-utilities.md) — Provides a cross-platform CLI tool that encrypts and decrypts environment files consistently across local, CI, cloud, and serverless platforms.
- [Runtime Secret Injection](https://awesome-repositories.com/f/security-cryptography/cryptographic-key-management/external-key-integration/runtime-secret-injection.md) — Provides automated decryption of encrypted .env files and injection of secrets into the process environment at startup.
- [GPG Key-Based File Encryption](https://awesome-repositories.com/f/security-cryptography/encryption-key-management/asymmetric-encryption/gpg-key-based-file-encryption.md) — Encrypts a plaintext .env file using an asymmetric keypair so secrets stay encrypted at rest and decrypt only at process start.
- [Public-Key Vault Generators](https://awesome-repositories.com/f/security-cryptography/encryption-key-management/asymmetric-encryption/public-key-vault-generators.md) — Generates a public-private key pair and immediately encrypts the environment file, keeping the public key in clear text and the private key separate. ([source](https://dotenvx.com/docs/env-file))
- [Deployment Decryptions](https://awesome-repositories.com/f/security-cryptography/passkey-authentication/vault-decryption/deployment-decryptions.md) — Dotenv Vault injects decrypted environment variables from an encrypted file at application start during each deployment, for any hosting platform. ([source](https://dotenvx.com/docs/platforms/heroku))
- [Environment Variable Key Configurations](https://awesome-repositories.com/f/security-cryptography/passkey-authentication/vault-decryption/environment-variable-key-configurations.md) — Configuring separate decryption keys for each deployment environment so the same encrypted file can be reused with different secrets. ([source](https://dotenvx.com/docs/platforms/render))
- [Per-Environment Key Bindings](https://awesome-repositories.com/f/security-cryptography/passkey-authentication/vault-decryption/environment-variable-key-configurations/per-environment-key-bindings.md) — Assigns per-environment decryption keys to the same encrypted vault file, allowing one artifact to unlock different secrets in dev, staging, and production.
- [Password-Protected Key Armor Utilities](https://awesome-repositories.com/f/security-cryptography/password-protected-key-armor-utilities.md) — Encrypts the private key itself with a passphrase so it can be stored remotely and synced only when a decryption workflow is triggered. ([source](https://dotenvx.com/docs/learn/armoring/introduction))
- [Version-Controlled Secret Encryption](https://awesome-repositories.com/f/security-cryptography/version-controlled-secret-encryption.md) — Dotenv Vault commits encrypted .env files to version control while keeping decryption keys separate, preserving developer workflow without exposing secrets. ([source](https://dotenvx.com/))
- [Key Generation Utilities](https://awesome-repositories.com/f/security-cryptography/encryption-key-management/key-generation-utilities.md) — Automatically generates encryption keys as part of the encrypted environment setup process. ([source](https://dotenvx.com/docs/env-keys-file))
- [Ephemeral Key Retrieval Methods](https://awesome-repositories.com/f/security-cryptography/ephemeral-key-retrieval-methods.md) — Implements keyless decryption by retrieving private keys from memory only when needed and discarding them immediately. ([source](https://dotenvx.com/armor))
- [On-Demand Secret Decryption](https://awesome-repositories.com/f/security-cryptography/on-demand-secret-decryption.md) — Provides on-demand decryption of environment variables, only decrypting secrets when accessed rather than at process startup. ([source](https://dotenvx.com/docs/languages/nodejs))

### Software Engineering & Architecture

- [File-Based Loading](https://awesome-repositories.com/f/software-engineering-architecture/application-lifecycle-management/configuration-management/environment-variable-management/environment-variables/environment-variable-based-configuration/file-based-loading.md) — Loads environment variables from plaintext .env files into the process environment, supporting both CLI and programmatic usage. ([source](https://cdn.jsdelivr.net/gh/dotenvx/dotenvx@main/README.md))

### Web Development

- [Framework Integrations](https://awesome-repositories.com/f/web-development/framework-integrations.md) — Dotenv Vault integrates encrypted environment variables into the Astro framework, decrypting and injecting them during application startup. ([source](https://dotenvx.com/docs/frameworks/astro))