
Encrypt and decrypt your .env file so you can store sensitive information (passwords etc.) in source control
Encrypt and decrypt your .env so it doesn't expose sensitive information (passwords, tokens etc.)
You have a .env file in your project (usually at the app's root folder) and are using it with a package
like dotenv to expose its contents as environment variables in your app.
But your .env contains sensitive information (passwords, tokens etc.) in clear text, so you don't want to place it in
your versioned code. Using dotenvenc you generate an encrypted version, .env.enc, from .env and share only
that in your project. In your code you regenerate .env from .env.enc at runtime when you need to access the sensitive data.
NOTE: this package is meaningful only if used in combination with a package like dotenv
which actually creates the environment variables found in the generated decrypted .env file.
TIP: add .env in your .gitignore so it's guaranteed to never get versioned.
Install and save as a local dependency in your project:
npm i dotenvenc
Generate the encrypted .env.enc from the clear-text .env (for this file's format, consult the dotenv docs)
using the installed command line script dotenvenc:
<PROJECT_PATH>/node_modules/.bin/dotenvenc -e myPassword
You can also define custom pathnames for both the input and the output file of the encryption or decryption operation.
For example, to encrypt a custom clear-text file /somewhere/.env.custom into the custom encrypted file ./somewhere/else/.env.enc.custom:
<PROJECT_PATH>/node_modules/.bin/dotenvenc -e -i /somewhere/.env.custom -o ./somewhere/else/.env.enc.custom myPassword
You need to do this once in the beginning or when you make changes to your .env.
If -i and -o are omitted, the defaults are:
./.env for the unencrypted file, used as input for the encryption or as output for the decryption
./.env.enc for the encrypted file, used as output for the encryption or as input for the decryption
NOTE: If you have npm@5.2.0 or better, you also have npx in your path, so the above command is simply:
npx dotenvenc ...
Save the key myPassword as an environment variable in your .bashrc or .bash_profile:
export DOTENVENC_KEY='myPassword';
You can choose any name for this variable.
Once you have created the .env.enc, you need to regenerate the clear-text .env at runtime to access the passwords, tokens etc.
Assuming your .env with the sensitive data is:
DB_PASS='mySupercalifragilisticexpialidociousPassword'
CHASTITY_KEY='youShallNotPass'
and you have generated .env.enc with the key myPassword, which you saved in the environment variable DOTENVENC_KEY (see Encryption above), there are two ways to do this.
require('dotenvenc').decrypt({ passwd: process.env.DOTENVENC_KEY });
require('dotenv').config();
// From here on you have access to the passwords through process.env.DB_PASS and process.env.CHASTITY_KEY
Or, if you used custom encrypted and decrypted pathnames, e.g. ./somewhere/.env.enc.custom and ./somewhere/else/.env.custom respectively, then:
require('dotenvenc').decrypt({ passwd: process.env.DOTENVENC_KEY, encryptedPathname: './somewhere/.env.enc.custom', decryptedPathname: './somewhere/else/.env.custom' });
require('dotenv').config();
// From here on you have access to the passwords through process.env.DB_PASS and process.env.CHASTITY_KEY
Alternatively, use the command line script mentioned earlier with the -d flag:
<PROJECT_PATH>/node_modules/.bin/dotenvenc -d myPassword
Or, if you used custom encrypted and decrypted pathnames, e.g. ./somewhere/.env.enc.custom and ./somewhere/else/.env.custom respectively, then:
<PROJECT_PATH>/node_modules/.bin/dotenvenc -d -i ./somewhere/.env.enc.custom -o ./somewhere/else/.env.custom myPassword
This can be useful if you corrupt your .env (remember that .env is an unversioned file). With the dotenvenc script
you can recreate it in its last functioning state from your .env.enc, unless you corrupted that one too by running
the Encryption step above on the corrupted .env (then you're done!).
NOTE: this only regenerates the .env from the encrypted .env.enc file (no environment variables are created from its contents).
There are two sample files used for the tests.
File .env.sample with contents:
FOO=bar
and its encrypted counterpart .env.enc.sample.
To run the tests:
npm t
We found that dotenvenc demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.