A CLI tool for securely encrypting/decrypting .env files (Node.js version)

ouchanip/env-vault-node

🔐 env-vault

Secure .env file encryption for team collaboration.
AES-256-GCM · Zero config · Works with npx


The Problem

Every dev team has .env files with API keys, database passwords, and tokens. You can't commit them to Git, so you end up sharing them over Slack, email, or sticky notes.

That's a security nightmare.

The Solution

env-vault encrypts your .env into .env.enc — a file you can safely commit to Git. Only team members with the key can decrypt it.

Quick Start

# 1. Generate encryption key
npx @ouchanip/env-vault init

# 2. Encrypt .env → .env.enc (safe to commit)
npx @ouchanip/env-vault encrypt

# 3. Decrypt .env.enc → .env (restore secrets)
npx @ouchanip/env-vault decrypt -o .env

That's it. Three commands. Zero config.

Installation

# Run directly (no install)
npx @ouchanip/env-vault <command>

# Or install globally
npm install -g @ouchanip/env-vault

# Or as a dev dependency
npm install --save-dev @ouchanip/env-vault

Commands

Command   Description
init      Generate a new .env.key encryption key
encrypt   Encrypt .env → .env.enc
decrypt   Decrypt .env.enc → stdout or file

Options

encrypt:
  -i, --input-file <path>   Input file (default: .env)
  -o, --output-file <path>  Output file (default: .env.enc)

decrypt:
  -i, --input-file <path>   Input file (default: .env.enc)
  -o, --output-file <path>  Output file (default: stdout)

Workflow

 Developer A         Git Repo          Developer B
┌─────────────┐   ┌─────────────┐   ┌─────────────┐
│ .env        │──►│ .env.enc    │◄──│             │
│ .env.key    │   │             │   │ .env.key    │
└─────────────┘   └─────────────┘   └─────────────┘
                                      │
                                      ▼
                                 decrypt ──► .env
  1. Developer A runs env-vault encrypt and commits .env.enc
  2. Developer B pulls and runs env-vault decrypt -o .env
  3. Share .env.key once (securely), commit .env.enc as often as you like

.gitignore Setup

# Secrets — NEVER commit these
.env
.env.key
.env.*.key

# Safe to commit
.env.enc

Security

Property      Value
Algorithm     AES-256-GCM (authenticated encryption)
Key size      256 bits (32 bytes, hex-encoded)
IV            96 bits (12 bytes), random per encryption
Auth Tag      128 bits (16 bytes)
Dependencies  Node.js built-in crypto only

Every encryption generates a fresh random IV. The auth tag ensures integrity — any tampering is detected.
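
The parameters in the table above, exercised with Node's built-in crypto module. This is an added example, not env-vault's own source: the function names (parseKey, seal, unseal, tamperIsDetected) are hypothetical, and the iv || tag || ciphertext layout is an assumption, since this README does not document the .env.enc format.

```javascript
// Added example, not env-vault's source. The iv || tag || ciphertext layout
// is an assumption; the README does not document the .env.enc format.
const crypto = require('node:crypto');

const IV_LEN = 12;  // 96-bit IV, random per encryption
const TAG_LEN = 16; // 128-bit auth tag

// Parse a hex-encoded 256-bit key; anything but 64 hex digits is rejected.
function parseKey(hex) {
  const h = hex.trim();
  if (!/^[0-9a-fA-F]{64}$/.test(h)) throw new Error('key must be 32 bytes, hex-encoded');
  return Buffer.from(h, 'hex');
}

function seal(plaintext, key) {
  const iv = crypto.randomBytes(IV_LEN); // fresh IV: never reuse one under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(blob, key) {
  if (blob.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = blob.subarray(IV_LEN + TAG_LEN);
  // Pinning authTagLength makes Node reject shortened tags.
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so no plaintext is returned.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when a copy of blob with one bit flipped at byteIndex fails to decrypt.
function tamperIsDetected(blob, key, byteIndex) {
  const bad = Buffer.from(blob);
  bad[byteIndex] ^= 0x01;
  try { unseal(bad, key); return false; } catch { return true; }
}

// Constructed sample data; the key is generated on the fly.
const key = parseKey(crypto.randomBytes(32).toString('hex'));
const sample = 'API_KEY=constructed-example\nDB_PASS=not-a-real-secret\n';
const a = seal(sample, key);
const b = seal(sample, key);
console.log('round trip ok:', unseal(a, key) === sample);
console.log('same plaintext, different blobs:', !a.equals(b));
console.log('bit flip rejected:', tamperIsDetected(a, key, a.length - 1));
```

A flipped bit in the IV, the tag, or the ciphertext is rejected alike, because all three feed the tag check.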

Testing

npm test

15 tests across 3 suites covering encryption, decryption, key generation, error handling, and edge cases.

Contributing

Issues and PRs are welcome! Please open an issue first to discuss major changes.

License

MIT
