Never commit a .env file again
envcrypt encrypts your environment variables with AES-256-GCM. Generate secrets, detect safe ports, and decrypt straight into memory — so plaintext never touches your disk.
Every plaintext .env file is a potential data breach waiting to happen.
Secrets stored in plaintext .env files. Accidentally committed to git. Leaked in code reviews. Exposed in backups.
Secrets encrypted with AES-256-GCM. Only .env.enc is committed. Decrypted straight into memory. Never touches disk.
From initialization to runtime — envcrypt handles everything.
Run envcrypt init and answer a few questions. Choose a preset or configure custom variables.
envcrypt creates cryptographically secure secrets and finds safe, unblocked ports automatically.
Everything is bundled into an AES-256-GCM encrypted .env.enc file with Argon2id key derivation.
Use envcrypt run to decrypt into memory and execute. Auto-cleanup when done.
Built by developers, for developers. Every feature designed to make secret management effortless.
Military-grade encryption with Argon2id key derivation. Your password never leaves your machine.
Cryptographically secure random strings for JWT, sessions, and API keys. No more changeme123.
Scans active processes and suggests completely safe, unblocked ports. No more EADDRINUSE.
Secrets decrypted straight into application memory. Auto-shred on exit. Never touches disk as plaintext.
Automatically blocks plaintext .env commits. Never accidentally expose secrets again.
Asymmetric key sharing and one-time bootstrap tokens. Share .env.enc safely with your team.
Add envcrypt to any Node.js project in seconds.
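// At the top of your entry file
import { decryptToEnv } from "envcrypt";
await decryptToEnv(); // process.env is now populated
// Static imports are hoisted: express is loaded before decryptToEnv() runs.
// A module that reads process.env at load time needs a dynamic import() after the await.
import express from "express";
const app = express();
// Your secrets are in memory, never on disk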
Everything you need to know about envcrypt.
dotenv loads plaintext .env files into memory. envcrypt encrypts your environment variables with AES-256-GCM, so only an encrypted .env.enc file exists on disk. Secrets are decrypted at runtime and never saved as plaintext. Plus, envcrypt auto-generates secure secrets and detects safe ports.
envcrypt uses AES-256-GCM for encryption with Argon2id for key derivation. The encrypted file includes an HMAC-SHA256 header for tamper detection. This is the same encryption standard used by governments and military organizations worldwide.
Yes! .env.enc is designed to be committed to version control. For team sharing, envcrypt supports asymmetric encryption — the AES key is encrypted with each team member's public key. New members can join with one-time bootstrap tokens.
Your password is never stored anywhere — it's used to derive the encryption key via Argon2id. If you forget it, you cannot decrypt .env.enc. You'll need to run envcrypt init again to create a new encrypted environment. This is by design — zero-knowledge security.
Yes, envcrypt is completely free and open source under the MIT license. All core features — encryption, secret generation, port detection, and the CLI — are free forever. Future cloud integrations may have paid tiers.
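The answers above describe a password-derived key, AES-256-GCM encryption, and a file that cannot be opened after tampering or with a forgotten password; the following shows that behaviour end to end. It is an added example, not envcrypt's code or file format: the blob layout and the names sealEnv, openEnv, tryOpen and demo are assumptions, scrypt from Node's standard library stands in for Argon2id, and tamper detection comes from the GCM tag rather than the HMAC-SHA256 header mentioned above.

```javascript
// Added example: not envcrypt's code or file format. Layout assumed here:
// salt(16) | nonce(12) | GCM tag(16) | ciphertext
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// scrypt stands in for Argon2id so the example needs no third-party package.
const deriveKey = (password, salt) =>
  scryptSync(password, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });

function sealEnv(vars, password) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12); // fresh nonce per encryption; never reuse under one key
  const cipher = createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  const plaintext = Buffer.from(JSON.stringify(vars), "utf8");
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

function openEnv(blob, password) {
  if (blob.length < 44) throw new Error("truncated file");
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(password, salt), nonce, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify: wrong password or modified bytes
  const plain = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

function tryOpen(blob, password) {
  try { return { ok: true, vars: openEnv(blob, password) }; }
  catch { return { ok: false }; }
}

function demo() {
  const vars = { JWT_SECRET: randomBytes(32).toString("hex"), PORT: "4317" }; // constructed sample values
  const blob = sealEnv(vars, "correct horse battery staple");
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: tryOpen(blob, "correct horse battery staple"),
    wrongPassword: tryOpen(blob, "changeme123"),
    tampered: tryOpen(tampered, "correct horse battery staple"),
    original: vars,
  };
}
```

The object returned by openEnv can be merged into process.env with Object.assign, which keeps the plaintext in process memory only.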