Environment variables (.env files) are a popular way to manage configuration and secrets in modern applications.
leaving these files unencrypted exposes critical API keys, database credentials, and other sensitive data to risk.
In this post, weβll explore why encrypting your environment variables is essential, introduce dotenvxβa lightweight CLI for encrypting/decrypting your .env filesβand compare it with other industry-standard methods for secret management.
The Risk of Unencrypted .env Files
Version Control Exposure: Accidentally committing .env files can leak secrets publicly (e.g., GitHub incident examples).
Lateral Movement: If an attacker gains read-only access to a development server, they can harvest keys to pivot deeper into your systems.
Compliance & Auditing: Many regulations (PCI-DSS, GDPR) require encryption at rest for secrets and credentials.
Introducing dotenvx
dotenvx is a simple CLI tool that builds on the familiar .env workflow:
Encrypt: dotenvx encrypt .env produces an encrypted file (e.g., .env.enc).
Decrypt: dotenvx decrypt .env.enc restores the original .env.
Integration: Works seamlessly in CI/CD pipelines and local development.
Key Features
- AES-256 symmetric encryption under the hood.
- Support for rotating keys without re-encrypting all files.
- ~/.dotenvx/key management for team-shared secrets.
Alternative Approaches to Secret Management
While dotenvx is lightweight and developer-friendly, larger organizations or security-focused teams may opt for more comprehensive solutions:
HashiCorp Vault
Centralized secret vault with dynamic secrets, leasing, and revocation.
API-driven, integrates with Kubernetes, CI/CD.
AWS Secrets Manager / Parameter Store
Fully-managed, regionally redundant.
Automatic rotation, IAM-based access control.
Mozilla SOPS + Git-Crypt
Encrypt files in a Git repo using KMS backends (AWS KMS, GCP KMS).
Seamless developer experience via git-crypt.
CI/CD Native Secrets
GitHub Actions Secrets, GitLab CI/CD Variables: encrypted at rest and injected at runtime.
No file in repo, but limited to pipeline scope.
Comparison Table
| Solution | Encryption at Rest | Key Rotation | Dynamic Secrets | Ease of Use |
|---|---|---|---|---|
| dotenvx | β | β | β | βββββ |
| HashiCorp Vault | β | β | β | ββ |
| AWS Secrets Manager | β | β | β | βββ |
| SOPS + git-crypt | β | β | β | ββββ |
| CI/CD Secrets | β | β | β | βββββ |
Best Practices for Managing Encrypted Environment Variables
.gitignore: Always ignore decrypted .env files; only commit encrypted artifacts.
Key Rotation: Schedule regular key rotation and test decryption in CI.
Access Control: Limit decryption keys to essential team members or services.
Secrets Injection: Favor injecting secrets at runtime when possible.
Top comments (11)
Love seeing a simple tool like that instead of some huge system, sometimes all I want is not losing my API keys tbh - you think most people actually rotate their keys as much as theyre supposed to or nah?
Totally! I still see people commit their .env files right into the repoβrotating keys is the least of their worries :)
First of all, great article! Security nowadays should be one of the top concerns on every developer's mind. However, encrypting and decrypting the .env file takes time and planning, which is why very few developers actually do it.
Agreedβencrypting .env files takes effort, which is why many skip it. But that small step can save big trouble later.
dotenvx is a great simple solution.
For a more complete config toolkit, check out dmno.dev - it also does things like validation, coercion, type-safety, leak prevention, and more. It uses plugins to pull secrets from a variety of backends, like 1Password, encrypted files, etc.
Thanks! dmno.dev looks powerfulβappreciate the tip!
this is legit info, secrets in plain text always freak me out - you think most teams actually mess up key rotation or just get lazy with it over time
I've seen teams start strong, but over time, key rotation slips unless it's automated or enforced.
Thank you for helpful article. Using dotenvx to encrypt environment is a simple yet effective solution, and it's easy to intergrate into many process, In the past, a teammate accidentally commited a config file with sensitive data a public repo, and our company was alerted by AWS Security tools. Since then, I've realized how important it is to protect .env files. I'm planning to use dotenvx in our CI/CD pipeline - could you share more about how to set it up Jenkins or Gitlabs?
Thanks for sharing your experience and I'm glad you found the article helpful!
Your note about CI/CD integration is a great point, and it might just be the inspiration for my next post. Stay tuned! π
Loving dotenvx for encrypted env varsβsuper handy for team safety. Anyone else using it? How do you manage secrets?