A dev-friendly CLI workflow for encrypting, auditing, and sharing your environment secrets. AES-256-GCM. Zero account. Zero server. Zero drama.
Every team has done it. It's not carelessness — it's a missing tool. envcrypted is that tool.
Four steps. One secret key. Your .env stays yours.
Everything your team needs to secure, share, audit, and sync environment variables.
Set up envcrypted, generate a secret key, choose storage (local or GitHub), and auto-update .gitignore to protect .env.
Encrypts your .env with AES-256-GCM and saves it as .env.vault. With GitHub storage, the vault is committed and pushed automatically.
Decrypts the vault and restores your .env file. Perfect for new team members getting started in seconds.
Scans .env for weak passwords, placeholder keys, exposed DB URIs, localhost in production, debug flags, and more.
Strips all values from .env but keeps the keys, creating a .env.example that is safe to commit publicly.
Quick snapshot of your project: vault state, gitignore, hook installed, .env.example — all at once.
Runs 8 health checks on your setup and tells you exactly what's wrong and how to fix it.
Adds a git pre-commit hook that warns if .env is unencrypted and blocks any commit where .env is accidentally staged.
Removes the envcrypted pre-commit hook from your repository cleanly without affecting other hooks.
Uses Node.js's built-in crypto module — the same one used by millions of production apps. Open source. No black boxes.
| Property | Value |
| --- | --- |
| Algorithm | AES-256-GCM |
| Key Derivation | PBKDF2-SHA512 |
| Iterations | 100,000 |
| Salt | 64 bytes (random per encryption) |
| IV | 16 bytes (random per encryption) |
| Auth Tag | 16 bytes (tamper detection) |
| Secret Key Storage | Never stored anywhere |
| License | MIT — open source |
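How the parameters in the table fit together with Node.js's built-in crypto module, as an added example that is not envcrypted's own code. The `salt | iv | tag | ciphertext` vault layout, the function names, and the sample values are assumptions made for illustration.

```javascript
// Added example, not envcrypted's source. Sizes and iteration count are taken
// from the table above; the vault layout and all names are assumptions.
const crypto = require('node:crypto');

const SALT_LEN = 64, IV_LEN = 16, TAG_LEN = 16, KEY_LEN = 32, ITERATIONS = 100000;

function deriveKey(secret, salt) {
  // PBKDF2-SHA512 stretches the secret key into a 256-bit AES key.
  return crypto.pbkdf2Sync(secret, salt, ITERATIONS, KEY_LEN, 'sha512');
}

function encryptEnv(plaintext, secret) {
  const salt = crypto.randomBytes(SALT_LEN); // fresh for every encryption
  const iv = crypto.randomBytes(IV_LEN);     // fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv,
    { authTagLength: TAG_LEN });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

function decryptEnv(vault, secret) {
  if (vault.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('vault too short');
  const salt = vault.subarray(0, SALT_LEN);
  const iv = vault.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = vault.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = vault.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret, salt), iv,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: wrong secret or modified vault.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True if the vault decrypts and authenticates, false otherwise.
function opens(vault, secret) {
  try { decryptEnv(vault, secret); return true; } catch { return false; }
}

// Constructed sample input, not real secrets.
const sampleEnv = 'DB_PASSWORD=constructed-example\nDEBUG=false\n';
const sampleSecret = 'constructed-secret-key';
const vault = encryptEnv(sampleEnv, sampleSecret);
const tampered = Buffer.from(vault);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit

console.log('round trip ok:', decryptEnv(vault, sampleSecret) === sampleEnv);
console.log('tampered opens:', opens(tampered, sampleSecret));
console.log('wrong secret opens:', opens(vault, 'wrong-secret'));
```

GCM accepts the 16-byte IV listed in the table, though NIST SP 800-38D recommends 96-bit (12-byte) IVs for GCM.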
Solo dev, small team, or large org — the workflow scales with you.
envcrypted is open source and actively improving based on real developer feedback. Every issue, idea, and PR matters.
Free. Open source. No account. No server.
Works on Windows, macOS, and Linux. Requires Node.js 16+.