Environment variables (.env files) are a popular way to manage configuration and secrets in modern applications.
leaving these files unencrypted exposes critical API keys, database credentials, and other sensitive data to risk.
In this post, weβll explore why encrypting your environment variables is essential, introduce dotenvxβa lightweight CLI for encrypting/decrypting your .env filesβand compare it with other industry-standard methods for secret management.
The Risk of Unencrypted .env Files
Introducing dotenvx
dotenvx is a simple CLI tool that builds on the familiar .env workflow:
Key Features
Alternative Approaches to Secret Management
While dotenvx is lightweight and developer-friendly, larger organizations or security-focused teams may opt for more comprehensive solutions:
HashiCorp Vault
AWS Secrets Manager / Parameter Store
Mozilla SOPS + Git-Crypt
CI/CD Native Secrets
Comparison Table
Best Practices for Managing Encrypted Environment Variables
More...
leaving these files unencrypted exposes critical API keys, database credentials, and other sensitive data to risk.
In this post, weβll explore why encrypting your environment variables is essential, introduce dotenvxβa lightweight CLI for encrypting/decrypting your .env filesβand compare it with other industry-standard methods for secret management.
The Risk of Unencrypted .env Files
- Version Control Exposure: Accidentally committing .env files can leak secrets publicly (e.g., GitHub incident examples).
- Lateral Movement: If an attacker gains read-only access to a development server, they can harvest keys to pivot deeper into your systems.
- Compliance & Auditing: Many regulations (PCI-DSS, GDPR) require encryption at rest for secrets and credentials.
Introducing dotenvx
dotenvx is a simple CLI tool that builds on the familiar .env workflow:
- Encrypt: dotenvx encrypt .env produces an encrypted file (e.g., .env.enc).
- Decrypt: dotenvx decrypt .env.enc restores the original .env.
- Integration: Works seamlessly in CI/CD pipelines and local development.
Key Features
- AES-256 symmetric encryption under the hood.
- Support for rotating keys without re-encrypting all files.
- ~/.dotenvx/key management for team-shared secrets.
Alternative Approaches to Secret Management
While dotenvx is lightweight and developer-friendly, larger organizations or security-focused teams may opt for more comprehensive solutions:
HashiCorp Vault
- Centralized secret vault with dynamic secrets, leasing, and revocation.
- API-driven, integrates with Kubernetes, CI/CD.
AWS Secrets Manager / Parameter Store
- Fully-managed, regionally redundant.
- Automatic rotation, IAM-based access control.
Mozilla SOPS + Git-Crypt
- Encrypt files in a Git repo using KMS backends (AWS KMS, GCP KMS).
- Seamless developer experience via git-crypt.
CI/CD Native Secrets
- GitHub Actions Secrets, GitLab CI/CD Variables: encrypted at rest and injected at runtime.
- No file in repo, but limited to pipeline scope.
Comparison Table
| dotenvx | β | β | β | βββββ |
| HashiCorp Vault | β | β | β | ββ |
| AWS Secrets Manager | β | β | β | βββ |
| SOPS + git-crypt | β | β | β | ββββ |
| CI/CD Secrets | β | β | β | βββββ |
Best Practices for Managing Encrypted Environment Variables
- .gitignore: Always ignore decrypted .env files; only commit encrypted artifacts.
- Key Rotation: Schedule regular key rotation and test decryption in CI.
- Access Control: Limit decryption keys to essential team members or services.
- Secrets Injection: Favor injecting secrets at runtime when possible.
More...