🔐 senv
A simple CLI tool for encrypting and decrypting .env files.
Features:
- 🔒 Encrypt and decrypt
.env
files so they can be securely tracked in Git - 👀 .env file changes are easily visible during code review
- 🔢 Supports multiple
.env
files for different environment configurations - 🎮 Supports encryption and decryption via CLI tool
- 🚢 Easy to configure for use with a CI system
Installation:
$ yarn global add senv
or
$ npm install -g senv
Basic Usage
Setup your encryption key
$ echo "your_password_here" >> .env.pass
Encrypt a plain text .env file:
$ senv encrypt .env -o .env.enc
Decrypt an encrypted .env file:
$ senv decrypt .env.enc -o .env
Passwords
There are several ways to store your passwords, depending on what works best with your project's existing setup.
.env
files
One password for all To configure senv
to use a single password for all .env
files you have two options:
- Set the
DOTENV_PASS
environment variable in your~/.bash_profile
:
$ export DOTENV_PASS=your_password_here
- Create a file named
.env.pass
in the same directory as your.env
file:
$ echo "your_password_here" >> .env.pass
If both an environment variable and a password file are present, senv
will default to using the
environment variable.
.env
file
One password for each senv
will look for and use an environment variables or password file for each .env
file based
on the filename that is passed in, like so:
$ senv encrypt .env # Looks for $DOTENV_PASS or .env.pass
$ senv encrypt .env.prod # Looks for $DOTENV_PROD_PASS or .env.prod.pass
$ senv decrypt .env.prod.enc # Looks for $DOTENV_PROD_PASS or .env.prod.pass
$ senv decrypt .env.prod.encrypted # Looks for $DOTENV_PROD_PASS or .env.prod.pass
$ senv decrypt .env.prod.suffix # Looks for $DOTENV_PROD_SUFFIX_PASS or .env.prod.suffix.pass
If both an environment variable and a password file are present for an individual .env
file,
senv
will default to using the environment variable.
CLI Argument (insecure)
You can also pass in your password as a command line argument, like so:
$ senv encrypt .env -p your_password_here
However, this method is insecure and should not be your first choice.
Advanced Usage
Update encrypted .env file on each commit:
$ echo "#!/bin/sh" >> .git/hooks/pre-commit
$ echo "senv encrypt .env -o .env.enc" >> .git/hooks/pre-commit
$ chmod +x .git/hooks/pre-commit
Decrypt .env.env file in CI pipeline:
- Add
$DOTENV_PASS
or individual file environment variable via UI
Why?
Everyone knows it's bad practice to store plaintext secrets in git. Often the alternatives are unecessarily complex for small projects (e.g. Hashicorp Vault), or are a pain to manage (e.g. passing around .env
files among developers via slack or email 🤮).
This tool makes it easy to encrypt and decrypt any .env
files so they can be securely tracked in Git.
There are several other great libraries that support encryption of environment variables (encrypt-env, secure-env, etc), but none fit our use case well (managing secrets in .env
files with react-native-config
) for one reason or another.
So I created this tool. Hope it helps someone else out 😊.