npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

mytabru-dotenvenc

v5.1.1

Published

Encrypt and decrypt in-memory at runtime your .env file so you can store sensitive information (passwords etc.) in source control

Downloads

4

Readme

@tka85/dotenvenc

NOTE: This is an improved version of the now deprecated dotenvenc.

Are you using .env and it contains secrets like passwords & tokens?

And are you using dotenv to expose those secrets as process.env variables to your app?

Problem: you are exposing the secrets in plain text in your repository and your production system.

Solution: you can now save your .env encrypted as .env.enc, then decrypt it during runtime only in memory (never on disk) and transparently get the same functionality as you enjoyed from dotenv.

Benefits

  • Secure! ✔ You can safely commit into your codebase the encrypted .env.enc without compromosing your secrets
  • Secure!! ✔ Your secrets exist unencrypted only in memory during runtime; never on disk
  • Secure!!! ✔ Secrets protected with strong encryption (AES-256)
  • Handy! ✔ Comes with CLI script dotenvenc for easily updating your .env.enc from your local (uncommitted) .env
  • Lean! ✔ Still maintain a single dependency but now on dotenvenc instead of dotenv
  • Easy! ✔ Transition from dotenv replacing a single line of code
  • Flexible! ✔ Not limited to .env and .env.enc i.e. you can set any custom filenames for the encrypted and unencrypted files
  • Modern! ✔ Fully re-written in Typescript

Tip

Add .env in your .gitignore so your unencrypted secrets are guaranteed to never get committed in your codebase.

Installation

npm i @tka85/dotenvenc

Encryption

You have a .env (or custom-named unencrypted secrets file) and you will generate a .env.enc (or custom-named file) which is encrypted and safe to commit.

You can use the handy command-line script dotenvenc that comes installed with the package. Just run it without arguments to see the help page.

Step 1 (optional)

Convenient option

Save the encryption/decryption password you will be using in the environment variable DOTENVENC_PASS in your .bashrc (or .bash_profile):

export DOTENVENC_PASS='mySuperDuperPassword';

and reload it:

source ~/.bashrc

Upon runtime your app will use this env variable when reading the encrypted .env.enc to decrypt it and populate your process.env (see following section Decryption on how to do this).

But setting this env variable is also helpful for the CLI tool dotenvenc. If DOTENVENC_PASS is set, the dotenvenc script will not prompt you each time to type the password for encryption/decryption.

Secure option

For maximum security, do not save the DOTENVENC_PASS not even as an environment variable in your .bashrc. If it is not set, the application will ask for it upon startup before it can proceed to decrypt .env.enc and populate your process.enc.

Step 2: encrypt .env

Note: you will have to repeat this step each time you make changes to a secret in your unencrypted .env and need to reflect it into the encrypted .env.enc.

If your unencrypted secrets file is .env and resides at the root of the project, then simply:

./node_modules/.bin/dotenvenc -e

will prompt you (x2) for an encryption password (unless DOTENVENC_PASS is set) and proceed to generate an encrypted secrets file .env.enc.

And if your unencrypted secrets file is not named the default .env, we have you covered:

./node_modules/.bin/dotenvenc -e -i /path/to/my/secrets-env-filename

will prompt you (x2) for an encryption password (unless DOTENVENC_PASS is set) and proceed to generate an encrypted secrets file .env.enc.

And if you don't want to name the encrypted secrets file .env.enc, we also have you covered:

./node_modules/.bin/dotenvenc -e -i /path/to/my/secrets-env-filename -o /another/place/to/my/encrypted-secrets-env-filename

will prompt you (x2) for an encryption password (unless DOTENVENC_PASS is set) and proceed to generate an encrypted secrets file /another/place/to/my/encrypted-secrets-env-filename.

Decryption

Let's assume the contents of the .env that you encrypted into .env.enc are:

DB_PASS='superDuperPassword'
SECRET_TOKEN='noMoreSecrets'

For all possible decryption scenarios that follow, the principle is:

  • If you have set env var DOTENVENC_PASS, no additional step is needed
  • If you have not set env var DOTENVENC_PASS, you will be prompted to supply the decryption password before proceeding

You can now populate the process.env in your app's code as follows:

require('dotenvenc').decrypt();
// From here on your app will have access to the secrets through `process.env.DB_PASS` and `process.env.SECRET_TOKEN`

or in ES6:

import { decrypt } from 'dotenvenc';
decrypt();
// From here on your app will have access to the secrets through `process.env.DB_PASS` and `process.env.SECRET_TOKEN`

If you used a custom encrypted filename:

require('dotenvenc').decrypt({ encryptedFile: './somewhere/.secrets.custom.enc'});
// From here on your app will have access to the secrets through `process.env.DB_PASS` and `process.env.SECRET_TOKEN`

or in ES6:

import { decrypt } from 'dotenvenc';
decrypt({ encryptedFile: './somewhere/.secrets.custom.enc'});
// From here on your app will have access to the secrets through `process.env.DB_PASS` and `process.env.SECRET_TOKEN`

Recovery of unencrypted secrets file

You want to decrypt and view the contents of your encrypted secrets file? A new team member wants to recreate the .env upon checkout of the project? (remember that .env is an unversioned file) Or you want to recreate the .env because it got lost or corrupted?

You can use the same handy command-line dotenvenc you used to initially encrypt your unencrypted .env secrets file.

Using the script's -d flag:

./node_modules/.bin/dotenvenc -d

or if you used custom name instead of the default .env.enc:

./node_modules/.bin/dotenvenc -d -i ./somewhere/.secrets.custom.enc

In both cases you will be prompted to provide the password that was used to create the encrypted file (if DOTENVENC_PASS is not set) and, assuming the password is correct, you will have the contents printed on the screen in the format:

VAR1=VALUE1
VAR2=VALUE2
...

Bonus

You can dump the contents of your encrypted secrets file as shell export statements.

Using the script's -x flag:

./node_modules/.bin/dotenvenc -x -i ./somewhere/.secrets.custom.enc

This will print on console:

export VAR1=VALUE1;
export VAR2=VALUE2;

How is that useful?

Using the shell's eval in a shell script you can populate your environment dynamically without ever storing the sensitive information on disk.

eval `./node_modules/.bin/dotenvenc -x`
# all commands following in the script will now have access to the env variables

Comments

Anything following a # sign in the .env file, is stripped. That means you can have full line comments:

# the whole line is a comments because it start with a "#"

or inline comments:

VAR="a value" # text before the "#" is kept; text following the "#" is stripped

Inspired by