🔐 senv


A simple CLI tool for encrypting and decrypting .env files.

Features:

- 🔒 Encrypt and decrypt .env files so they can be securely tracked in Git
- 👀 .env file changes are easily visible during code review
- 🔢 Supports multiple .env files for different environment configurations
- 🎮 Supports encryption and decryption via CLI tool
- 🚢 Easy to configure for use with a CI system

Installation:

$ yarn global add senv

or

$ npm install -g senv

Basic Usage

#### Setup your encryption key
``
$ echo "your_password_here" >> .env.pass
`

#### Encrypt a plain text .env file:
`
$ senv encrypt .env -o .env.enc
`

#### Decrypt an encrypted .env file:
`
$ senv decrypt .env.enc -o .env
`




Passwords

There are several ways to store your passwords, depending on what works best with
your project's existing setup.

#### One password for all .env files
To configure senv to use a single password for all .env files you have two options:

1) Set the DOTENV_PASS environment variable in your ~/.bash_profile:
`
$ export DOTENV_PASS=your_password_here
`

2) Create a file named .env.pass in the same directory as your .env file:
`
$ echo "your_password_here" >> .env.pass
`

If both an environment variable and a password file are present, senv will default to using the
environment variable.

#### One password for each .env file
senv will look for and use an environment variables or password file for each .env file based
on the filename that is passed in, like so:

`
$ senv encrypt .env # Looks for $DOTENV_PASS or .env.pass
$ senv encrypt .env.prod # Looks for $DOTENV_PROD_PASS or .env.prod.pass

$ senv decrypt .env.prod.enc # Looks for $DOTENV_PROD_PASS or .env.prod.pass
$ senv decrypt .env.prod.encrypted # Looks for $DOTENV_PROD_PASS or .env.prod.pass
$ senv decrypt .env.prod.suffix # Looks for $DOTENV_PROD_SUFFIX_PASS or .env.prod.suffix.pass
`

If both an environment variable and a password file are present for an individual .env file,
senv will default to using the environment variable.

#### CLI Argument (insecure)
You can also pass in your password as a command line argument, like so:
`
$ senv encrypt .env -p your_password_here
`

However, this method is insecure and should not be your first choice.

Advanced Usage

#### Update encrypted .env file on each commit:
`
$ echo "#!/bin/sh" >> .git/hooks/pre-commit
$ echo "senv encrypt .env -o .env.enc" >> .git/hooks/pre-commit
$ chmod +x .git/hooks/pre-commit
`

#### Decrypt .env.env file in CI pipeline:
- Add $DOTENV_PASS or individual file environment variable via UI

Why?

Everyone knows it's bad practice to store plaintext secrets in git. Often the alternatives are unecessarily complex for small projects (e.g. Hashicorp Vault), or are a pain to manage (e.g. passing around .env files among developers via slack or email 🤮).

This tool makes it easy to encrypt and decrypt any .env files so they can be securely tracked in Git.

There are several other great libraries that support encryption of environment variables (encrypt-env, secure-env, etc), but none fit our use case well (managing secrets in .env files with react-native-config`) for one reason or another.

So I created this tool. Hope it helps someone else out 😊.