simple dotenv encrypt tool inspired by yaml_vault

Default cipher is aes-256-cbc. Default sign digest is SHA256.

For MacOS:

git clone https://github.com/acro5piano/dotenv-vault ~/.dotenv-vault
ln -sfnv ~/.dotenv-vault/bin/dotenv-vault /usr/local/bin/dotenv-vault

For Linux:

git clone https://github.com/acro5piano/dotenv-vault ~/.dotenv-vault
sudo ln -sfnv ~/.dotenv-vault/bin/dotenv-vault /usr/bin/dotenv-vault

dotenv-vault requires the following:

• Bash >= 2
• Openssl >= 2
• Perl >= 5

Almost all machine does not need any additional installation process.

Input file (.env):

NODE_ENV=development
API_KEY=123456789

Command:

$ dotenv-vault -e API_KEY -k foobarbaz encrypt .env

where -e specify the key you encrypt.

Output:

NODE_ENV=development
API_KEY=U2FsdGVkX186T6zdupR27pXHO0Hdnz9rqZfVdgqBEqk=

Input file (.env.encrypted):

NODE_ENV=development
API_KEY=U2FsdGVkX186T6zdupR27pXHO0Hdnz9rqZfVdgqBEqk=

Command:

$ dotenv-vault -e API_KEY -k foobarbaz decrypt .env

Output:

NODE_ENV=development
API_KEY=123456789

dotenv-vault create command is convenient to create new entry:

$ bin/dotenv-vault -k foobarbaz create 'SOME_KEY=123456'

# => SOME_KEY=U2FsdGVkX18tEclKImEV30HSG0b7IOu3dyO3MpceCd4=

You can paste or redirect to register new entry like this:

$ bin/dotenv-vault -k foobarbaz create 'SOME_KEY=123456' >> .env

• -k specify password
• -e specify the key to encrypt or decrypt. You can use Regular Expression like -e 'A_KEY|ANOTHER_KEY|SECRET_.*'

• If -k option present, use it as password.
• If DOTENV_PASSWORD environment variable present, use it as password.
• If .dotenv-password file present, use the content of the file as password.
• Else, dotenv-vault ask you at runtime.

Note you must not include the .dotenv-password file to any repo.

cd ~/.dotenv-vault
git pull origin master

After checking out the repo, run make to run all tests.

• Add .dotenv-password to save the password
• Add auth methods
  • AWS KMS
  • GCP KMS