Show Menu
Cheatography

Dotenvx encrypts your .env files–limiting their attack vector while retaining their benefits.

Create­/List key pairs

dotenvx init
Create .env and .env.keys in current directory
dotenv -p test init
Create .env.test and .env.keys for test profile
dotenvx init -g
Create $HOME/.en­v.keys for global profiles
dotenvx keypair
Validate and print key pair for .env
dotenvx -p test keypair
Validate ad print key pair for .env.test
dotenvx keypair --all
List all global key pairs
dotenvx keypair --import
Import private key
Please use 'cargo binstall dotenv­x-rs' to install dotenvx or download it from https:­//g­ith­ub.c­om­/li­nux­-ch­ina­/do­ten­vx-­rs/­rel­eases

encrypt and decrypt for .env files

dotenvx encrypt
Encrypt .env file
dotenvx -p test encrypt
Encrypt .env.test file
dotenvx encrypt --sign
Encrypt and sign .env file
dotenvx verify
Verify the .env file with public key and sign header in the file
dotenvx decrypt
Decrypt .env file
dotenvx -p test decrypt
Decrypt .env.test file
dotenvx decrypt --stdout
Read .env file and print the decrypted items to stdout
dotenvx decrypt --dump
Decrypt .env file and output entries to stdout with JSON format
You can sign an .env file. If somebody modify the .env file, and verifi­cation will be failed.

.env file example

# ---
# uuid: f7580ac5-0b24-4385-b3ff-819225b687f3
# name: input your name here
# group: demo
# ---

DOTENV_PUBLIC_KEY="02b497...."

# Environment variables. MAKE SURE to ENCRYPT them before committing to source control
HELLO=encrypted:base64_text

.env.key file example

# ---
# uuid: 8499c5c3-cee3-4c94-99a4-9c86b2ed5dd9
# name: input your name here
# group: demo
# ---

#  Private decryption keys. DO NOT commit to source control
DOTENV_PRIVATE_KEY=9e7018-hex-text
DOTENV_PRIVATE_KEY_EXAMPLE=a3d15-hex-text

GitHub Actions setup

jobs:
  dotenvx-demo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: linux-china/setup-dotenvx@main
      - run: npm install
      - run: $HOME/.cargo/bin/dotenvx run -- node index.js
        env:
          DOTENV_PRIVATE_KEY: ${{ secrets.DOTENV_PRIVATE_KEY }}
Please add 
DOTENV­_PR­IVA­TE_KEY
secret to the 
Repository secrets
first.
If you use act for local GitHub Actions test, please use 
act -j dotenv­x-demo --secr­et-file .env.keys
.
  

Get/Set item from .env file

dotenvx get admin
Get 
ADMIN
value from .env file
dotenvx get
GET all key/value pairs from .env file
dotenvx set admin Jackie
SET 
ADMIN
to 
Jackie
in .env file
dotenvx set admin -
SET 
ADMIN
from input
dotenvx set privat­e_key - < ./priv­ate.pem
Set 
privat­e_key
from text of privat­e.pem file
Please press Ctrl+D on Linux/­macOS or Ctrl+Z on Windows to finish input.

Switch profile

dotenvx -p test
Change profile to test
dotenvx encrypt -f .env.test
Change profile to test by .env file name
NODE_E­NV=test dotenvx encrypt
Change profile to test by envrio­nment
profile's enviro­nment variable names: NODE_ENV, RUN_ENV, APP_ENV, SPRING­_PR­OFI­LES­_AC­TIVE.

Run command with .env support

dotenvx run -- ./demo.sh
Inject env variables from .env and run ./demo.sh
dotenvx -f prod run -- ./demo.sh
Inject env variables from .env.prod and run ./demo.sh
dotenvx run -- echo '$HELLO'
Inject env variables from .env to run command line
dotenvx -c 'echo $HELLO'
Inject env variables from .env and run commad line
Please use single quote to wrap variables from .env file.

Rotate key pair for project

dotenvx rotate
Rotate key pair for .env file
dotenvx -p prod rotate
Rotate key pair for .env.prod file
dotenvx rotate -f .env.prod
Rotate key pair for .env.prod file

Global private key management

dotenvx init --global
Generate global private keys in $HOME/.en­v.keys
dotenvx --seal
Encrypt $HOME/.en­v.keys, $HOME/.do­ten­vx/.en­v.k­ey.json with your password
dotenvx --unseal
Decrypt $HOME/.en­v.k­eys.aes, $HOME/.do­ten­vx/.en­v.k­eys.js­on.aes with password

Misc

eval $(dotenvx decrypt --export)
Export .env items to enviro­nment variables
eval $(dotenvx get hello --format shell)
Export HELLO from .env items as enviro­nment variable
dotenvx ls
List all .env file from current directory recurs­ively
dotenvx -f test ls
List all .env.test file from current directory recurs­ively
dotenvx diff key1,key2
Disply keys' values between all .env files
dotenvx diff key1,key2 --format csv
Disply keys' values between all .env files by csv
Tips: if you use direnv, and you can add "eval $(dotenvx decrypt --expo­rt)­" to the .envrc file to automa­tically load .env as the enviro­nment variables when you enter the directory.
   
 

Metadata

  • Languages:
  • Published: 24th July, 2025
  • Last Updated: 6th August, 2025

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

            Netflix Secret Codes Infographic by BonusVPN

          More Cheat Sheets by linux_china

          Justfile Cheat Sheet
          JBang Cheat Sheet
          httpx Cheat Sheet