MCPcopy Index your code
hub / github.com/anvie/envcrypt

github.com/anvie/envcrypt @v0.2.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.0 ↗ · + Follow
139 symbols 482 edges 15 files 27 documented · 19%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

envcrypt

Secure your .env files from accidental leaks.

.env files often contain sensitive secrets like API keys, database credentials, and tokens. In plain text, these are vulnerable to accidental exposure, a misplaced git add, a screen share, or an AI coding agent reading your project files can all leak secrets unintentionally.

Envcrypt solves this by encrypting your .env values in place. The workflow is simple:

  1. Encrypt your .env file using the envcrypt CLI tool
  2. Read encrypted values directly in your application — decryption happens transparently at runtime

This is especially useful in the era of agentic coding, where AI assistants routinely read project files. With envcrypt, your .env file can stay in your project directory without exposing raw secrets to any tool or agent that accesses it.

Features

  • AES-256-GCM encryption (authenticated encryption)
  • Encrypted values prefixed with encrypted: for easy identification
  • CLI tool for encrypting/decrypting .env files
  • Libraries for Rust, TypeScript/JavaScript, and Python
  • Cross-language compatibility — files encrypted with the CLI can be loaded from any supported language
  • Key stored in ~/.envcrypt.yaml

Project Structure

envcrypt/
├── cli/                  # CLI tool (Rust)
└── libs/
    ├── rust/             # Rust library (envcrypt-lib)
    ├── typescript/       # TypeScript/JavaScript library
    └── python/           # Python library

Installation

CLI

cargo install --path cli

Libraries

  • Rust: envcrypt-lib = { path = "libs/rust" } in your Cargo.toml
  • TypeScript/JavaScript: npm install envcrypt
  • Python: pip install envcrypt

See each library's README for detailed usage: - Rust library - TypeScript library - Python library

CLI Usage

Initialize (first time)

# Generate random key
envcrypt init --generate

# Or provide your own key (64 hex chars = 32 bytes)
envcrypt init --key "your-64-character-hex-key-here..."

Encrypt a .env file

# Output to stdout
envcrypt encrypt .env

# Output to file
envcrypt encrypt .env -o .env.encrypted

# Modify in-place
envcrypt encrypt .env --in-place

Decrypt a .env file

# Output to stdout
envcrypt decrypt .env.encrypted

# Output to file
envcrypt decrypt .env.encrypted -o .env

# Modify in-place
envcrypt decrypt .env.encrypted --in-place

Encrypt/decrypt single values

envcrypt encrypt-value "my-secret"
# Output: encrypted:base64...

envcrypt decrypt-value "encrypted:base64..."
# Output: my-secret

Check status

envcrypt status

Quick Start (Library)

Rust

use envcrypt_lib::EnvcryptLoader;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let loader = EnvcryptLoader::from_config(None)?;
    loader.load(".env")?;
    let db_url = std::env::var("DATABASE_URL")?;
    Ok(())
}

TypeScript

import { loadFromConfig } from "envcrypt";

loadFromConfig(".env");
console.log(process.env.DATABASE_URL);

Python

import envcrypt
import os

envcrypt.load(".env")
db_url = os.environ["DATABASE_URL"]

.env File Format

# Comments are preserved
DATABASE_URL=encrypted:base64encodeddata...
API_KEY=encrypted:base64encodeddata...
PLAIN_VALUE=this-is-not-encrypted

Encrypted values have the encrypted: prefix. Plain values are passed through as-is.

Security

  • Algorithm: AES-256-GCM (authenticated encryption with associated data)
  • Nonce: 12 bytes, randomly generated per encryption
  • Key: 32 bytes (256 bits), stored in config file
  • Format: encrypted:<base64(nonce + ciphertext + tag)>

Config File

Location: ~/.envcrypt.yaml

key: "64-character-hex-encoded-key..."

License

MIT

Core symbols most depended-on inside this repo

create_loader
called by 24
libs/rust/src/lib.rs
encrypt
called by 18
libs/typescript/src/loader.ts
encrypt
called by 17
libs/rust/src/lib.rs
decrypt
called by 16
libs/typescript/src/loader.ts
encrypt
called by 15
libs/python/envcrypt/loader.py
decrypt
called by 15
libs/python/envcrypt/loader.py
decrypt
called by 14
libs/rust/src/lib.rs
from_key
called by 11
libs/python/envcrypt/loader.py

Shape

Method 67
Function 53
Class 17
Enum 2

Languages

Rust46%
Python40%
TypeScript14%

Modules by API surface

libs/rust/src/lib.rs54 symbols
libs/python/tests/test_loader.py42 symbols
libs/typescript/src/loader.ts14 symbols
libs/python/envcrypt/loader.py14 symbols
cli/src/main.rs10 symbols
libs/typescript/src/errors.ts3 symbols
libs/typescript/tests/loader.test.ts1 symbols
libs/typescript/src/parser.ts1 symbols

For agents

$ claude mcp add envcrypt \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact