npm - @dotenvx/dotenvx - Versions diffs - 0.37.0 → 0.38.0 - Mend

@dotenvx/dotenvx 0.37.0 → 0.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/README.md +69 -183
package/package.json +2 -1
package/src/cli/actions/set.js +7 -2
package/src/cli/actions/{decrypt.js → vault/decrypt.js} +4 -4
package/src/cli/actions/{encrypt.js → vault/encrypt.js} +5 -5
package/src/cli/actions/{status.js → vault/status.js} +13 -3
package/src/cli/commands/hub.js +43 -7
package/src/cli/commands/vault.js +31 -0
package/src/cli/dotenvx.js +41 -22
package/src/lib/helpers/decryptValue.js +29 -0
package/src/lib/helpers/encryptValue.js +12 -0
package/src/lib/helpers/findOrCreatePublicKey.js +80 -0
package/src/lib/helpers/guessEnvironment.js +1 -0
package/src/lib/helpers/guessPrivateKeyFilename.js +15 -0
package/src/lib/helpers/guessPrivateKeyName.js +18 -0
package/src/lib/helpers/guessPublicKeyName.js +18 -0
package/src/lib/helpers/keyPair.js +15 -0
package/src/lib/helpers/{parseExpandAndEval.js → parseDecryptEvalExpand.js} +14 -2
package/src/lib/helpers/replace.js +26 -0
package/src/lib/helpers/smartDotenvPrivateKey.js +30 -0
package/src/lib/main.js +2 -2
package/src/lib/services/run.js +26 -4
package/src/lib/services/sets.js +21 -29
package/src/lib/services/status.js +11 -2

package/README.md CHANGED Viewed

@@ -490,230 +490,99 @@ More examples
   Available log levels are `error, warn, info, verbose, debug, silly`
   </details>
+* <details><summary>`--convention` flag</summary><br>
-&nbsp;
-## Encryption
-> Encrypt your secrets to a `.env.vault` file and load from it (recommended for production and ci).
-```sh
-$ echo "HELLO=World" > .env
-$ echo "HELLO=production" > .env.production
-$ echo "console.log('Hello ' + process.env.HELLO)" > index.js
-$ dotenvx encrypt
-[dotenvx][info] encrypted to .env.vault (.env,.env.production)
-[dotenvx][info] keys added to .env.keys (DOTENV_KEY_PRODUCTION,DOTENV_KEY_PRODUCTION)
-$ DOTENV_KEY='<dotenv_key_production>' dotenvx run -- node index.js
-[dotenvx][info] loading env (1) from encrypted .env.vault
-Hello production
-^ :-]
-```
-More examples
-* <details><summary>AWS Lambda</summary><br>
-  ```sh
-  coming soon
-  ```
-  </details>
-* <details><summary>Digital Ocean</summary><br>
-  ```sh
-  coming soon
-  ```
-  </details>
-* <details><summary>Docker 🐳</summary><br>
-  > Add the `dotenvx` binary to your Dockerfile
-  ```sh
-  # Install dotenvx
-  RUN curl -fsS https://dotenvx.sh/ | sh
-  ```
-  > Use it in your Dockerfile CMD
+  Want to load envs conveniently usng the same convention as Next.js? Set `--convention` to `nextjs`:
   ```sh
-  # Prepend dotenvx run
-  CMD ["dotenvx", "run", "--", "node", "index.js"]
-  ```
-  see [docker guide](https://dotenvx.com/docs/platforms/docker)
-  </details>
-* <details><summary>Fly.io 🎈</summary><br>
-  > Add the `dotenvx` binary to your Dockerfile
+  $ echo "HELLO=development local" > .env.development.local
+  $ echo "HELLO=local" > .env.local
+  $ echo "HELLO=development" > .env.development
+  $ echo "HELLO=env" > .env
-  ```sh
-  # Install dotenvx
-  RUN curl -fsS https://dotenvx.sh/ | sh
+  $ dotenvx run --convention=nextjs -- node index.js
+  Hello development local
   ```
-  > Use it in your Dockerfile CMD
-  ```sh
-  # Prepend dotenvx run
-  CMD ["dotenvx", "run", "--", "node", "index.js"]
-  ```
+  See [next.js environment variable load order](https://nextjs.org/docs/pages/building-your-application/configuring/environment-variables#environment-variable-load-order)
-  see [fly guide](https://dotenvx.com/docs/platforms/fly)
+  (more conventions available upon request)
   </details>
-* <details><summary>Heroku 🟣</summary><br>
-  > Add the buildpack, installing the `dotenvx` binary to your heroku deployment.
-  ```sh
-  heroku buildpacks:add https://github.com/dotenvx/heroku-buildpack-dotenvx
-  ```
-  > Use it in your Procfile.
-  ```sh
-  web: dotenvx run -- node index.js
-  ```
+&nbsp;
-  see [heroku guide](https://dotenvx.com/docs/platforms/heroku)
+## Encryption
-  </details>
+> Add encryption to your `.env` files with a single command. Pass the `--encrypt` flag.
-* <details><summary>Laravel Forge</summary><br>
+```sh
+$ dotenvx set HELLO World --encrypt
+set HELLO with encryption (.env)
+```
-  ```sh
-  coming soon
-  ```
+![](https://github.com/dotenvx/dotenvx/assets/3848/21f7a529-7a40-44e4-87d4-a72e1637b702)
-  </details>
+> A `DOTENV_PUBLIC_KEY` (encryption key) and a `DOTENV_PRIVATE_KEY` (decryption key) is generated using the same public-key cryptography as [Bitcoin](https://en.bitcoin.it/wiki/Secp256k1).
-* <details><summary>Netlify 🔷</summary><br>
+More examples
-  > Add the `dotenvx` npm module
+* <details><summary>`.env`</summary><br>
   ```sh
-  npm install @dotenvx/dotenvx --save
-  ```
-  > Use it in your `package.json scripts`
-  ```json
-  "scripts": {
-    "dotenvx": "dotenvx",
-    "dev": "dotenvx run -- next dev --turbo",
-    "build": "dotenvx run -- next build",
-    "start": "dotenvx run -- next start"
-  },
-  ```
-  see [netlify guide](https://dotenvx.com/docs/platforms/netlify)
-  </details>
-* <details><summary>Railway 🚄</summary><br>
-  > Add the `dotenvx` binary to your Dockerfile
+  $ dotenvx set HELLO World --encrypt
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
-  ```sh
-  # Install dotenvx
-  RUN curl -fsS https://dotenvx.sh/ | sh
+  $ dotenvx run -- node index.js
+  [dotenvx] injecting env (2) from .env
+  Hello World
   ```
-  > Use it in your Dockerfile CMD
+* <details><summary>`.env.production`</summary><br>
   ```sh
-  # Prepend dotenvx run
-  CMD ["dotenvx", "run", "--", "node", "index.js"]
-  ```
-  see [railway guide](https://dotenvx.com/docs/platforms/railway)
-  </details>
-* <details><summary>Render</summary><br>
+  $ dotenvx set HELLO Production --encrypt -f .env.production
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
-  ```sh
-  coming soon
+  $ DOTENV_PRIVATE_KEY_PRODUCTION="<.env.production private key>" dotenvx run -- node index.js
+  [dotenvx] injecting env (2) from .env.production
+  Hello Production
   ```
-  </details>
-* <details><summary>Vercel ▲</summary><br>
+  Note the `DOTENV_PRIVATE_KEY_PRODUCTION` ends with `_PRODUCTION`. This instructs `dotenvx run` to load the `.env.production` file.
-  > Add the `dotenvx` npm module
+* <details><summary>`.env.ci`</summary><br>
   ```sh
-  npm install @dotenvx/dotenvx --save
-  ```
-  > Use it in your `package.json scripts`
+  $ dotenvx set HELLO Ci --encrypt -f .env.ci
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
-  ```json
-  "scripts": {
-    "dotenvx": "dotenvx",
-    "dev": "dotenvx run -- next dev --turbo",
-    "build": "dotenvx run -- next build",
-    "start": "dotenvx run -- next start"
-  },
+  $ DOTENV_PRIVATE_KEY_CI="<.env.ci private key>" dotenvx run -- node index.js
+  [dotenvx] injecting env (2) from .env.ci
+  Hello Ci
   ```
-  see [vercel guide](https://dotenvx.com/docs/platforms/vercel)
-  </details>
+  Note the `DOTENV_PRIVATE_KEY_CI` ends with `_CI`. This instructs `dotenvx run` to load the `.env.ci` file. See the pattern?
-* <details><summary>CircleCI</summary><br>
+* <details><summary>combine multiple encrypted .env files</summary><br>
   ```sh
-  coming soon
-  ```
-  </details>
-* <details><summary>GitHub Actions 🐙</summary><br>
-  > Add the `dotenvx` binary to GitHub Actions
+  $ dotenvx set HELLO World --encrypt -f .env
+  $ dotenvx set HELLO Production --encrypt -f .env.production
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
-  ```sh
-  name: build
-  on: [push]
-  jobs:
-    build:
-      runs-on: ubuntu-latest
-      steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
-        with:
-          node-version: 16
-      - run: curl -fsS https://dotenvx.sh/ | sh
-      - run: dotenvx run -- node build.js
-        env:
-          DOTENV_KEY: ${{ secrets.DOTENV_KEY }}
+  $ DOTENV_PRIVATE_KEY="<.env private key>" DOTENV_PRIVATE_KEY_PRODUCTION="<.env.production private key>" dotenvx run -- node index.js
+  [dotenvx] injecting env (3) from .env, .env.production
+  Hello World
   ```
-  see [github actions guide](https://dotenvx.com/docs/cis/github-actions)
+  Note the `DOTENV_PRIVATE_KEY` instructs `dotenvx run` to load the `.env` file and the `DOTENV_PRIVATE_KEY_PRODUCTION` instructs it to load the `.env.production` file. See the pattern?
-  </details>
+* <details><summary>other curves</summary><br>
-&nbsp;
-## Hub
-> Integrate tightly with [GitHub](https://github.com) 🐙 and as a team
-```sh
-$ dotenvx hub login
-$ dotenvx hub push
-```
-**beta**: more details coming soon.
+  > `secp256k1` is a well-known and battle tested curve, in use with Bitcoin and other cryptocurrencies, but we are open to adding support for more curves.
+  >
+  > If your organization's compliance department requires [NIST approved curves](https://csrc.nist.gov/projects/elliptic-curve-cryptography) or other curves like `curve25519`, please reach out at [security@dotenvx.com](mailto:security@dotenvx.com).
 &nbsp;
@@ -768,6 +637,23 @@ This fix is easy. Replace `--env-file` with `-f`.
 [more context](https://github.com/dotenvx/dotenvx/issues/131)
+#### What happened to the `.env.vault` file?
+I've decided we should sunset it as a technological solution to this.
+The `.env.vault` file got us far, but it had limitations such as:
+* *Pull Requests* - it was difficult to tell which key had been changed
+* *Security* - there was no mechanism to give a teammate the ability to encrypt without also giving them the ability to decrypt. Sometimes you just want to let a contractor encrypt a new value, but you don't want them to know the rest of the secrets.
+* *Conceptual* - it takes more mental energy to understand the `.env.vault` format. Encrypted values inside a `.env` file is easier to quickly grasp.
+* *Combining Multiple Files* - there was simply no mechanism to do this well with the `.env.vault` file format.
+That said, the `.env.vault` tooling will still stick around for at least 1 year under `dotenvx vault` parent command. I'm still using it in projects as are many thousands of other people.
+#### Will you provide a migration tool to quickly switch `.env.vault` files to encrypted `.env` files?
+Yes. Working on this soon.
 &nbsp;
 ## Contributing

package/package.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "version": "0.37.0",
+  "version": "0.38.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -35,6 +35,7 @@
     "diff": "^5.2.0",
     "dotenv": "^16.4.5",
     "dotenv-expand": "^11.0.6",
+    "eciesjs": "^0.4.6",
     "execa": "^5.1.1",
     "glob": "^10.3.10",
     "ignore": "^5.3.0",

package/src/cli/actions/set.js CHANGED Viewed

@@ -13,7 +13,9 @@ function set (key, value) {
     const {
       processedEnvFiles,
       settableFilepaths
-    } = main.set(key, value, options.envFile)
+    } = main.set(key, value, options.envFile, options.encrypt)
+    let atLeastOneSuccess = false
     for (const processedEnvFile of processedEnvFiles) {
       logger.verbose(`setting for ${processedEnvFile.filepath}`)
@@ -26,12 +28,15 @@ function set (key, value) {
           logger.warn(processedEnvFile.error)
         }
       } else {
+        atLeastOneSuccess = true
         logger.verbose(`${processedEnvFile.key} set`)
         logger.debug(`${processedEnvFile.key} set to ${processedEnvFile.value}`)
       }
     }
-    logger.success(`set ${key} (${settableFilepaths.join(', ')})`)
+    if (atLeastOneSuccess) {
+      logger.success(`set ${key} (${settableFilepaths.join(', ')})`)
+    }
   } catch (error) {
     logger.error(error.message)
     if (error.help) {

package/src/cli/actions/{decrypt.js → vault/decrypt.js} RENAMED Viewed

@@ -1,10 +1,10 @@
 const fs = require('fs')
-const logger = require('./../../shared/logger')
-const createSpinner = require('./../../shared/createSpinner')
-const sleep = require('./../../lib/helpers/sleep')
+const logger = require('./../../../shared/logger')
+const createSpinner = require('./../../../shared/createSpinner')
+const sleep = require('./../../../lib/helpers/sleep')
-const Decrypt = require('./../../lib/services/decrypt')
+const Decrypt = require('./../../../lib/services/decrypt')
 const spinner = createSpinner('decrypting')

package/src/cli/actions/{encrypt.js → vault/encrypt.js} RENAMED Viewed

@@ -1,11 +1,11 @@
 const fs = require('fs')
 const path = require('path')
-const main = require('./../../lib/main')
-const logger = require('./../../shared/logger')
-const createSpinner = require('./../../shared/createSpinner')
-const sleep = require('./../../lib/helpers/sleep')
-const pluralize = require('./../../lib/helpers/pluralize')
+const main = require('./../../../lib/main')
+const logger = require('./../../../shared/logger')
+const createSpinner = require('./../../../shared/createSpinner')
+const sleep = require('./../../../lib/helpers/sleep')
+const pluralize = require('./../../../lib/helpers/pluralize')
 const spinner = createSpinner('encrypting')

package/src/cli/actions/{status.js → vault/status.js} RENAMED Viewed

@@ -1,6 +1,6 @@
-const logger = require('./../../shared/logger')
+const logger = require('./../../../shared/logger')
-const main = require('./../../lib/main')
+const main = require('./../../../lib/main')
 function status (directory) {
   // debug args
@@ -10,10 +10,11 @@ function status (directory) {
   logger.debug(`options: ${JSON.stringify(options)}`)
   try {
-    const { changes, nochanges } = main.status(directory)
+    const { changes, nochanges, untracked } = main.status(directory)
     const changeFilenames = []
     const nochangeFilenames = []
+    const untrackedFilenames = []
     for (const row of nochanges) {
       nochangeFilenames.push(row.filename)
@@ -50,6 +51,15 @@ function status (directory) {
       logger.warn('no .env* files.')
       logger.help('? add one with [echo "HELLO=World" > .env] and then run [dotenvx status]')
     }
+    for (const row of untracked) {
+      untrackedFilenames.push(row.filename)
+    }
+    if (untrackedFilenames.length > 0) {
+      logger.warn(`untracked (${untrackedFilenames.join(', ')})`)
+      logger.help(`? track them with [dotenvx encrypt ${directory}]`)
+    }
   } catch (error) {
     logger.error(error.message)
     if (error.help) {

package/src/cli/commands/hub.js CHANGED Viewed

@@ -1,53 +1,89 @@
 const { Command } = require('commander')
 const store = require('./../../shared/store')
+const logger = require('./../../shared/logger')
 const hub = new Command('hub')
 hub
   .description('interact with dotenvx hub')
+const loginAction = require('./../actions/hub/login')
 hub
   .command('login')
   .description('authenticate to dotenvx hub')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
-  .action(require('./../actions/hub/login'))
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx hub login] will be removed in 1.0.0 release soon')
+    loginAction.apply(this, args)
+  })
+const pushAction = require('./../actions/hub/push')
 hub
   .command('push')
   .description('push .env.keys to dotenvx hub')
   .argument('[directory]', 'directory to push', '.')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
-  .action(require('./../actions/hub/push'))
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx hub push] will be removed in 1.0.0 release soon')
+    pushAction.apply(this, args)
+  })
+const pullAction = require('./../actions/hub/pull')
 hub
   .command('pull')
   .description('pull .env.keys from dotenvx hub')
   .argument('[directory]', 'directory to pull', '.')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
-  .action(require('./../actions/hub/pull'))
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx hub pull] will be removed in 1.0.0 release soon')
+    pullAction.apply(this, args)
+  })
+const openAction = require('./../actions/hub/open')
 hub
   .command('open')
   .description('view repository on dotenvx hub')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
-  .action(require('./../actions/hub/open'))
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx hub open] will be removed in 1.0.0 release soon')
+    openAction.apply(this, args)
+  })
+const tokenAction = require('./../actions/hub/token')
 hub
   .command('token')
   .description('print the auth token dotenvx hub is configured to use')
   .option('-h, --hostname <url>', 'set hostname', 'https://hub.dotenvx.com')
-  .action(require('./../actions/hub/token'))
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx hub token] will be removed in 1.0.0 release soon')
+    tokenAction.apply(this, args)
+  })
+const statusAction = require('./../actions/hub/status')
 hub
   .command('status')
   .description('display logged in user')
-  .action(require('./../actions/hub/status'))
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx hub status] will be removed in 1.0.0 release soon')
+    statusAction.apply(this, args)
+  })
+const logoutAction = require('./../actions/hub/logout')
 hub
   .command('logout')
   .description('log out this machine from dotenvx hub')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
-  .action(require('./../actions/hub/logout'))
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx hub logout] will be removed in 1.0.0 release soon')
+    logoutAction.apply(this, args)
+  })
 module.exports = hub

package/src/cli/commands/vault.js ADDED Viewed

@@ -0,0 +1,31 @@
+const { Command } = require('commander')
+const examples = require('./../examples')
+const vault = new Command('vault')
+vault
+  .description('manage .env.vault files')
+// dotenvx vault encrypt
+vault.command('encrypt')
+  .description('encrypt .env.* to .env.vault')
+  .addHelpText('after', examples.encrypt)
+  .argument('[directory]', 'directory to encrypt', '.')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
+  .action(require('./../actions/vault/encrypt'))
+// dotenvx vault decrypt
+vault.command('decrypt')
+  .description('decrypt .env.vault to .env*')
+  .argument('[directory]', 'directory to decrypt', '.')
+  .option('-e, --environment <environments...>', 'environment(s) to decrypt')
+  .action(require('./../actions/vault/decrypt'))
+// dotenvx vault status
+vault.command('status')
+  .description('compare your .env* content(s) to your .env.vault decrypted content(s)')
+  .argument('[directory]', 'directory to check status against', '.')
+  .action(require('./../actions/vault/status'))
+module.exports = vault

package/src/cli/dotenvx.js CHANGED Viewed

@@ -12,7 +12,7 @@ const packageJson = require('./../lib/helpers/packageJson')
 const notice = new UpdateNotice()
 notice.check()
 if (notice.update) {
-  logger.warn(`Update available ${notice.packageVersion} → ${notice.latestVersion} changelog: https://dotenvx.com/changelog`)
+  logger.warn(`Update available ${notice.packageVersion} → ${notice.latestVersion} 0.38.0 and higher have SIGNIFICANT changes. please read the changelog: https://dotenvx.com/changelog`)
 }
 // for use with run
@@ -99,29 +99,9 @@ program.command('set')
   .argument('KEY', 'KEY')
   .argument('value', 'value')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', '.env')
+  .option('-c, --encrypt', 'encrypt value')
   .action(require('./actions/set'))
-// dotenvx encrypt
-program.command('encrypt')
-  .description('encrypt .env.* to .env.vault')
-  .addHelpText('after', examples.encrypt)
-  .argument('[directory]', 'directory to encrypt', '.')
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
-  .action(require('./actions/encrypt'))
-// dotenvx decrypt
-program.command('decrypt')
-  .description('decrypt .env.vault to .env*')
-  .argument('[directory]', 'directory to decrypt', '.')
-  .option('-e, --environment <environments...>', 'environment(s) to decrypt')
-  .action(require('./actions/decrypt'))
-// dotenvx status
-program.command('status')
-  .description('compare your .env* content(s) to your .env.vault decrypted content(s)')
-  .argument('[directory]', 'directory to check status against', '.')
-  .action(require('./actions/status'))
 // dotenvx genexample
 program.command('genexample')
   .description('generate .env.example')
@@ -167,6 +147,45 @@ program.command('settings')
   .option('-pp, --pretty-print', 'pretty print output')
   .action(require('./actions/settings'))
+// dotenvx encrypt
+const encryptAction = require('./actions/vault/encrypt')
+program.command('encrypt')
+  .description('DEPRECATED: moved to [dotenvx vault encrypt]')
+  .addHelpText('after', examples.encrypt)
+  .argument('[directory]', 'directory to encrypt', '.')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTICE: [dotenvx encrypt] has moved. change your command to [dotenvx vault encrypt]')
+    encryptAction.apply(this, args)
+  })
+// dotenvx decrypt
+const decryptAction = require('./actions/vault/decrypt')
+program.command('decrypt')
+  .description('DEPRECATED: moved to [dotenvx vault decrypt]')
+  .argument('[directory]', 'directory to decrypt', '.')
+  .option('-e, --environment <environments...>', 'environment(s) to decrypt')
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTECE: [dotenvx decrypt] has moved. change your command to [dotenvx vault decrypt]')
+    decryptAction.apply(this, args)
+  })
+// dotenvx status
+const statusAction = require('./actions/vault/status')
+program.command('status')
+  .description('DEPRECATED: moved to [dotenvx vault status]')
+  .argument('[directory]', 'directory to check status against', '.')
+  .action(function (...args) {
+    logger.warn('DEPRECATION NOTICE: [dotenvx status] has moved. change your command to [dotenvx vault status]')
+    statusAction.apply(this, args)
+  })
+// dotenvx vault
+program.addCommand(require('./commands/vault'))
 // dotenvx hub
 program.addCommand(require('./commands/hub'))

package/src/lib/helpers/decryptValue.js ADDED Viewed

@@ -0,0 +1,29 @@
+const { decrypt } = require('eciesjs')
+const PREFIX = 'encrypted:'
+function decryptValue (value, privateKey) {
+  if (!value.startsWith(PREFIX)) {
+    return value
+  }
+  const privateKeys = privateKey.split(',')
+  let decryptedValue
+  for (const key of privateKeys) {
+    const secret = Buffer.from(key, 'hex')
+    const encoded = value.substring(PREFIX.length)
+    const ciphertext = Buffer.from(encoded, 'base64')
+    try {
+      decryptedValue = decrypt(secret, ciphertext).toString()
+      break
+    } catch (_error) {
+      // TODO: somehow surface these errors to the user's logs
+    }
+  }
+  return decryptedValue || value
+}
+module.exports = decryptValue

package/src/lib/helpers/encryptValue.js ADDED Viewed

@@ -0,0 +1,12 @@
+const { encrypt } = require('eciesjs')
+const PREFIX = 'encrypted:'
+function encryptValue (value, publicKey) {
+  const ciphertext = encrypt(publicKey, Buffer.from(value))
+  const encoded = Buffer.from(ciphertext, 'hex').toString('base64') // base64 encode ciphertext
+  return `${PREFIX}${encoded}`
+}
+module.exports = encryptValue

package/src/lib/helpers/findOrCreatePublicKey.js ADDED Viewed

@@ -0,0 +1,80 @@
+const fs = require('fs')
+const path = require('path')
+const dotenv = require('dotenv')
+const keyPair = require('./keyPair')
+const guessPublicKeyName = require('./guessPublicKeyName')
+const guessPrivateKeyName = require('./guessPrivateKeyName')
+const ENCODING = 'utf8'
+function findOrCreatePublicKey (envFilepath, envKeysFilepath) {
+  // filename
+  const filename = path.basename(envFilepath)
+  const publicKeyName = guessPublicKeyName(envFilepath)
+  const privateKeyName = guessPrivateKeyName(envFilepath)
+  // src
+  let envSrc = fs.readFileSync(envFilepath, { encoding: ENCODING })
+  let keysSrc = ''
+  if (fs.existsSync(envKeysFilepath)) {
+    keysSrc = fs.readFileSync(envKeysFilepath, { encoding: ENCODING })
+  }
+  // parsed
+  const envParsed = dotenv.parse(envSrc)
+  const keysParsed = dotenv.parse(keysSrc)
+  // if DOTENV_PUBLIC_KEY_${environment} already present then go no further
+  if (envParsed[publicKeyName] && envParsed[publicKeyName].length > 0) {
+    return {
+      envSrc,
+      keysSrc,
+      publicKey: envParsed[publicKeyName],
+      privateKey: keysParsed[privateKeyName]
+    }
+  }
+  // generate key pair
+  const { publicKey, privateKey } = keyPair()
+  // publicKey
+  const prependPublicKey = [
+    '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
+    '#/            public-key encryption for .env files          /',
+    '#/       [how it works](https://dotenvx.com/encryption)     /',
+    '#/----------------------------------------------------------/',
+    `${publicKeyName}="${publicKey}"`,
+    '',
+    `# ${filename}`
+  ].join('\n')
+  // privateKey
+  const firstTimeKeysSrc = [
+    '#/------------------!DOTENV_PRIVATE_KEYS!-------------------/',
+    '#/ private decryption keys. DO NOT commit to source control /',
+    '#/     [how it works](https://dotenvx.com/encryption)       /',
+    '#/----------------------------------------------------------/'
+  ].join('\n')
+  const appendPrivateKey = [
+    `# ${filename}`,
+    `${privateKeyName}="${privateKey}"`,
+    ''
+  ].join('\n')
+  envSrc = `${prependPublicKey}\n${envSrc}`
+  keysSrc = keysSrc.length > 1 ? keysSrc : `${firstTimeKeysSrc}\n`
+  keysSrc = `${keysSrc}\n${appendPrivateKey}`
+  fs.writeFileSync(envFilepath, envSrc)
+  fs.writeFileSync(envKeysFilepath, keysSrc)
+  return {
+    envSrc,
+    keysSrc,
+    publicKey,
+    privateKey
+  }
+}
+module.exports = findOrCreatePublicKey

package/src/lib/helpers/guessEnvironment.js CHANGED Viewed

@@ -2,6 +2,7 @@ const path = require('path')
 function guessEnvironment (filepath) {
   const filename = path.basename(filepath)
   const parts = filename.split('.')
   const possibleEnvironmentList = [...parts.slice(2)]

package/src/lib/helpers/guessPrivateKeyFilename.js ADDED Viewed

@@ -0,0 +1,15 @@
+const PREFIX = 'DOTENV_PRIVATE_KEY'
+function guessPrivateKeyFilename (privateKeyName) {
+  // .env
+  if (privateKeyName === PREFIX) {
+    return '.env'
+  }
+  const filenameSuffix = privateKeyName.substring(`${PREFIX}_`.length).split('_').join('.').toLowerCase()
+  // .env.ENVIRONMENT
+  return `.env.${filenameSuffix}`
+}
+module.exports = guessPrivateKeyFilename

package/src/lib/helpers/guessPrivateKeyName.js ADDED Viewed

@@ -0,0 +1,18 @@
+const path = require('path')
+const guessEnvironment = require('./guessEnvironment')
+function guessPrivateKeyName (filepath) {
+  const filename = path.basename(filepath).toLowerCase()
+  // .env
+  if (filename === '.env') {
+    return 'DOTENV_PRIVATE_KEY'
+  }
+  // .env.ENVIRONMENT
+  const environment = guessEnvironment(filename)
+  return `DOTENV_PRIVATE_KEY_${environment.toUpperCase()}`
+}
+module.exports = guessPrivateKeyName

package/src/lib/helpers/guessPublicKeyName.js ADDED Viewed

@@ -0,0 +1,18 @@
+const path = require('path')
+const guessEnvironment = require('./guessEnvironment')
+function guessPublicKeyName (filepath) {
+  const filename = path.basename(filepath).toLowerCase()
+  // .env
+  if (filename === '.env') {
+    return 'DOTENV_PUBLIC_KEY'
+  }
+  // .env.ENVIRONMENT
+  const environment = guessEnvironment(filename)
+  return `DOTENV_PUBLIC_KEY_${environment.toUpperCase()}`
+}
+module.exports = guessPublicKeyName

package/src/lib/helpers/keyPair.js ADDED Viewed

@@ -0,0 +1,15 @@
+const { PrivateKey } = require('eciesjs')
+function keyPair () {
+  const kp = new PrivateKey()
+  const publicKey = kp.publicKey.toHex()
+  const privateKey = kp.secret.toString('hex')
+  return {
+    publicKey,
+    privateKey
+  }
+}
+module.exports = keyPair

package/src/lib/helpers/{parseExpandAndEval.js → parseDecryptEvalExpand.js} RENAMED Viewed

@@ -1,11 +1,23 @@
 const dotenv = require('dotenv')
 const dotenvExpand = require('dotenv-expand')
 const dotenvEval = require('./dotenvEval')
+const decryptValue = require('./decryptValue')
-function parseExpandAndEval (src) {
+function parseDecryptEvalExpand (src, privateKey = null) {
   // parse
   const parsed = dotenv.parse(src)
+  // inline decrypt
+  for (const key in parsed) {
+    const value = parsed[key]
+    // handle inline encrypted values
+    if (privateKey && privateKey.length > 0) {
+      // privateKey
+      parsed[key] = decryptValue(value, privateKey)
+    }
+  }
   // eval parsed only. do NOT eval process.env ever. too risky/dangerous.
   const inputParsed = {
     processEnv: {},
@@ -28,4 +40,4 @@ function parseExpandAndEval (src) {
   return result
 }
-module.exports = parseExpandAndEval
+module.exports = parseDecryptEvalExpand

package/src/lib/helpers/replace.js ADDED Viewed

@@ -0,0 +1,26 @@
+const dotenv = require('dotenv')
+function replace (src, key, value) {
+  let output
+  let formatted = `${key}="${value}"`
+  const parsed = dotenv.parse(src)
+  if (Object.prototype.hasOwnProperty.call(parsed, key)) {
+    // replace
+    const regex = new RegExp(`^${key}=.*$`, 'm') // Regular expression to find the key and replace its value
+    output = src.replace(regex, formatted)
+  } else {
+    // append
+    if (src.endsWith('\n')) {
+      formatted = formatted + '\n'
+    } else {
+      formatted = '\n' + formatted
+    }
+    output = src + formatted
+  }
+  return output
+}
+module.exports = replace

package/src/lib/helpers/smartDotenvPrivateKey.js ADDED Viewed

@@ -0,0 +1,30 @@
+const fs = require('fs')
+const path = require('path')
+const dotenv = require('dotenv')
+const guessPrivateKeyName = require('./guessPrivateKeyName')
+function smartDotenvPrivateKey (envFilepath) {
+  const privateKeyName = guessPrivateKeyName(envFilepath) // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
+  // process.env wins
+  if (process.env[privateKeyName] && process.env[privateKeyName].length > 0) {
+    return process.env[privateKeyName]
+  }
+  // fallback to presence of .env.keys - path/to/.env.keys
+  const directory = path.dirname(envFilepath)
+  const envKeysFilepath = path.resolve(directory, '.env.keys')
+  if (fs.existsSync(envKeysFilepath)) {
+    const keysSrc = fs.readFileSync(envKeysFilepath)
+    const keysParsed = dotenv.parse(keysSrc)
+    if (keysParsed[privateKeyName] && keysParsed[privateKeyName].length > 0) {
+      return keysParsed[privateKeyName]
+    }
+  }
+  return null
+}
+module.exports = smartDotenvPrivateKey

package/src/lib/main.js CHANGED Viewed

@@ -58,8 +58,8 @@ const get = function (key, envs = [], overload = false, DOTENV_KEY = '', all = f
   return new Get(key, envs, overload, DOTENV_KEY, all).run()
 }
-const set = function (key, value, envFile) {
-  return new Sets(key, value, envFile).run()
+const set = function (key, value, envFile, encrypt) {
+  return new Sets(key, value, envFile, encrypt).run()
 }
 const status = function (directory) {

package/src/lib/services/run.js CHANGED Viewed

@@ -11,11 +11,14 @@ const DEFAULT_ENV_VAULTS = [{ type: TYPE_ENV_VAULT_FILE, value: '.env.vault' }]
 const inject = require('./../helpers/inject')
 const decrypt = require('./../helpers/decrypt')
-const parseExpandAndEval = require('./../helpers/parseExpandAndEval')
+const parseDecryptEvalExpand = require('./../helpers/parseDecryptEvalExpand')
 const parseEnvironmentFromDotenvKey = require('./../helpers/parseEnvironmentFromDotenvKey')
+const smartDotenvPrivateKey = require('./../helpers/smartDotenvPrivateKey')
+const guessPrivateKeyFilename = require('./../helpers/guessPrivateKeyFilename')
 class Run {
   constructor (envs = [], overload = false, DOTENV_KEY = '', processEnv = process.env) {
+    this.dotenvPrivateKeyNames = Object.keys(processEnv).filter(key => key.startsWith('DOTENV_PRIVATE_KEY')) // important, must be first. used by determineEnvs
     this.envs = this._determineEnvs(envs, DOTENV_KEY)
     this.overload = overload
     this.DOTENV_KEY = DOTENV_KEY
@@ -35,6 +38,7 @@ class Run {
     //   { type: 'envFile', value: '.env' },
     //   { type: 'env', value: 'HELLO=three' }
     // ]
     for (const env of this.envs) {
       if (env.type === TYPE_ENV_VAULT_FILE) {
         this._injectEnvVaultFile(env.value)
@@ -59,7 +63,7 @@ class Run {
     row.string = env
     try {
-      const parsed = parseExpandAndEval(env)
+      const parsed = parseDecryptEvalExpand(env)
       row.parsed = parsed
       this.readableStrings.add(env)
@@ -87,7 +91,9 @@ class Run {
       const src = fs.readFileSync(filepath, { encoding: ENCODING })
       this.readableFilepaths.add(envFilepath)
-      const parsed = parseExpandAndEval(src)
+      // if DOTENV_PRIVATE_KEY_* already set in process.env then use it
+      const privateKey = smartDotenvPrivateKey(envFilepath)
+      const parsed = parseDecryptEvalExpand(src, privateKey)
       row.parsed = parsed
       const { injected, preExisted } = this._inject(this.processEnv, parsed, this.overload)
@@ -156,7 +162,7 @@ class Run {
     try {
       // parse this. it's the equivalent of the .env file
-      const parsed = parseExpandAndEval(decrypted)
+      const parsed = parseDecryptEvalExpand(decrypted)
       row.parsed = parsed
       const { injected, preExisted } = this._inject(this.processEnv, parsed, this.overload)
@@ -177,8 +183,24 @@ class Run {
     return inject(processEnv, parsed, overload)
   }
+  _determineEnvsFromDotenvPrivateKey () {
+    const envs = []
+    for (const privateKeyName of this.dotenvPrivateKeyNames) {
+      const filename = guessPrivateKeyFilename(privateKeyName)
+      envs.push({ type: TYPE_ENV_FILE, value: filename })
+    }
+    return envs
+  }
   _determineEnvs (envs = [], DOTENV_KEY = '') {
     if (!envs || envs.length <= 0) {
+      // if process.env.DOTENV_PRIVATE_KEY or process.env.DOTENV_PRIVATE_KEY_${environment} is set, assume inline encryption methodology
+      if (this.dotenvPrivateKeyNames.length > 0) {
+        return this._determineEnvsFromDotenvPrivateKey()
+      }
       if (DOTENV_KEY.length > 0) {
         // if DOTENV_KEY is set then default to look for .env.vault file
         return DEFAULT_ENV_VAULTS

package/src/lib/services/sets.js CHANGED Viewed

@@ -1,15 +1,20 @@
 const fs = require('fs')
 const path = require('path')
-const dotenv = require('dotenv')
+const findOrCreatePublicKey = require('./../helpers/findOrCreatePublicKey')
+const encryptValue = require('./../helpers/encryptValue')
+const replace = require('./../helpers/replace')
 const ENCODING = 'utf8'
 class Sets {
-  constructor (key, value, envFile = '.env') {
+  constructor (key, value, envFile = '.env', encrypt = false) {
     this.key = key
     this.value = value
     this.envFile = envFile
+    this.encrypt = encrypt
+    this.publicKey = null
     this.processedEnvFiles = []
     this.settableFilepaths = new Set()
   }
@@ -19,21 +24,26 @@ class Sets {
     for (const envFilepath of envFilepaths) {
       const row = {}
       row.key = this.key
-      row.value = this.value
       row.filepath = envFilepath
+      row.value = this.value
       const filepath = path.resolve(envFilepath)
       try {
-        const src = fs.readFileSync(filepath, { encoding: ENCODING })
-        const parsed = dotenv.parse(src)
-        let newSrc
-        if (Object.prototype.hasOwnProperty.call(parsed, this.key)) {
-          newSrc = this._srcReplaced(src)
-        } else {
-          newSrc = this._srcAppended(src)
+        let value = this.value
+        let src = fs.readFileSync(filepath, { encoding: ENCODING })
+        if (this.encrypt) {
+          const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+          const {
+            publicKey,
+            envSrc
+          } = findOrCreatePublicKey(filepath, envKeysFilepath)
+          src = envSrc // overwrite the original read (because findOrCreatePublicKey) rewrite to it
+          value = encryptValue(value, publicKey)
+          row.encryptedValue = value // useful
+          row.publicKey = publicKey
         }
+        const newSrc = replace(src, this.key, value)
         fs.writeFileSync(filepath, newSrc)
         this.settableFilepaths.add(envFilepath)
@@ -64,24 +74,6 @@ class Sets {
     return this.envFile
   }
-  _srcReplaced (src) {
-    // Regular expression to find the key and replace its value
-    const regex = new RegExp(`^${this.key}=.*$`, 'm')
-    return src.replace(regex, `${this.key}="${this.value}"`)
-  }
-  _srcAppended (src) {
-    let formatted = `${this.key}="${this.value}"`
-    if (src.endsWith('\n')) {
-      formatted = formatted + '\n'
-    } else {
-      formatted = '\n' + formatted
-    }
-    return src + formatted
-  }
 }
 module.exports = Sets

package/src/lib/services/status.js CHANGED Viewed

@@ -16,6 +16,7 @@ class Status {
     this.directory = directory
     this.changes = []
     this.nochanges = []
+    this.untracked = [] // not tracked in .env.vault
   }
   run () {
@@ -60,7 +61,14 @@ class Status {
       // grab decrypted
       const { processedEnvs } = new Decrypt(this.directory, row.environment).run()
-      row.decrypted = processedEnvs[0].decrypted
+      const result = processedEnvs[0]
+      // handle warnings
+      row.decrypted = result.decrypted
+      if (result.warning) {
+        this.untracked.push(row)
+        continue
+      }
       // differences
       row.differences = diff.diffWords(row.decrypted, row.raw)
@@ -78,7 +86,8 @@ class Status {
     return {
       changes: this.changes,
-      nochanges: this.nochanges
+      nochanges: this.nochanges,
+      untracked: this.untracked
     }
   }