@dotenvx/dotenvx 1.29.0 → 1.30.1

package/CHANGELOG.md

@@ -2,7 +2,36 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.29.0...main)
+[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.30.1...main)
+
+## [1.30.1](https://github.com/dotenvx/dotenvx/compare/v1.30.0...v1.30.1)
+
+### Added
+
+* support complex command substitution combining variable expansion ([#490](https://github.com/dotenvx/dotenvx/pull/490))
+
+## [1.30.0](https://github.com/dotenvx/dotenvx/compare/v1.29.0...v1.30.0)
+
+### Added
+
+* add `-fk` (`--env-keys-file`) flag to customize the path to your `.env.keys` file with `run, get, set, encrypt, decrypt, and keypair` 🎉 ([#486](https://github.com/dotenvx/dotenvx/pull/486))
+
+This is great for monorepos. Maintain one `.env.keys` file across all your apps.
+
+```sh
+$ dotenvx encrypt -fk .env.keys -f apps/backend/.env
+$ dotenvx encrypt -fk .env.keys -f apps/frontend/.env
+
+$ tree -a .
+├── .env.keys
+└── apps
+    ├── backend
+    │   └── .env
+    └── frontend
+        └── .env
+
+$ dotenvx get -fk .env.keys -f apps/backend/.env
+```
 
 ## [1.29.0](https://github.com/dotenvx/dotenvx/compare/v1.28.0...v1.29.0)
 

package/README.md

@@ -583,7 +583,7 @@ More examples
   </details>
 * <details><summary>`--log-level` flag</summary><br>
 
-  Set `--log-level` to whatever you wish. For example, to supress warnings (risky), set log level to `error`:
+  Set `--log-level` to whatever you wish. For example, to suppress warnings (risky), set log level to `error`:
 
   ```sh
   $ echo "HELLO=production" > .env.production
@@ -956,7 +956,7 @@ More examples
   </details>
 * <details><summary>`run --log-level`</summary><br>
 
-  Set `--log-level` to whatever you wish. For example, to supress warnings (risky), set log level to `error`:
+  Set `--log-level` to whatever you wish. For example, to suppress warnings (risky), set log level to `error`:
 
   ```sh
   $ echo "HELLO=production" > .env.production
@@ -1014,6 +1014,19 @@ More examples
 
   (more conventions available upon request)
 
+  </details>
+* <details><summary>`run -fk`</summary><br>
+
+  Specify path to `.env.keys`. This is useful with monorepos.
+
+  ```sh
+  $ mkdir -p apps/app1
+  $ touch apps/app1/.env
+  $ dotenvx set HELLO world -fk .env.keys -f apps/app1/.env
+
+  $ dotenvx run -fk .env.keys -f apps/app1/.env -- yourcommand
+  ```
+
   </details>
 * <details><summary>`get KEY`</summary><br>
 
@@ -1039,6 +1052,20 @@ More examples
   production
   ```
 
+  </details>
+* <details><summary>`get KEY -fk`</summary><br>
+
+  Specify path to `.env.keys`. This is useful with monorepos.
+
+  ```sh
+  $ mkdir -p apps/app1
+  $ touch apps/app1/.env
+  $ dotenvx set HELLO world -fk .env.keys -f apps/app1/.env
+
+  $ dotenvx get HELLO -fk .env.keys -f apps/app1/.env
+  world
+  ```
+
   </details>
 * <details><summary>`get KEY --env`</summary><br>
 
@@ -1212,6 +1239,32 @@ More examples
   set HELLO with encryption (.env.production)
   ```
 
+  </details>
+* <details><summary>`set KEY value -fk`</summary><br>
+
+  Specify path to `.env.keys`. This is useful with monorepos.
+
+  ```sh
+  $ mkdir -p apps/app1
+  $ touch apps/app1/.env
+
+  $ dotenvx set HELLO world -fk .env.keys -f apps/app1/.env
+  set HELLO with encryption (.env)
+  ```
+
+  Put it to use.
+
+  ```sh
+  $ dotenvx get -fk .env.keys -f apps/app1/.env
+  ```
+
+  Use it with a relative path.
+
+  ```sh
+  $ cd apps/app1
+  $ dotenvx get -fk ../../.env.keys -f .env
+  ```
+
   </details>
 * <details><summary>`set KEY "value with spaces"`</summary><br>
 
@@ -1279,6 +1332,32 @@ More examples
   ⮕  next run [DOTENV_PRIVATE_KEY='bff...bc4' dotenvx run -- yourcommand] to test decryption locally
   ```
 
+  </details>
+* <details><summary>`encrypt -fk`</summary><br>
+
+  Specify path to `.env.keys`. This is useful with monorepos.
+
+  ```sh
+  $ mkdir -p apps/app1
+  $ echo "HELLO=World" > apps/app1/.env
+
+  $ dotenvx encrypt -fk .env.keys -f apps/app1/.env
+  ✔ encrypted (apps/app1/.env)
+  ```
+
+  Put it to use.
+
+  ```sh
+  $ dotenvx run -fk .env.keys -f apps/app1/.env
+  ```
+
+  Use with a relative path.
+
+  ```sh
+  $ cd apps/app1
+  $ dotenvx run -fk ../../.env.keys -f .env
+  ```
+
   </details>
 * <details><summary>`encrypt -k`</summary><br>
 
@@ -1373,6 +1452,21 @@ More examples
   ✔ decrypted (.env.production)
   ```
 
+  </details>
+* <details><summary>`decrypt -fk`</summary><br>
+
+  Specify path to `.env.keys`. This is useful with monorepos.
+
+  ```sh
+  $ mkdir -p apps/app1
+  $ echo "HELLO=World" > apps/app1/.env
+
+  $ dotenvx encrypt -fk .env.keys -f apps/app1/.env
+  ✔ encrypted (apps/app1/.env)
+  $ dotenvx decrypt -fk .env.keys -f apps/app1/.env
+  ✔ decrypted (apps/app1/.env)
+  ```
+
   </details>
 * <details><summary>`decrypt -k`</summary><br>
 
@@ -1455,7 +1549,7 @@ More examples
   ```
 
   </details>
-* <details><summary>`keypair -f .env.production`</summary><br>
+* <details><summary>`keypair -f`</summary><br>
 
   Print public/private keys for `.env.production` file.
 
@@ -1467,6 +1561,20 @@ More examples
   {"DOTENV_PUBLIC_KEY_PRODUCTION":"<publicKey>","DOTENV_PRIVATE_KEY_PRODUCTION":"<privateKey>"}
   ```
 
+  </details>
+* <details><summary>`keypair -fk`</summary><br>
+
+  Specify path to `.env.keys`. This is useful for printing public/private keys for monorepos.
+
+  ```sh
+  $ mkdir -p apps/app1
+  $ echo "HELLO=World" > apps/app1/.env
+  $ dotenvx encrypt -fk .env.keys -f apps/app1/.env
+
+  $ dotenvx keypair -fk .env.keys -f apps/app1/.env
+  {"DOTENV_PUBLIC_KEY":"<publicKey>","DOTENV_PRIVATE_KEY":"<privateKey>"}
+  ```
+
   </details>
 * <details><summary>`keypair DOTENV_PRIVATE_KEY`</summary><br>
 
@@ -1904,6 +2012,21 @@ More examples
   Hello World
   ```
 
+  </details>
+* <details><summary>`config(envKeysFile:)` - envKeysFile</summary><br>
+
+  Use `envKeysFile` to customize the path to your `.env.keys` file. This is useful with monorepos.
+
+  ```ini
+  # .env
+  HELLO="World"
+  ```
+
+  ```js
+  // index.js
+  require('@dotenvx/dotenvx').config({envKeysFile: '../../.env.keys'})
+  ```
+
   </details>
 * <details><summary>`parse(src)`</summary><br>
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.29.0",
+  "version": "1.30.1",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/cli/actions/decrypt.js

@@ -17,12 +17,15 @@ function decrypt () {
   if (options.stdout) {
     const {
       processedEnvs
-    } = new Decrypt(envs, options.key, options.excludeKey).run()
+    } = new Decrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
 
     for (const processedEnv of processedEnvs) {
       if (processedEnv.error) {
         errorCount += 1
         console.error(processedEnv.error.message)
+        if (processedEnv.error.help) {
+          console.error(processedEnv.error.help)
+        }
       } else {
         console.log(processedEnv.envSrc)
       }
@@ -39,7 +42,7 @@ function decrypt () {
         processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = new Decrypt(envs, options.key, options.excludeKey).run()
+      } = new Decrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
 
       for (const processedEnv of processedEnvs) {
         logger.verbose(`decrypting ${processedEnv.envFilepath} (${processedEnv.filepath})`)
@@ -52,6 +55,9 @@ function decrypt () {
             logger.help(`? add one with [echo "HELLO=World" > ${processedEnv.envFilepath}] and re-run [dotenvx decrypt]`)
           } else {
             console.error(processedEnv.error.message)
+            if (processedEnv.error.help) {
+              console.error(processedEnv.error.help)
+            }
           }
         } else if (processedEnv.changed) {
           fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)

package/src/cli/actions/encrypt.js

@@ -16,7 +16,7 @@ function encrypt () {
   if (options.stdout) {
     const {
       processedEnvs
-    } = new Encrypt(envs, options.key, options.excludeKey).run()
+    } = new Encrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
 
     for (const processedEnv of processedEnvs) {
       console.log(processedEnv.envSrc)
@@ -28,7 +28,7 @@ function encrypt () {
         processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = new Encrypt(envs, options.key, options.excludeKey).run()
+      } = new Encrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
 
       for (const processedEnv of processedEnvs) {
         logger.verbose(`encrypting ${processedEnv.envFilepath} (${processedEnv.filepath})`)

package/src/cli/actions/get.js

@@ -24,7 +24,7 @@ function get (key) {
   }
 
   try {
-    const { parsed, errors } = new Get(key, envs, options.overload, process.env.DOTENV_KEY, options.all).run()
+    const { parsed, errors } = new Get(key, envs, options.overload, process.env.DOTENV_KEY, options.all, options.envKeysFile).run()
 
     for (const error of errors || []) {
       if (options.strict) throw error // throw immediately if strict

package/src/cli/actions/keypair.js

@@ -10,7 +10,7 @@ function keypair (key) {
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 
-  const results = main.keypair(options.envFile, key)
+  const results = main.keypair(options.envFile, key, options.envKeysFile)
 
   if (typeof results === 'object' && results !== null) {
     // inline shell format - env $(dotenvx keypair --format=shell) your-command

package/src/cli/actions/run.js

@@ -45,7 +45,7 @@ async function run () {
       readableStrings,
       readableFilepaths,
       uniqueInjectedKeys
-    } = new Run(envs, options.overload, process.env.DOTENV_KEY).run()
+    } = new Run(envs, options.overload, process.env.DOTENV_KEY, process.env, options.envKeysFile).run()
 
     for (const processedEnv of processedEnvs) {
       if (processedEnv.type === 'envVaultFile') {

package/src/cli/actions/set.js

@@ -21,12 +21,13 @@ function set (key, value) {
 
   try {
     const envs = this.envs
+    const envKeysFilepath = options.envKeysFile
 
     const {
       processedEnvs,
       changedFilepaths,
       unchangedFilepaths
-    } = new Sets(key, value, envs, encrypt).run()
+    } = new Sets(key, value, envs, encrypt, envKeysFilepath).run()
 
     let withEncryption = ''
 
@@ -65,7 +66,7 @@ function set (key, value) {
 
     for (const processedEnv of processedEnvs) {
       if (processedEnv.privateKeyAdded) {
-        logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
+        logger.success(`✔ key added to ${processedEnv.envKeysFilepath} (${processedEnv.privateKeyName})`)
 
         if (!isIgnoringDotenvKeys()) {
           logger.help('⮕  next run [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')

package/src/cli/dotenvx.js

@@ -56,6 +56,7 @@ program.command('run')
   .addHelpText('after', examples.run)
   .option('-e, --env <strings...>', 'environment variable(s) set as string (example: "HELLO=World")', collectEnvs('env'), [])
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
+  .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-fv, --env-vault-file <paths...>', 'path(s) to your .env.vault file(s)', collectEnvs('envVaultFile'), [])
   .option('-o, --overload', 'override existing env variables')
   .option('--strict', 'process.exit(1) on any errors (default: false)', false)
@@ -74,6 +75,7 @@ program.command('get')
   .argument('[KEY]', 'environment variable name')
   .option('-e, --env <strings...>', 'environment variable(s) set as string (example: "HELLO=World")', collectEnvs('env'), [])
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
+  .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-fv, --env-vault-file <paths...>', 'path(s) to your .env.vault file(s)', collectEnvs('envVaultFile'), [])
   .option('-o, --overload', 'override existing env variables')
   .option('--strict', 'process.exit(1) on any errors (default: false)', false)
@@ -97,6 +99,7 @@ program.command('set')
   .argument('KEY', 'KEY')
   .argument('value', 'value')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
+  .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-c, --encrypt', 'encrypt value (default: true)', true)
   .option('-p, --plain', 'store value as plain text', false)
   .action(function (...args) {
@@ -109,6 +112,7 @@ const encryptAction = require('./actions/encrypt')
 program.command('encrypt')
   .description('convert .env file(s) to encrypted .env file(s)')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
+  .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)')
   .option('--stdout', 'send to stdout')
@@ -122,6 +126,7 @@ const decryptAction = require('./actions/decrypt')
 program.command('decrypt')
   .description('convert encrypted .env file(s) to plain .env file(s)')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
+  .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to decrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from decryption (default: none)')
   .option('--stdout', 'send to stdout')
@@ -137,6 +142,7 @@ program.command('keypair')
   .description('print public/private keys for .env file(s)')
   .argument('[KEY]', 'environment variable key name')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
+  .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-pp, --pretty-print', 'pretty print output')
   .option('--format <type>', 'format of the output (json, shell)', 'json')
   .action(keypairAction)

package/src/lib/helpers/findPrivateKey.js

@@ -1,33 +1,18 @@
-const path = require('path')
-const childProcess = require('child_process')
-
 // helpers
 const guessPrivateKeyName = require('./guessPrivateKeyName')
+const ProKeypair = require('./proKeypair')
 
 // services
 const Keypair = require('./../services/keypair')
 
-function findPrivateKey (envFilepath) {
+function findPrivateKey (envFilepath, envKeysFilepath = null) {
+  // use path/to/.env.${environment} to generate privateKeyName
   const privateKeyName = guessPrivateKeyName(envFilepath)
 
-  let privateKey
-  try {
-    // if installed as sibling module
-    const projectRoot = path.resolve(process.cwd())
-    const dotenvxProPath = require.resolve('@dotenvx/dotenvx-pro', { paths: [projectRoot] })
-    const { keypair } = require(dotenvxProPath)
-    privateKey = keypair(envFilepath, privateKeyName)
-  } catch (_e) {
-    try {
-      // if installed as binary cli
-      privateKey = childProcess.execSync(`dotenvx-pro keypair ${privateKeyName} -f ${envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
-    } catch (_e) {
-      // fallback to local KeyPair - smart enough to handle process.env, .env.keys, etc
-      privateKey = new Keypair(envFilepath, privateKeyName).run()
-    }
-  }
+  const proKeypairs = new ProKeypair(envFilepath).run() // TODO: implement custom envKeysFilepath
+  const keypairs = new Keypair(envFilepath, envKeysFilepath).run()
 
-  return privateKey
+  return proKeypairs[privateKeyName] || keypairs[privateKeyName]
 }
 
 module.exports = findPrivateKey

package/src/lib/helpers/findPublicKey.js

@@ -1,8 +1,6 @@
-const path = require('path')
-const childProcess = require('child_process')
-
 // helpers
 const guessPublicKeyName = require('./guessPublicKeyName')
+const ProKeypair = require('./proKeypair')
 
 // services
 const Keypair = require('./../services/keypair')
@@ -10,24 +8,10 @@ const Keypair = require('./../services/keypair')
 function findPublicKey (envFilepath) {
   const publicKeyName = guessPublicKeyName(envFilepath)
 
-  let publicKey
-  try {
-    // if installed as sibling module
-    const projectRoot = path.resolve(process.cwd())
-    const dotenvxProPath = require.resolve('@dotenvx/dotenvx-pro', { paths: [projectRoot] })
-    const { keypair } = require(dotenvxProPath)
-    publicKey = keypair(envFilepath, publicKeyName)
-  } catch (_e) {
-    try {
-      // if installed as binary cli
-      publicKey = childProcess.execSync(`dotenvx-pro keypair ${publicKeyName} -f ${envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
-    } catch (_e) {
-      // fallback to local KeyPair - smart enough to handle process.env, .env.keys, etc
-      publicKey = new Keypair(envFilepath, publicKeyName).run()
-    }
-  }
+  const proKeypairs = new ProKeypair(envFilepath).run()
+  const keypairs = new Keypair(envFilepath).run()
 
-  return publicKey
+  return proKeypairs[publicKeyName] || keypairs[publicKeyName]
 }
 
 module.exports = findPublicKey

package/src/lib/helpers/{keyPair.js → keypair.js}

@@ -1,6 +1,6 @@
 const { PrivateKey } = require('eciesjs')
 
-function keyPair (existingPrivateKey) {
+function keypair (existingPrivateKey) {
   let kp
 
   if (existingPrivateKey) {
@@ -18,4 +18,4 @@ function keyPair (existingPrivateKey) {
   }
 }
 
-module.exports = keyPair
+module.exports = keypair

package/src/lib/helpers/parse.js

@@ -136,10 +136,9 @@ class Parse {
   eval (value) {
     // Match everything between the outermost $() using a regex with non-capturing groups
     const matches = value.match(/\$\(([^)]+(?:\)[^(]*)*)\)/g) || []
-
-    return matches.reduce(function (newValue, match) {
+    return matches.reduce((newValue, match) => {
       const command = match.slice(2, -1) // Extract command by removing $() wrapper
-      const result = chomp(execSync(command).toString()) // execute command
+      const result = chomp(execSync(command, { env: { ...this.processEnv, ...this.runningParsed } }).toString()) // execute command (including runningParsed)
       return newValue.replace(match, result) // Replace match with result
     }, value)
   }

package/src/lib/helpers/proKeypair.js

@@ -0,0 +1,42 @@
+const path = require('path')
+const childProcess = require('child_process')
+
+const guessPrivateKeyName = require('./guessPrivateKeyName')
+const guessPublicKeyName = require('./guessPublicKeyName')
+
+class ProKeypair {
+  constructor (envFilepath) {
+    this.envFilepath = envFilepath
+  }
+
+  run () {
+    let result = {}
+
+    try {
+      // if installed as sibling module
+      const projectRoot = path.resolve(process.cwd())
+      const dotenvxProPath = require.resolve('@dotenvx/dotenvx-pro', { paths: [projectRoot] })
+      const { keypair } = require(dotenvxProPath)
+
+      result = keypair(this.envFilepath)
+    } catch (_e) {
+      try {
+        // if installed as binary cli
+        const output = childProcess.execSync(`dotenvx-pro keypair -f ${this.envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
+
+        result = JSON.parse(output)
+      } catch (_e) {
+        const privateKeyName = guessPrivateKeyName(this.envFilepath)
+        const publicKeyName = guessPublicKeyName(this.envFilepath)
+
+        // match format of dotenvx-pro
+        result[privateKeyName] = null
+        result[publicKeyName] = null
+      }
+    }
+
+    return result
+  }
+}
+
+module.exports = ProKeypair

package/src/lib/helpers/smartDotenvPrivateKey.js

@@ -13,12 +13,14 @@ function searchProcessEnv (privateKeyName) {
   }
 }
 
-function searchKeysFile (privateKeyName, envFilepath) {
-  const directory = path.dirname(envFilepath)
-  const envKeysFilepath = path.resolve(directory, '.env.keys')
+function searchKeysFile (privateKeyName, envFilepath, envKeysFilepath = null) {
+  let keysFilepath = path.resolve(path.dirname(envFilepath), '.env.keys') // typical scenario
+  if (envKeysFilepath) { // user specified -fk flag
+    keysFilepath = path.resolve(envKeysFilepath)
+  }
 
-  if (fsx.existsSync(envKeysFilepath)) {
-    const keysSrc = fsx.readFileX(envKeysFilepath)
+  if (fsx.existsSync(keysFilepath)) {
+    const keysSrc = fsx.readFileX(keysFilepath)
     const keysParsed = dotenv.parse(keysSrc)
 
     if (keysParsed[privateKeyName] && keysParsed[privateKeyName].length > 0) {
@@ -49,7 +51,7 @@ function invertForPrivateKeyName (envFilepath) {
   return null
 }
 
-function smartDotenvPrivateKey (envFilepath) {
+function smartDotenvPrivateKey (envFilepath, envKeysFilepath = null) {
   let privateKey = null
   let privateKeyName = guessPrivateKeyName(envFilepath) // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
 
@@ -60,7 +62,7 @@ function smartDotenvPrivateKey (envFilepath) {
   }
 
   // 2. attempt .env.keys second (path/to/.env.keys)
-  privateKey = searchKeysFile(privateKeyName, envFilepath)
+  privateKey = searchKeysFile(privateKeyName, envFilepath, envKeysFilepath)
   if (privateKey) {
     return privateKey
   }
@@ -75,7 +77,7 @@ function smartDotenvPrivateKey (envFilepath) {
     }
 
     // 3.2. attempt .env.keys second (path/to/.env.keys)
-    privateKey = searchKeysFile(privateKeyName, envFilepath)
+    privateKey = searchKeysFile(privateKeyName, envFilepath, envKeysFilepath)
     if (privateKey) {
       return privateKey
     }

package/src/lib/main.js

@@ -34,6 +34,9 @@ const config = function (options = {}) {
   // strict
   const strict = options.strict
 
+  // envKeysFile
+  const envKeysFile = options.envKeysFile
+
   // DOTENV_KEY (DEPRECATED)
   let DOTENV_KEY = process.env.DOTENV_KEY
   if (options && options.DOTENV_KEY) {
@@ -70,7 +73,7 @@ const config = function (options = {}) {
       processedEnvs,
       readableFilepaths,
       uniqueInjectedKeys
-    } = new Run(envs, overload, DOTENV_KEY, processEnv).run()
+    } = new Run(envs, overload, DOTENV_KEY, processEnv, envKeysFile).run()
 
     let lastError
     /** @type {Record<string, string>} */
@@ -190,8 +193,13 @@ const genexample = function (directory, envFile) {
 }
 
 /** @type {import('./main').keypair} */
-const keypair = function (envFile, key) {
-  return new Keypair(envFile, key).run()
+const keypair = function (envFile, key, envKeysFile = null) {
+  const keypairs = new Keypair(envFile, envKeysFile).run()
+  if (key) {
+    return keypairs[key]
+  } else {
+    return keypairs
+  }
 }
 
 module.exports = {

package/src/lib/services/decrypt.js

@@ -15,10 +15,11 @@ const detectEncoding = require('./../helpers/detectEncoding')
 const determineEnvs = require('./../helpers/determineEnvs')
 
 class Decrypt {
-  constructor (envs = [], key = [], excludeKey = []) {
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null) {
     this.envs = determineEnvs(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
+    this.envKeysFilepath = envKeysFilepath
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
@@ -64,7 +65,7 @@ class Decrypt {
       let envSrc = fsx.readFileX(filepath, { encoding })
       const envParsed = dotenv.parse(envSrc)
 
-      const privateKey = findPrivateKey(envFilepath)
+      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
       const privateKeyName = guessPrivateKeyName(envFilepath)
 
       row.privateKey = privateKey

package/src/lib/services/encrypt.js

@@ -15,15 +15,16 @@ const detectEncoding = require('./../helpers/detectEncoding')
 const determineEnvs = require('./../helpers/determineEnvs')
 const findPrivateKey = require('./../helpers/findPrivateKey')
 const findPublicKey = require('./../helpers/findPublicKey')
-const keyPair = require('./../helpers/keyPair')
+const keypair = require('./../helpers/keypair')
 const truncate = require('./../helpers/truncate')
 const isPublicKey = require('./../helpers/isPublicKey')
 
 class Encrypt {
-  constructor (envs = [], key = [], excludeKey = []) {
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null) {
     this.envs = determineEnvs(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
+    this.envKeysFilepath = envKeysFilepath
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
@@ -75,11 +76,17 @@ class Encrypt {
 
       const publicKeyName = guessPublicKeyName(envFilepath)
       const privateKeyName = guessPrivateKeyName(envFilepath)
-      const existingPrivateKey = findPrivateKey(envFilepath)
+      const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
       const existingPublicKey = findPublicKey(envFilepath)
 
+      let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+      if (this.envKeysFilepath) {
+        envKeysFilepath = path.resolve(this.envKeysFilepath)
+      }
+      const relativeFilepath = path.relative(path.dirname(filepath), envKeysFilepath)
+
       if (existingPrivateKey) {
-        const kp = keyPair(existingPrivateKey)
+        const kp = keypair(existingPrivateKey)
         publicKey = kp.publicKey
         privateKey = kp.privateKey
 
@@ -90,38 +97,36 @@ class Encrypt {
           error.help = `debug info: ${privateKeyName}=${truncate(existingPrivateKey)} (derived ${publicKeyName}=${truncate(publicKey)} vs existing ${publicKeyName}=${truncate(existingPublicKey)})`
           throw error
         }
+
+        // typical scenario when encrypting a monorepo second .env file from a prior generated -fk .env.keys file
+        if (!existingPublicKey) {
+          const ps = this._preserveShebang(envSrc)
+          const firstLinePreserved = ps.firstLinePreserved
+          envSrc = ps.envSrc
+
+          const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
+
+          envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
+        }
       } else if (existingPublicKey) {
         publicKey = existingPublicKey
       } else {
         // .env.keys
         let keysSrc = ''
-        const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+
         if (fsx.existsSync(envKeysFilepath)) {
           keysSrc = fsx.readFileX(envKeysFilepath)
         }
 
-        // preserve shebang
-        const [firstLine, ...remainingLines] = envSrc.split('\n')
-        let firstLinePreserved = ''
-        if (firstLine.startsWith('#!')) {
-          firstLinePreserved = firstLine + '\n'
-          envSrc = remainingLines.join('\n')
-        }
+        const ps = this._preserveShebang(envSrc)
+        const firstLinePreserved = ps.firstLinePreserved
+        envSrc = ps.envSrc
 
-        const kp = keyPair() // generates a fresh keypair in memory
+        const kp = keypair() // generates a fresh keypair in memory
         publicKey = kp.publicKey
         privateKey = kp.privateKey
 
-        // publicKey
-        const prependPublicKey = [
-          '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
-          '#/            public-key encryption for .env files          /',
-          '#/       [how it works](https://dotenvx.com/encryption)     /',
-          '#/----------------------------------------------------------/',
-          `${publicKeyName}="${publicKey}"`,
-          '',
-          `# ${filename}`
-        ].join('\n')
+        const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
 
         // privateKey
         const firstTimeKeysSrc = [
@@ -144,6 +149,7 @@ class Encrypt {
         fsx.writeFileX(envKeysFilepath, keysSrc)
 
         row.privateKeyAdded = true
+        row.envKeysFilepath = this.envKeysFilepath || path.join(path.dirname(envFilepath), path.basename(envKeysFilepath))
       }
 
       row.publicKey = publicKey
@@ -210,6 +216,36 @@ class Encrypt {
   _detectEncoding (filepath) {
     return detectEncoding(filepath)
   }
+
+  _prependPublicKey (publicKeyName, publicKey, filename, relativeFilepath = '') {
+    const comment = relativeFilepath === '.env.keys' ? '' : ` # ${relativeFilepath}`
+
+    return [
+      '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
+      '#/            public-key encryption for .env files          /',
+      '#/       [how it works](https://dotenvx.com/encryption)     /',
+      '#/----------------------------------------------------------/',
+      `${publicKeyName}="${publicKey}"${comment}`,
+      '',
+      `# ${filename}`
+    ].join('\n')
+  }
+
+  _preserveShebang (envSrc) {
+    // preserve shebang
+    const [firstLine, ...remainingLines] = envSrc.split('\n')
+    let firstLinePreserved = ''
+
+    if (firstLine.startsWith('#!')) {
+      firstLinePreserved = firstLine + '\n'
+      envSrc = remainingLines.join('\n')
+    }
+
+    return {
+      firstLinePreserved,
+      envSrc
+    }
+  }
 }
 
 module.exports = Encrypt

package/src/lib/services/get.js

@@ -2,18 +2,18 @@ const Run = require('./run')
 const Errors = require('./../helpers/errors')
 
 class Get {
-  constructor (key, envs = [], overload = false, DOTENV_KEY = '', all = false, strict = false) {
+  constructor (key, envs = [], overload = false, DOTENV_KEY = '', all = false, envKeysFilepath = null) {
     this.key = key
     this.envs = envs
     this.overload = overload
     this.DOTENV_KEY = DOTENV_KEY
     this.all = all
-    this.strict = strict
+    this.envKeysFilepath = envKeysFilepath
   }
 
   run () {
     const processEnv = { ...process.env }
-    const { processedEnvs } = new Run(this.envs, this.overload, this.DOTENV_KEY, processEnv).run()
+    const { processedEnvs } = new Run(this.envs, this.overload, this.DOTENV_KEY, processEnv, this.envKeysFilepath).run()
 
     const errors = []
     for (const processedEnv of processedEnvs) {

package/src/lib/services/keypair.js

@@ -4,9 +4,9 @@ const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
 const smartDotenvPrivateKey = require('./../helpers/smartDotenvPrivateKey')
 
 class Keypair {
-  constructor (envFile = '.env', key = undefined) {
+  constructor (envFile = '.env', envKeysFilepath = null) {
     this.envFile = envFile
-    this.key = key
+    this.envKeysFilepath = envKeysFilepath
   }
 
   run () {
@@ -21,16 +21,12 @@ class Keypair {
 
       // private key
       const privateKeyName = guessPrivateKeyName(envFilepath)
-      const privateKeyValue = smartDotenvPrivateKey(envFilepath)
+      const privateKeyValue = smartDotenvPrivateKey(envFilepath, this.envKeysFilepath)
 
       out[privateKeyName] = privateKeyValue
     }
 
-    if (this.key) {
-      return out[this.key]
-    } else {
-      return out
-    }
+    return out
   }
 
   _envFilepaths () {

package/src/lib/services/run.js

@@ -16,11 +16,12 @@ const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
 const determineEnvs = require('./../helpers/determineEnvs')
 
 class Run {
-  constructor (envs = [], overload = false, DOTENV_KEY = '', processEnv = process.env) {
+  constructor (envs = [], overload = false, DOTENV_KEY = '', processEnv = process.env, envKeysFilepath = null) {
     this.envs = determineEnvs(envs, processEnv, DOTENV_KEY)
     this.overload = overload
     this.DOTENV_KEY = DOTENV_KEY
     this.processEnv = processEnv
+    this.envKeysFilepath = envKeysFilepath
 
     this.processedEnvs = []
     this.readableFilepaths = new Set()
@@ -92,7 +93,7 @@ class Run {
       const src = fsx.readFileX(filepath, { encoding })
       this.readableFilepaths.add(envFilepath)
 
-      const privateKey = findPrivateKey(envFilepath)
+      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
       const privateKeyName = guessPrivateKeyName(envFilepath)
       const { parsed, errors, injected, preExisted } = new Parse(src, privateKey, this.processEnv, this.overload, privateKeyName).run()
 

package/src/lib/services/sets.js

@@ -14,16 +14,17 @@ const detectEncoding = require('./../helpers/detectEncoding')
 const determineEnvs = require('./../helpers/determineEnvs')
 const findPrivateKey = require('./../helpers/findPrivateKey')
 const findPublicKey = require('./../helpers/findPublicKey')
-const keyPair = require('./../helpers/keyPair')
+const keypair = require('./../helpers/keypair')
 const truncate = require('./../helpers/truncate')
 const isEncrypted = require('./../helpers/isEncrypted')
 
 class Sets {
-  constructor (key, value, envs = [], encrypt = true) {
+  constructor (key, value, envs = [], encrypt = true, envKeysFilepath = null) {
     this.envs = determineEnvs(envs, process.env)
     this.key = key
     this.value = value
     this.encrypt = encrypt
+    this.envKeysFilepath = envKeysFilepath
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
@@ -76,11 +77,17 @@ class Sets {
 
         const publicKeyName = guessPublicKeyName(envFilepath)
         const privateKeyName = guessPrivateKeyName(envFilepath)
-        const existingPrivateKey = findPrivateKey(envFilepath)
+        const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
         const existingPublicKey = findPublicKey(envFilepath)
 
+        let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+        if (this.envKeysFilepath) {
+          envKeysFilepath = path.resolve(this.envKeysFilepath)
+        }
+        const relativeFilepath = path.relative(path.dirname(filepath), envKeysFilepath)
+
         if (existingPrivateKey) {
-          const kp = keyPair(existingPrivateKey)
+          const kp = keypair(existingPrivateKey)
           publicKey = kp.publicKey
           privateKey = kp.privateKey
 
@@ -95,38 +102,35 @@ class Sets {
             error.help = `debug info: ${privateKeyName}=${truncate(existingPrivateKey)} (derived ${publicKeyName}=${truncate(publicKey)} vs existing ${publicKeyName}=${truncate(existingPublicKey)})`
             throw error
           }
+
+          // typical scenario when encrypting a monorepo second .env file from a prior generated -fk .env.keys file
+          if (!existingPublicKey) {
+            const ps = this._preserveShebang(envSrc)
+            const firstLinePreserved = ps.firstLinePreserved
+            envSrc = ps.envSrc
+
+            const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
+
+            envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
+          }
         } else if (existingPublicKey) {
           publicKey = existingPublicKey
         } else {
           // .env.keys
           let keysSrc = ''
-          const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
           if (fsx.existsSync(envKeysFilepath)) {
             keysSrc = fsx.readFileX(envKeysFilepath)
           }
 
-          // preserve shebang
-          const [firstLine, ...remainingLines] = envSrc.split('\n')
-          let firstLinePreserved = ''
-          if (firstLine.startsWith('#!')) {
-            firstLinePreserved = firstLine + '\n'
-            envSrc = remainingLines.join('\n')
-          }
+          const ps = this._preserveShebang(envSrc)
+          const firstLinePreserved = ps.firstLinePreserved
+          envSrc = ps.envSrc
 
-          const kp = keyPair() // generates a fresh keypair in memory
+          const kp = keypair() // generates a fresh keypair in memory
           publicKey = kp.publicKey
           privateKey = kp.privateKey
 
-          // publicKey
-          const prependPublicKey = [
-            '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
-            '#/            public-key encryption for .env files          /',
-            '#/       [how it works](https://dotenvx.com/encryption)     /',
-            '#/----------------------------------------------------------/',
-            `${publicKeyName}="${publicKey}"`,
-            '',
-            `# ${filename}`
-          ].join('\n')
+          const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
 
           // privateKey
           const firstTimeKeysSrc = [
@@ -149,6 +153,7 @@ class Sets {
           fsx.writeFileX(envKeysFilepath, keysSrc)
 
           row.privateKeyAdded = true
+          row.envKeysFilepath = this.envKeysFilepath || path.join(path.dirname(envFilepath), path.basename(envKeysFilepath))
         }
 
         row.publicKey = publicKey
@@ -182,6 +187,36 @@ class Sets {
   _detectEncoding (filepath) {
     return detectEncoding(filepath)
   }
+
+  _prependPublicKey (publicKeyName, publicKey, filename, relativeFilepath = '.env.keys') {
+    const comment = relativeFilepath === '.env.keys' ? '' : ` # -fk ${relativeFilepath}`
+
+    return [
+      '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
+      '#/            public-key encryption for .env files          /',
+      '#/       [how it works](https://dotenvx.com/encryption)     /',
+      '#/----------------------------------------------------------/',
+      `${publicKeyName}="${publicKey}"${comment}`,
+      '',
+      `# ${filename}`
+    ].join('\n')
+  }
+
+  _preserveShebang (envSrc) {
+    // preserve shebang
+    const [firstLine, ...remainingLines] = envSrc.split('\n')
+    let firstLinePreserved = ''
+
+    if (firstLine.startsWith('#!')) {
+      firstLinePreserved = firstLine + '\n'
+      envSrc = remainingLines.join('\n')
+    }
+
+    return {
+      firstLinePreserved,
+      envSrc
+    }
+  }
 }
 
 module.exports = Sets