@dotenvx/dotenvx 1.53.0 → 1.55.0

package/CHANGELOG.md

@@ -2,7 +2,29 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.53.0...main)
+[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.55.0...main)
+
+## [1.55.0](https://github.com/dotenvx/dotenvx/compare/v1.54.1...v1.55.0) (2026-03-13)
+
+### Added
+
+* Add 'KEYS OFF COMPUTER' security feature when [dotenvx-ops](https://dotenvx.com/ops) installed ([#746](https://github.com/dotenvx/dotenvx/pull/746))
+
+### Removed
+
+* Remove `ProKeypair` logic
+
+## [1.54.1](https://github.com/dotenvx/dotenvx/compare/v1.54.0...v1.54.1) (2026-03-06)
+
+### Changed
+
+* Fix npm publish
+
+## [1.54.0](https://github.com/dotenvx/dotenvx/compare/v1.53.0...v1.54.0) (2026-03-06)
+
+### Removed
+
+* Remove `ops observe` (radar feature). If needed download [dotenvx-ops](https://dotenvx.com/ops) and reach out to me directly at mot@dotenvx.com. ([#745](https://github.com/dotenvx/dotenvx/pull/745))
 
 ## [1.53.0](https://github.com/dotenvx/dotenvx/compare/v1.52.0...v1.53.0) (2026-03-05)
 

package/README.md

@@ -2597,50 +2597,11 @@ This is known as *Decryption at Access* and is written about in [the whitepaper]
 
  
 
-## AS2 🔐
+## Ops 🛡️
 
-<a href="https://dotenvx.com/as2">
-  <img src="https://dotenvx.com/assets/img/as2/9.jpg" alt="dotenvx as2" height="400" align="right">
-</a>
+[![dotenvx-ops](https://dotenvx.com/dotenvx-ops-banner.png?v=3)](https://dotenvx.com/ops)
 
-*agentic secret storage*.
-
-> Secrets designed for agents. No logins. No consoles. Pure cryptography.
-
-### Quickstart
-
-Install [`vestauth`](https://github.com/vestauth/vestauth) and initialize your agent. (AS2 uses [vestauth](https://vestauth.com) to authenticate agents.)
-
-```sh
-npm i -g vestauth
-vestauth agent init
-```
-
-Your agent can `set` secrets.
-
-```
-vestauth agent curl -X POST https://as2.dotenvx.com/set '{"KEY": "value"}'
-```
-
-Your agent can `get` secrets.
-
-```
-vestauth agent curl https://as2.dotenvx.com/get?key=KEY
-```
-
-&nbsp;
-
-## Ops 🏰
-
-[![dotenvx-ops](https://dotenvx.com/dotenvx-ops-banner.png?v=2)](https://dotenvx.com/ops)
-
-*production grade dotenvx*–with operational primitives.
-
-> As dotenvx spreads inside companies, we're learning—through enterprise engagements—that dotenvx is missing an operations layer.
->
-> Dotenvx Ops is our answer.
->
-> It's production grade dotenvx–with operational primitives for teams, infrastructure, and agents. Private key management, access controls, and more.
+> KEYS OFF COMPUTER
 
 ### Quickstart
 
@@ -2648,23 +2609,12 @@ Install it and gain `ops` commands.
 
 ```sh
 $ curl -sfS https://dotenvx.sh/ops | sh
-$ dotenvx ops backup
-✔ backed up [username/project]
-⮕ next run [dotenvx-ops open] to view
+$ dotenvx ops login
+$ dotenvx encrypt
 ```
 
 ### CLI
 
-<details><summary>`ops backup`</summary><br>
-
-Back up .env.keys.
-
-```sh
-$ dotenvx-ops backup
-✔ backed up [username/project]
-```
-
-</details>
 <details><summary>`ops login`</summary><br>
 
 Log in.
@@ -2687,7 +2637,7 @@ $ dotenvx ops logout
 ```
 
 </details>
-<details><summary>`settings`</summary><br>
+<details><summary>`ops settings`</summary><br>
 
 Check and configure various settings for [Ops](https://dotenvx.com/ops) - `username`, `token`, and more.
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.53.0",
+  "version": "1.55.0",
   "name": "@dotenvx/dotenvx",
   "description": "a secure dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/cli/actions/decrypt.js

@@ -10,6 +10,7 @@ function decrypt () {
   logger.debug(`options: ${JSON.stringify(options)}`)
 
   const envs = this.envs
+  const opsOn = options.opsOff !== true
 
   let errorCount = 0
 
@@ -17,7 +18,7 @@ function decrypt () {
   if (options.stdout) {
     const {
       processedEnvs
-    } = new Decrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
+    } = new Decrypt(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
     for (const processedEnv of processedEnvs) {
       if (processedEnv.error) {
@@ -42,7 +43,7 @@ function decrypt () {
         processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = new Decrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
+      } = new Decrypt(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
       for (const processedEnv of processedEnvs) {
         logger.verbose(`decrypting ${processedEnv.envFilepath} (${processedEnv.filepath})`)

package/src/cli/actions/encrypt.js

@@ -11,12 +11,13 @@ function encrypt () {
   logger.debug(`options: ${JSON.stringify(options)}`)
 
   const envs = this.envs
+  const opsOn = options.opsOff !== true
 
   // stdout - should not have a try so that exit codes can surface to stdout
   if (options.stdout) {
     const {
       processedEnvs
-    } = new Encrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
+    } = new Encrypt(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
     for (const processedEnv of processedEnvs) {
       console.log(processedEnv.envSrc)
@@ -28,7 +29,7 @@ function encrypt () {
         processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = new Encrypt(envs, options.key, options.excludeKey, options.envKeysFile).run()
+      } = new Encrypt(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
       for (const processedEnv of processedEnvs) {
         logger.verbose(`encrypting ${processedEnv.envFilepath} (${processedEnv.filepath})`)
@@ -61,8 +62,11 @@ function encrypt () {
 
       for (const processedEnv of processedEnvs) {
         if (processedEnv.privateKeyAdded) {
+          // Ops hook point (first-time key created for this env file):
+          // gate with `opsOn` and an Ops-installed check before calling your
+          // Ops service (for example: backup/register processedEnv.privateKey).
           logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
-          logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
+          // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
 
           if (!isIgnoringDotenvKeys()) {
             logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')

package/src/cli/actions/rotate.js

@@ -65,7 +65,7 @@ function rotate () {
       for (const processedEnv of processedEnvs) {
         if (processedEnv.privateKeyAdded) {
           logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
-          logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
+          // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
 
           if (!isIgnoringDotenvKeys()) {
             logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')

package/src/cli/actions/run.js

@@ -3,7 +3,6 @@ const { logger } = require('./../../shared/logger')
 
 const executeCommand = require('./../../lib/helpers/executeCommand')
 const Run = require('./../../lib/services/run')
-const Ops = require('./../../lib/services/ops')
 
 const conventions = require('./../../lib/helpers/conventions')
 const DeprecationNotice = require('./../../lib/helpers/deprecationNotice')
@@ -45,8 +44,6 @@ async function run () {
     new DeprecationNotice().dotenvKey() // DEPRECATION NOTICE
 
     const {
-      beforeEnv,
-      afterEnv,
       processedEnvs,
       readableStrings,
       readableFilepaths,
@@ -54,7 +51,8 @@ async function run () {
     } = new Run(envs, options.overload, process.env.DOTENV_KEY, process.env, options.envKeysFile, opsOn).run()
 
     if (opsOn) {
-      try { new Ops().observe({ beforeEnv, processedEnvs, afterEnv }) } catch {}
+      // removed radar feature for now. contact me at mot@dotenvx.com if still needed for your organization.
+      // try { new Ops().observe({ beforeEnv, processedEnvs, afterEnv }) } catch {}
     }
 
     for (const processedEnv of processedEnvs) {

package/src/cli/actions/set.js

@@ -67,7 +67,7 @@ function set (key, value) {
     for (const processedEnv of processedEnvs) {
       if (processedEnv.privateKeyAdded) {
         logger.success(`✔ key added to ${processedEnv.envKeysFilepath} (${processedEnv.privateKeyName})`)
-        logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
+        // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
 
         if (!isIgnoringDotenvKeys()) {
           logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')

package/src/cli/dotenvx.js

@@ -96,6 +96,7 @@ program.command('get')
   .option('-a, --all', 'include all machine envs as well')
   .option('-pp, --pretty-print', 'pretty print output')
   .option('--format <type>', 'format of the output (json, shell, eval)', 'json')
+  .option('--ops-off', 'disable dotenvx-ops features', false)
   .action(function (...args) {
     this.envs = envs
     getAction.apply(this, args)
@@ -114,6 +115,7 @@ program.command('set')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-c, --encrypt', 'encrypt value', true)
   .option('-p, --plain', 'store value as plain text', false)
+  .option('--ops-off', 'disable dotenvx-ops features', false)
   .action(function (...args) {
     this.envs = envs
     setAction.apply(this, args)
@@ -127,6 +129,7 @@ program.command('encrypt')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)')
+  .option('--ops-off', 'disable dotenvx-ops features', false)
   .option('--stdout', 'send to stdout')
   .action(function (...args) {
     this.envs = envs
@@ -141,6 +144,7 @@ program.command('decrypt')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to decrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from decryption (default: none)')
+  .option('--ops-off', 'disable dotenvx-ops features', false)
   .option('--stdout', 'send to stdout')
   .action(function (...args) {
     this.envs = envs
@@ -155,6 +159,7 @@ program.command('keypair')
   .argument('[KEY]', 'environment variable key name')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
+  .option('--ops-off', 'disable dotenvx-ops features', false)
   .option('-pp, --pretty-print', 'pretty print output')
   .option('--format <type>', 'format of the output (json, shell)', 'json')
   .action(keypairAction)
@@ -176,6 +181,7 @@ program.command('rotate')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)')
+  .option('--ops-off', 'disable dotenvx-ops features', false)
   .option('--stdout', 'send to stdout')
   .action(function (...args) {
     this.envs = envs
@@ -201,7 +207,7 @@ program.command('help [command]')
 // dotenvx pro
 program.addHelpText('after', ' ')
 program.addHelpText('after', 'Advanced: ')
-program.addHelpText('after', '  ops                          🏰 ops')
+program.addHelpText('after', '  ops                          🛡️  ops')
 program.addHelpText('after', '  ext                          🔌 extensions')
 
 // dotenvx ext

package/src/lib/helpers/executeDynamic.js

@@ -40,7 +40,7 @@ function executeDynamic (program, command, rawArgs) {
 
       console.log(ops)
       console.log('')
-      logger.warn(`[INSTALLATION_NEEDED] install dotenvx-${command} to use [dotenvx ${command}] 🏰`)
+      logger.warn(`[INSTALLATION_NEEDED] install dotenvx-${command} to use [dotenvx ${command}] 🛡️`)
       logger.help('⮕  next run: [curl -sfS https://dotenvx.sh/ops | sh]')
       logger.help('⮕  see more: [https://dotenvx.com/ops]')
     } else {

package/src/lib/helpers/findPrivateKey.js

@@ -1,22 +1,25 @@
 // helpers
 const guessPrivateKeyName = require('./guessPrivateKeyName')
-const ProKeypair = require('./proKeypair')
+const findPublicKey = require('./findPublicKey')
 
 // services
 const Keypair = require('./../services/keypair')
+const Ops = require('./../services/ops')
 
-function findPrivateKey (envFilepath, envKeysFilepath = null, opsOn = true) {
+function findPrivateKey (envFilepath, envKeysFilepath = null, opsOn = false, publicKey = null) {
   // use path/to/.env.${environment} to generate privateKeyName
   const privateKeyName = guessPrivateKeyName(envFilepath)
 
-  let proKeypairs = {}
   if (opsOn) {
-    proKeypairs = new ProKeypair(envFilepath).run() // TODO: implement custom envKeysFilepath
+    const resolvedPublicKey = publicKey || findPublicKey(envFilepath)
+    const opsPrivateKey = new Ops().keypair(resolvedPublicKey)
+    if (opsPrivateKey) {
+      return opsPrivateKey
+    }
   }
 
   const keypairs = new Keypair(envFilepath, envKeysFilepath).run()
-
-  return proKeypairs[privateKeyName] || keypairs[privateKeyName]
+  return keypairs[privateKeyName]
 }
 
 module.exports = { findPrivateKey }

package/src/lib/helpers/findPublicKey.js

@@ -1,21 +1,15 @@
 // helpers
 const guessPublicKeyName = require('./guessPublicKeyName')
-const ProKeypair = require('./proKeypair')
 
 // services
 const Keypair = require('./../services/keypair')
 
-function findPublicKey (envFilepath, opsOn = true) {
+function findPublicKey (envFilepath) {
   const publicKeyName = guessPublicKeyName(envFilepath)
 
-  let proKeypairs = {}
-  if (opsOn) {
-    proKeypairs = new ProKeypair(envFilepath).run()
-  }
-
   const keypairs = new Keypair(envFilepath).run()
 
-  return proKeypairs[publicKeyName] || keypairs[publicKeyName]
+  return keypairs[publicKeyName]
 }
 
 module.exports = findPublicKey

package/src/lib/main.js

@@ -12,7 +12,6 @@ const Sets = require('./services/sets')
 const Get = require('./services/get')
 const Keypair = require('./services/keypair')
 const Genexample = require('./services/genexample')
-const Ops = require('./services/ops')
 
 // helpers
 const buildEnvs = require('./helpers/buildEnvs')
@@ -58,15 +57,14 @@ const config = function (options = {}) {
   try {
     const envs = buildEnvs(options, DOTENV_KEY)
     const {
-      beforeEnv,
-      afterEnv,
       processedEnvs,
       readableFilepaths,
       uniqueInjectedKeys
     } = new Run(envs, overload, DOTENV_KEY, processEnv, envKeysFile, opsOn).run()
 
     if (opsOn) {
-      try { new Ops().observe({ beforeEnv, processedEnvs, afterEnv }) } catch {}
+      // removed radar feature for now. contact me at mot@dotenvx.com if still needed for your organization.
+      // try { new Ops().observe({ beforeEnv, processedEnvs, afterEnv }) } catch {}
     }
 
     let lastError
@@ -239,7 +237,7 @@ const set = function (key, value, options = {}) {
   for (const processedEnv of processedEnvs) {
     if (processedEnv.privateKeyAdded) {
       logger.success(`✔ key added to ${processedEnv.envKeysFilepath} (${processedEnv.privateKeyName})`)
-      logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
+      // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
 
       if (!isIgnoringDotenvKeys()) {
         logger.help('⮕  next run: [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys')

package/src/lib/services/decrypt.js

@@ -7,6 +7,7 @@ const TYPE_ENV_FILE = 'envFile'
 const Errors = require('./../helpers/errors')
 const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
 const { findPrivateKey } = require('./../helpers/findPrivateKey')
+const findPublicKey = require('./../helpers/findPublicKey')
 const decryptKeyValue = require('./../helpers/decryptKeyValue')
 const isEncrypted = require('./../helpers/isEncrypted')
 const dotenvParse = require('./../helpers/dotenvParse')
@@ -15,11 +16,12 @@ const detectEncoding = require('./../helpers/detectEncoding')
 const determineEnvs = require('./../helpers/determineEnvs')
 
 class Decrypt {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null) {
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = true) {
     this.envs = determineEnvs(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
+    this.opsOn = opsOn
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
@@ -65,7 +67,8 @@ class Decrypt {
       let envSrc = fsx.readFileX(filepath, { encoding })
       const envParsed = dotenvParse(envSrc)
 
-      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
+      const publicKey = findPublicKey(envFilepath)
+      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn, publicKey)
       const privateKeyName = guessPrivateKeyName(envFilepath)
 
       row.privateKey = privateKey

package/src/lib/services/encrypt.js

@@ -20,11 +20,12 @@ const truncate = require('./../helpers/truncate')
 const isPublicKey = require('./../helpers/isPublicKey')
 
 class Encrypt {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null) {
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = true) {
     this.envs = determineEnvs(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
+    this.opsOn = opsOn
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
@@ -76,8 +77,8 @@ class Encrypt {
 
       const publicKeyName = guessPublicKeyName(envFilepath)
       const privateKeyName = guessPrivateKeyName(envFilepath)
-      const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
       const existingPublicKey = findPublicKey(envFilepath)
+      const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn, existingPublicKey)
 
       let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
       if (this.envKeysFilepath) {
@@ -86,6 +87,7 @@ class Encrypt {
       const relativeFilepath = path.relative(path.dirname(filepath), envKeysFilepath)
 
       if (existingPrivateKey) {
+        // throw new Error('implement for remote Ops existingPrivateKey')
         const kp = keypair(existingPrivateKey)
         publicKey = kp.publicKey
         privateKey = kp.privateKey
@@ -109,6 +111,7 @@ class Encrypt {
           envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
         }
       } else if (existingPublicKey) {
+        // throw new Error('implement for remote Ops existingPrivateKey')
         publicKey = existingPublicKey
       } else {
         // .env.keys
@@ -122,9 +125,13 @@ class Encrypt {
         const firstLinePreserved = ps.firstLinePreserved
         envSrc = ps.envSrc
 
+        // TODO: instead get this from API
         const kp = keypair() // generates a fresh keypair in memory
         publicKey = kp.publicKey
         privateKey = kp.privateKey
+        // Ops hook point (first-time key generation):
+        // if Ops is installed and opsOff is not set, send privateKey/privateKeyName/envFilepath
+        // to your Ops service before persisting or immediately after writing below.
 
         const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
 
@@ -133,7 +140,7 @@ class Encrypt {
           '#/------------------!DOTENV_PRIVATE_KEYS!-------------------/',
           '#/ private decryption keys. DO NOT commit to source control /',
           '#/     [how it works](https://dotenvx.com/encryption)       /',
-          '#/           backup with: `dotenvx ops backup`              /',
+          // '#/           backup with: `dotenvx ops backup`              /',
           '#/----------------------------------------------------------/'
         ].join('\n')
         const appendPrivateKey = [
@@ -148,6 +155,9 @@ class Encrypt {
 
         // write to .env.keys
         fsx.writeFileX(envKeysFilepath, keysSrc)
+        // Ops hook point (after persistence):
+        // if Ops is installed and opsOff is not set, trigger backup/registration now that
+        // .env.keys has been written and row.privateKeyAdded will be true for callers.
 
         row.privateKeyAdded = true
         row.envKeysFilepath = this.envKeysFilepath || path.join(path.dirname(envFilepath), path.basename(envKeysFilepath))

package/src/lib/services/ops.js

@@ -10,12 +10,12 @@ class Ops {
     // check npm lib
     try {
       this.opsLib = this._opsNpm()
-      logger.successv(`📡 radar: ${this.opsLib.status}`)
+      logger.successv(`🛡️ ops: ${this.opsLib.status}`)
     } catch (e) {
       // check binary cli
       try {
         this.opsLib = this._opsCli()
-        logger.successv(`📡 radar: ${this.opsLib.status}`)
+        logger.successv(`🛡️ ops: ${this.opsLib.status}`)
       } catch (_e2) {
         // noop
       }
@@ -30,6 +30,38 @@ class Ops {
     }
   }
 
+  keypair (publicKey) {
+    const args = ['keypair']
+    if (publicKey) {
+      args.push(publicKey)
+    }
+
+    const options = { stdio: ['pipe', 'pipe', 'ignore'] }
+    const fallbackBin = path.resolve(process.cwd(), 'node_modules/.bin/dotenvx-ops')
+
+    try {
+      const output = childProcess.execFileSync(fallbackBin, args, options)
+      const parsed = JSON.parse(output.toString())
+      if (parsed && parsed.private_key) {
+        return parsed.private_key
+      }
+    } catch (e) {
+      // noop
+    }
+
+    try {
+      const output = childProcess.execFileSync('dotenvx-ops', args, options)
+      const parsed = JSON.parse(output.toString())
+      if (parsed && parsed.private_key) {
+        return parsed.private_key
+      }
+    } catch (e) {
+      // noop
+    }
+
+    return null
+  }
+
   encode (payload) {
     return Buffer.from(JSON.stringify(payload)).toString('base64')
   }

package/src/lib/services/rotate.js

@@ -15,6 +15,7 @@ const append = require('./../helpers/append')
 const detectEncoding = require('./../helpers/detectEncoding')
 const determineEnvs = require('./../helpers/determineEnvs')
 const { findPrivateKey } = require('./../helpers/findPrivateKey')
+const findPublicKey = require('./../helpers/findPublicKey')
 const decryptKeyValue = require('./../helpers/decryptKeyValue')
 const keypair = require('./../helpers/keypair')
 
@@ -73,7 +74,8 @@ class Rotate {
 
       const publicKeyName = guessPublicKeyName(envFilepath)
       const privateKeyName = guessPrivateKeyName(envFilepath)
-      const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
+      const existingPublicKey = findPublicKey(envFilepath)
+      const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath, false, existingPublicKey)
 
       let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
       if (this.envKeysFilepath) {

package/src/lib/services/run.js

@@ -12,6 +12,7 @@ const dotenvParse = require('./../helpers/dotenvParse')
 const parseEnvironmentFromDotenvKey = require('./../helpers/parseEnvironmentFromDotenvKey')
 const detectEncoding = require('./../helpers/detectEncoding')
 const { findPrivateKey } = require('./../helpers/findPrivateKey')
+const findPublicKey = require('./../helpers/findPublicKey')
 const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
 const determineEnvs = require('./../helpers/determineEnvs')
 
@@ -97,7 +98,8 @@ class Run {
       const src = fsx.readFileX(filepath, { encoding })
       this.readableFilepaths.add(envFilepath)
 
-      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn)
+      const publicKey = findPublicKey(envFilepath)
+      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn, publicKey)
       const privateKeyName = guessPrivateKeyName(envFilepath)
       const { parsed, errors, injected, preExisted } = new Parse(src, privateKey, this.processEnv, this.overload, privateKeyName).run()
 

package/src/lib/services/sets.js

@@ -77,8 +77,8 @@ class Sets {
 
         const publicKeyName = guessPublicKeyName(envFilepath)
         const privateKeyName = guessPrivateKeyName(envFilepath)
-        const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath)
         const existingPublicKey = findPublicKey(envFilepath)
+        const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath, false, existingPublicKey)
 
         let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
         if (this.envKeysFilepath) {
@@ -137,7 +137,7 @@ class Sets {
             '#/------------------!DOTENV_PRIVATE_KEYS!-------------------/',
             '#/ private decryption keys. DO NOT commit to source control /',
             '#/     [how it works](https://dotenvx.com/encryption)       /',
-            '#/           backup with: `dotenvx ops backup`              /',
+            // '#/           backup with: `dotenvx ops backup`              /',
             '#/----------------------------------------------------------/'
           ].join('\n')
           const appendPrivateKey = [

package/src/lib/helpers/proKeypair.js

@@ -1,39 +0,0 @@
-const path = require('path')
-const childProcess = require('child_process')
-
-const guessPrivateKeyName = require('./guessPrivateKeyName')
-const guessPublicKeyName = require('./guessPublicKeyName')
-
-class ProKeypair {
-  constructor (envFilepath) {
-    this.envFilepath = envFilepath
-  }
-
-  run () {
-    let result = {}
-
-    try {
-      const fallbackBin = path.resolve(process.cwd(), 'node_modules/.bin/dotenvx-pro')
-      const output = childProcess.execSync(`${fallbackBin} keypair -f ${this.envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
-      result = JSON.parse(output)
-    } catch (_e) {
-      try {
-        // if installed as binary cli
-        const output = childProcess.execSync(`dotenvx-pro keypair -f ${this.envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
-
-        result = JSON.parse(output)
-      } catch (_e) {
-        const privateKeyName = guessPrivateKeyName(this.envFilepath)
-        const publicKeyName = guessPublicKeyName(this.envFilepath)
-
-        // match format of dotenvx-pro
-        result[privateKeyName] = null
-        result[publicKeyName] = null
-      }
-    }
-
-    return result
-  }
-}
-
-module.exports = ProKeypair