Encrypt, decrypt, and load .env files with authenticated AES-256-GCM encryption.

dotenv-encrypt

Encrypt, decrypt, edit, and load .env files from Python without committing plaintext secrets.

dotenv-encrypt uses AES-256-GCM for authenticated encryption and derives keys from a passphrase with scrypt. New files include a random salt, a random nonce, and authenticated encryption metadata.

Install

pip install dotenv-encrypt

For local development:

python -m pip install -e ".[dev]"
pytest

Python Usage

from dotenv_encrypt import load_enc_env, unload_enc_env

load_enc_env(".env.enc", passphrase="your passphrase")

# os.environ now contains the variables from .env.enc

unload_enc_env()

Read and write encrypted dotenv files directly:

from dotenv_encrypt import read_encrypted_env, write_encrypted_env

write_encrypted_env(
    {"API_KEY": "secret", "DEBUG": "false"},
    ".env.enc",
    passphrase="your passphrase",
)

env = read_encrypted_env(".env.enc", passphrase="your passphrase")

CLI Usage

The CLI intentionally avoids passphrase command-line flags, because command-line arguments can leak through shell history and process listings. Set DOTENV_ENCRYPT_KEY for automation, or let the CLI prompt securely.

dotenv-encrypt encrypt .env -o .env.enc
dotenv-encrypt show .env.enc
dotenv-encrypt show .env.enc --values
dotenv-encrypt set API_KEY "secret" .env.enc
dotenv-encrypt unset API_KEY .env.enc
dotenv-encrypt merge .env.add .env.enc
dotenv-encrypt decrypt .env.enc -o .env.local

Security Notes

  • Encryption is AES-256-GCM with a fresh 96-bit nonce for every write.
  • Passphrases are stretched with scrypt and a fresh 128-bit salt per file.
  • File metadata is authenticated with AES-GCM additional authenticated data.
  • Output files are written with 0600 permissions where the platform supports POSIX modes.
  • Secret values are not printed by default. Use show --values only when you explicitly need plaintext output.
  • The original script format is supported for decryption so existing nonce || ciphertext || tag files can be migrated.
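The construction these notes describe (scrypt key derivation, a fresh salt and nonce per write, and the file header bound in as AES-GCM additional authenticated data) is sketched below as an added example. It is not dotenv-encrypt's own code: the header layout, `MAGIC`, the scrypt cost values and all function names are assumptions, and it relies on the third-party `cryptography` package.

```python
import hashlib
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical layout, NOT dotenv-encrypt's real on-disk format:
# magic(8) | scrypt n(4) r(1) p(1) | salt(16) | nonce(12) | ciphertext || tag(16)
MAGIC = b"DEMOENV1"
HEADER = struct.Struct(">8sIBB16s12s")
N, R, P = 2**14, 8, 1   # assumed scrypt cost, chosen so the example runs quickly
MAX_N = 2**15           # upper bound accepted from a file header

def derive_key(passphrase: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Stretch the passphrase into a 256-bit AES key with scrypt."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)

def seal(plaintext: bytes, passphrase: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(12)  # 128-bit salt, 96-bit nonce, fresh per write
    header = HEADER.pack(MAGIC, N, R, P, salt, nonce)
    key = derive_key(passphrase, salt, N, R, P)
    # The header is passed as AAD: stored in the clear, but covered by the GCM tag.
    return header + AESGCM(key).encrypt(nonce, plaintext, header)

def unseal(blob: bytes, passphrase: str) -> bytes:
    if len(blob) < HEADER.size + 16:
        raise ValueError("truncated file")
    header = blob[:HEADER.size]
    magic, n, r, p, salt, nonce = HEADER.unpack(header)
    # These fields are parsed before the tag can be verified, so bound them first.
    if magic != MAGIC or n > MAX_N or r > R or p > P:
        raise ValueError("bad header")
    key = derive_key(passphrase, salt, n, r, p)
    return AESGCM(key).decrypt(nonce, blob[HEADER.size:], header)  # InvalidTag on mismatch

def rejected(blob: bytes, passphrase: str) -> bool:
    """True if the blob fails to decrypt (bad header, wrong key, or modified bytes)."""
    try:
        unseal(blob, passphrase)
    except (InvalidTag, ValueError):
        return True
    return False

def flip(blob: bytes, index: int) -> bytes:
    """Return a copy of blob with the lowest bit of one byte flipped."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]
```

Because the KDF parameters must be read before the key exists, they cannot be authenticated ahead of use; the bounds check in `unseal` keeps a modified header from forcing an arbitrarily expensive derivation.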

Publishing

Update the version in pyproject.toml, then build and check the package:

python -m build
python -m twine check dist/*

Upload with:

python -m twine upload dist/*

Download files

Source Distribution

dotenv_encrypt-0.1.0.tar.gz (12.1 kB)

Uploaded Source

Built Distribution

dotenv_encrypt-0.1.0-py3-none-any.whl (10.2 kB)

Uploaded Python 3

File details

Details for the file dotenv_encrypt-0.1.0.tar.gz.

File metadata

  • Download URL: dotenv_encrypt-0.1.0.tar.gz
  • Upload date:
  • Size: 12.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dotenv_encrypt-0.1.0.tar.gz
Algorithm Hash digest
SHA256 031b564bb6a679594d5afd8b8467c1352b63c8493f06aab2e997fa61e0992d62
MD5 e647c0112d4a8111a26a5b2755d2432f
BLAKE2b-256 153e37fe640dd60172d958ab040708c5126f550ae327d9bac3f47fa4bba4dee8

Provenance

The following attestation bundles were made for dotenv_encrypt-0.1.0.tar.gz:

Publisher: python-publish.yml on swiftbird07/dotenv-encrypt

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dotenv_encrypt-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: dotenv_encrypt-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 10.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dotenv_encrypt-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 feee0cd7c7cc8764a2eecf2587db0af9a5b27aa077122a981c371418e026c731
MD5 13a58b8ed6aded999661d9691e6d10da
BLAKE2b-256 9f29fa2c99bc2a0236265df802c5b84f0cb1292941bc1577affea9dca60b16ca

Provenance

The following attestation bundles were made for dotenv_encrypt-0.1.0-py3-none-any.whl:

Publisher: python-publish.yml on swiftbird07/dotenv-encrypt

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
