Git-native encrypted environments powered by your SSH keys

Encrypt environment variables directly in your Git repository. No external services, no vendor lock-in, no extra key management.

$ curl -fsSL https://dotenc.org/install.sh | sh
$ dotenc init
✔ Found SSH key: ~/.ssh/id_ed25519
✔ Username: alice
✔ Created .dotenc/alice.pub
✔ Created .env.alice.enc
$ dotenc env edit alice
✔ Decrypted → editor opened → re-encrypted
$ dotenc dev npm start
✔ Loaded 12 env vars from alice + development
🚀 Server running on http://localhost:3000

Features

Everything you need, nothing you don't.

🔒 AES-256-GCM

Battle-tested authenticated encryption for your secrets.

🔑 SSH Key Identity

Uses your existing SSH keys. No extra key management needed.

🚀 On-the-fly Decryption

Run commands with decrypted env vars injected automatically.

✍️ Secure Editing

Edit secrets in your preferred editor. Re-encrypted on save.

🌍 Multiple Environments

Development, staging, production. As many as you need.

👤 Personal Environments

Each developer gets their own encrypted env file.

🔄 Auto Key Rotation

Data keys are automatically rotated on every edit.

🛡️ RSA & Ed25519

Supports both key types. Use whatever you already have.

Why dotenc?

Most secret managers rely on third-party services and web dashboards. dotenc keeps everything in your repo.

No Vendor Lock-In

Your secrets live in your repository. Never tied to a third-party provider.

Improved Security

All encryption happens locally. Private keys never leave your machine.

Zero Key Management

You already have SSH keys. dotenc uses them directly.

Seamless Collaboration

Onboard or revoke team members with a single command.

Fully Auditable

Every grant and revoke is tracked in your Git history.

PR-Safe Changes

Env updates live in the same PR as your feature code.

How It Works

Simple, transparent, secure.

1. Detect SSH Keys

dotenc scans ~/.ssh/ for your Ed25519 or RSA keys.

2. Store Public Key

Your public key is derived and stored in .dotenc/.

3. Generate Data Key

A unique 256-bit data key is generated for each environment.

4. Encrypt Data Key

The data key is encrypted per-user with each authorized public key.

5. Encrypt Variables

Environment variables are encrypted with AES-256-GCM.

6. Commit to Git

Encrypted .env.*.enc files are committed to your repository.

7. Decrypt On-the-fly

When running commands, variables are decrypted using your SSH private key. Keys never leave ~/.ssh/.

Installation

Pick your favorite method.

Universal install (macOS / Linux)

curl -fsSL https://dotenc.org/install.sh | sh

macOS / Linux

$ brew tap ivanfilhoz/dotenc
$ brew install dotenc

Team Collaboration

Onboard and offboard team members with simple commands. Git tracks every change.

Granting Access

$ dotenc key add alice \
--from-file alice.pub
$ dotenc auth grant dev alice
$ dotenc auth grant test alice
$ git add . && git commit -m \
"Grant alice access"

Revoking Access

$ dotenc key remove john
✔ Removed key and re-encrypted envs
$ git add . && git commit -m \
"Revoke john's access"

Tip: Rotate external secrets after offboarding.

CI/CD Integration

Give your CI runners their own identity. Same workflow as local development.

GitHub Actions example:

.github/workflows/test.yml
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 24
      - run: npm ci
      - run: npm install -g @dotenc/cli
      - run: dotenc run -e test npm test
        env:
          DOTENC_PRIVATE_KEY: ${{ secrets.DOTENC_PRIVATE_KEY }}

How dotenc Compares

dotenc is a Git-native encryption layer. It doesn't replace centralized secret managers — it serves a different operational model.

Capability dotenc SOPS Vault Doppler
Git-native encrypted files
Uses existing SSH identity
No external service required
Envs versioned with code
Centralized runtime API
Dynamic / short-lived secrets
Built-in org policy engine
Requires running infrastructure