@codingarchitect-wq

@codingarchitect-wq codingarchitect-wq commented Dec 4, 2025

Add support for encrypting .env files using GPG keys, enabling hardware
security module (HSM) support via YubiKey. This provides an alternative
to the existing ECIES encryption for users who prefer GPG-based workflows.

New features:

  • --gpg flag for encrypt, decrypt, and set commands
  • --gpg-key <recipient> to specify GPG key ID or email
  • DOTENVX_CRYPTO=gpg environment variable for persistent config
  • Environment-specific GPG keys (DOTENV_GPG_KEY_PRODUCTION, etc.)
  • Auto-detection of gpg:encrypted: prefix during decryption
  • 60-second timeout for YubiKey PIN entry

New helpers:

  • gpgAvailable.js - detect GPG CLI installation
  • gpgEncryptValue.js - encrypt values via GPG
  • gpgDecryptValue.js - decrypt values via GPG
  • isGpgEncrypted.js - detect GPG-encrypted values
  • getCryptoProvider.js - determine ECIES vs GPG mode
  • getGpgRecipient.js - resolve GPG recipient from options/env

Usage:
  dotenvx encrypt --gpg --gpg-key [email protected]
  dotenvx set KEY "value" --gpg --gpg-key [email protected]
  dotenvx run -- node app.js  # auto-decrypts, prompts for YubiKey PIN

Demo:

dotenvx-gpg-yubikey-demo.mov

@motdotla
Contributor

motdotla commented Dec 4, 2025

Hi Alex, do you need this for an enterprise you work at?

This will likely be a feature rolled into dotenvx.com/ops. I find GPG keys unwieldy though there are good historical and enterprise reasons for their use. But my goal with dotenvx is to keep its feature-set sharp. I think this would dull it somewhat.

Others' thoughts?

@codingarchitect-wq
Author

codingarchitect-wq commented Dec 4, 2025

Hi Mot, thanks for the fast answer.

For now I need it in some personal projects, and in the future possibly for introducing a working solution at work.

Considering the recent supply chain attacks I don't want to keep the .env files in clear text anymore. dotenvx is a nice option but still the private key is on disk and attackers can read it. So I thought of using my GPG key stored on my YubiKey for decryption since the private key cannot be extracted from it.

So I let Claude Code Opus 4.5 extend dotenvx with GPG support so that I can use my YubiKey.

I can understand if you don't want to increase the complexity of dotenvx by integrating this; I can use my fork going forward or look for other alternative solutions to the problem.

I think https://dotenvx.com/ops looks promising and for sure has a good future, especially if you add support for encryption providers like Azure Keyvault, AWS KMS, GPG, YubiKeys etc.
