Skip to content

python

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

python

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
envcrypt
envcrypt
 
 
tests
tests
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
setup.py
setup.py
 
 

README.md

envcrypt (Python)

Python library for loading encrypted .env files. Compatible with the Rust envcrypt CLI tool.

Installation

pip install -e .
# or
pip install envcrypt

Usage

Basic usage (from config file)

import envcrypt
import os

# Load key from ~/.envcrypt.yaml, decrypt .env, set env vars
envcrypt.load(".env")

# Access as normal
db_url = os.environ["DATABASE_URL"]

With explicit key

from envcrypt import EnvcryptLoader

# 64-char hex key (32 bytes)
loader = EnvcryptLoader.from_key("your-64-char-hex-key...")
loader.load(".env")

# Or with litcrypt-style obfuscation (your own implementation)
from myapp.secrets import get_key
loader = EnvcryptLoader.from_key(get_key())
loader.load(".env")

Encrypt/decrypt content

from envcrypt import EnvcryptLoader

loader = EnvcryptLoader.from_config()

# Encrypt
content = open(".env").read()
encrypted = loader.encrypt_content(content)
print(encrypted)

# Decrypt
decrypted = loader.decrypt_content(encrypted)
print(decrypted)

Single value encrypt/decrypt

from envcrypt import EnvcryptLoader

loader = EnvcryptLoader.from_config()

encrypted = loader.encrypt("my-secret")
print(encrypted)  # encrypted:base64...

decrypted = loader.decrypt(encrypted)
print(decrypted)  # my-secret

Compatibility

This library uses the same encryption format as the Rust envcrypt CLI:

  • Algorithm: AES-256-GCM
  • Key: 32 bytes (64 hex chars)
  • Nonce: 12 bytes (random, prepended to ciphertext)
  • Format: encrypted:<base64(nonce + ciphertext + tag)>

Files encrypted with the CLI can be loaded with Python and vice versa.

Config File

Default location: ~/.envcrypt.yaml

key: "64-character-hex-encoded-key..."

License

MIT