How secure is your environment file in Node.JS ?

October 7, 2017

I bet dotenv is the easiest way out. You create a .env file and include this sing==le li==ne of code within your project :


And BAM !! You are done and good to go. But wait how secure is it ?

Recently many fake Malicious NPM packages were found which work the same way as the real ones, but they fetch your process environment files and send them to a third-party server when you install them.

Oscar B on X: "@kentcdodds Hi Kent, it looks like this npm package is stealing env variables on install, using your cross-env package as bait:" / X (

This could be extremely dangerous as the your process environments could contain secret keys, tokens, DB strings and what not.

Solution ?

Try secure-env

The only problem here is that you write a few more lines of code.

# on your terminal/cmd
$ npm install -g secure-env
$ secure-env .env -s mySecretPassword

// in your node.js file
global.env =  require('secure-env')({secret:'mySecretPassword'});

This packages helps you generate a env.enc,which is then decrypted later in the code and can be assigned to any variable. The variable now contains the key value pair in the env file as an Object, which could be later used anywhere in your project. As you see, here we can decide where to assign the values in decrypted environment file and it doesn’t get assigned toprocess.envby default.

You may download and deep dive into other options that are available in secure-env to know more. Feel free to contribute to the code.

Other solutions

Reposted from: