envdrift push

Encrypt secret files and combine with clear files for partial encryption workflows.

Synopsis

envdrift push [OPTIONS]

Description

The push command is part of the partial encryption workflow. It:

  1. Encrypts .secret files using the configured encryption backend
  2. Combines .clear and encrypted .secret files into a single output file
  3. Adds a warning header to the generated file

This command requires partial encryption to be configured in envdrift.toml.

Options

--env, -e

Process only a specific environment instead of all configured environments.

envdrift push --env production

--backend, -b

Select the encryption backend (dotenvx or sops). If omitted, the backend from the configuration is used, falling back to dotenvx.

envdrift push --backend sops

Configuration

Partial encryption must be enabled in envdrift.toml:

[partial_encryption]
enabled = true

[[partial_encryption.environments]]
name = "production"
clear_file = ".env.production.clear"
secret_file = ".env.production.secret"
combined_file = ".env.production"

[[partial_encryption.environments]]
name = "staging"
clear_file = ".env.staging.clear"
secret_file = ".env.staging.secret"
combined_file = ".env.staging"

Examples

Push All Environments

envdrift push

Encrypts and combines files for all configured environments.

Push Specific Environment

envdrift push --env production

Only processes the production environment.

Typical Workflow

# 1. Edit source files
vim .env.production.clear    # Non-sensitive changes
vim .env.production.secret   # Sensitive changes (decrypted)

# 2. Encrypt and combine
envdrift push

# 3. Commit all three files
git add .env.production.clear .env.production.secret .env.production
git commit -m "Update configuration"

Output

The combined file includes a warning header:

#/---------------------------------------------------/
#/ WARNING: AUTO-GENERATED FILE                      /
#/ DO NOT EDIT THIS FILE DIRECTLY                    /
#/                                                   /
#/ To make changes:                                  /
#/   1. Edit: .env.production.clear                  /
#/   2. Edit: .env.production.secret                 /
#/   3. Run:  envdrift pull-partial                  /
#/   4. Run:  envdrift push                          /
#/---------------------------------------------------/

# From .env.production.clear
DEBUG=false
LOG_LEVEL=info

# From .env.production.secret (encrypted)
DATABASE_URL="encrypted:BD7HQzbvYWcHPy8jGI..."

Exit Codes

Code   Meaning
0      Push completed successfully
1      Error (missing config, file not found, encryption failed)