envdrift push

Encrypt secret files for partial encryption workflows.

Synopsis

envdrift push [OPTIONS]

Description

The push command is part of the partial encryption workflow. Its exact behaviour depends on the mode configured for each environment:

Combine mode (default):

1. Encrypts .secret files using the configured encryption backend
2. Combines .clear and encrypted .secret files into a single output file
3. Adds a warning header to the generated file

Secrets-only mode (secrets_only = true):

1. Encrypts every file matching pattern inside secrets_dir in place
2. Does not read or write any configs directory
3. Produces no combined output file

The pattern glob is non-recursive by default; use **/.env* for nested subdirectories. secrets_dir is required — pushing with secrets_only = true but no secrets_dir is rejected at config-load time.

The summary panel labels secrets-only counts as "Total encrypted files" and combine-mode counts as "Total encrypted vars" (and shows both when an envdrift run mixes the two modes).

This command requires partial encryption to be configured in envdrift.toml.

Options

--env, -e

Process only a specific environment instead of all configured environments.

envdrift push --env production

--backend, -b

Select the encryption backend (dotenvx or sops). Defaults to config or dotenvx.

envdrift push --backend sops

Configuration

Partial encryption must be enabled in envdrift.toml:

[partial_encryption]
enabled = true

# Combine mode
[[partial_encryption.environments]]
name = "staging"
clear_file = ".env.staging.clear"
secret_file = ".env.staging.secret"
combined_file = ".env.staging"

# Secrets-only mode
[[partial_encryption.environments]]
name = "production"
secrets_only = true
secrets_dir = "secrets/production/"
pattern = ".env*"

Examples

Push All Environments

envdrift push

Encrypts and combines files for all configured environments.

Push Specific Environment

envdrift push --env production

Only processes the production environment.

Typical Workflow

# 1. Edit source files
vim .env.production.clear    # Non-sensitive changes
vim .env.production.secret   # Sensitive changes (decrypted)

# 2. Encrypt and combine
envdrift push

# 3. Commit all three files
git add .env.production.clear .env.production.secret .env.production
git commit -m "Update configuration"

Output

The combined file includes a warning header:

#/---------------------------------------------------/
#/ WARNING: AUTO-GENERATED FILE                      /
#/ DO NOT EDIT THIS FILE DIRECTLY                    /
#/                                                   /
#/ To make changes:                                  /
#/   1. Edit: .env.production.clear                  /
#/   2. Edit: .env.production.secret                 /
#/   3. Run:  envdrift pull-partial                  /
#/   4. Run:  envdrift push                          /
#/---------------------------------------------------/

# From .env.production.clear
DEBUG=false
LOG_LEVEL=info

# From .env.production.secret (encrypted)
DATABASE_URL="encrypted:BD7HQzbvYWcHPy8jGI..."

Exit Codes

Code	Meaning
0	Push completed successfully
1	Error (missing config, file not found, encryption failed)

See Also

• pull-partial - Decrypt secret files for editing
• Partial Encryption Guide - Full workflow documentation
• encrypt - Standard encryption command