Partial Encryption Feature

Overview

Partial encryption allows you to separate cleartext (non-sensitive) variables from encrypted (sensitive) variables while maintaining a single combined file for apps.

File Structure

  • Source files (you edit):
      • .env.production.clear - Cleartext variables (committed)
      • .env.production.secret - Sensitive variables (committed, encrypted)
  • Generated file (for apps):
      • .env.production - Combined output with warning header (committed)

Configuration

Add to your envdrift.toml:

[partial_encryption]
enabled = true

[[partial_encryption.environments]]
name = "production"
clear_file = ".env.production.clear"
secret_file = ".env.production.secret"
combined_file = ".env.production"

[[partial_encryption.environments]]
name = "staging"
clear_file = ".env.staging.clear"
secret_file = ".env.staging.secret"
combined_file = ".env.staging"

Workflow

1. Setup (Initial)

Create your source files:

# Create cleartext file
cat > .env.production.clear <<EOF
DEBUG=false
LOG_LEVEL=info
PORT=8080
APP_NAME=myapp
EOF

# Create secret file (will be encrypted)
cat > .env.production.secret <<EOF
DATABASE_URL=postgres://user:pass@localhost/db
JWT_SECRET=super-secret-key
STRIPE_API_KEY=sk_live_abc123
EOF

# Push (encrypt + combine)
envdrift push

# Commit all three files
git add .env.production.clear .env.production.secret .env.production
git commit -m "Add environment configuration"

2. Daily Development

# Pull (decrypt secret file for editing)
envdrift pull-partial

# Edit source files
vim .env.production.clear    # Non-sensitive changes
vim .env.production.secret   # Sensitive changes (now decrypted)

# Push (re-encrypt + regenerate combined)
envdrift push

# Commit
git add .env.production.clear .env.production.secret .env.production
git commit -m "Update configuration"

Commands

envdrift push

Encrypt secret files and combine with clear files:

# All environments
envdrift push

# Specific environment
envdrift push --env production

What it does:

  1. Encrypts .env.{env}.secret using dotenvx
  2. Combines .env.{env}.clear with the encrypted .env.{env}.secret
  3. Adds a warning header to the generated .env.{env} file
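The combine step above, as an added example that is not envdrift's own code: it parses the .clear and encrypted .secret files, emits the warning header, and adds the check a pre-commit hook would want, refusing to build the combined file while any .secret value is still plaintext (assumes dotenvx's "encrypted:" value prefix and its plaintext DOTENV_PUBLIC_KEY* line; the sample ciphertexts are constructed placeholders).

```python
# Added example, not envdrift's own code: re-implements the "combine" step this
# page describes and adds the check a pre-commit hook wants, i.e. refuse to
# build the combined file while the .secret file still holds plaintext.
import re

ENV_LINE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$")

def parse_env(text):
    """Yield (key, raw_value) pairs from dotenv text; blanks and comments skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            m = ENV_LINE.match(line)
            if m:
                yield m.group("key"), m.group("value")

def unencrypted_keys(secret_text):
    """Keys whose value is not dotenvx ciphertext ('encrypted:' prefix).
    DOTENV_PUBLIC_KEY* is the public key dotenvx writes in plaintext; allowed."""
    return [k for k, v in parse_env(secret_text)
            if not k.startswith("DOTENV_PUBLIC_KEY")
            and not v.strip('"').startswith("encrypted:")]

def combine(clear_text, secret_text, env="production"):
    """Return the combined .env.{env} text, or raise if the secret file would
    leak plaintext into the committed, combined file."""
    leaked = unencrypted_keys(secret_text)
    if leaked:
        raise ValueError(f"plaintext in .env.{env}.secret for {leaked}; run 'envdrift push' first")
    clear_name, secret_name = f".env.{env}.clear", f".env.{env}.secret"
    out = [
        "#/---------------------------------------------------/",
        "#/ WARNING: AUTO-GENERATED FILE                      /",
        "#/ DO NOT EDIT THIS FILE DIRECTLY                    /",
        "#/---------------------------------------------------/",
        "",
        f"# From {clear_name}",
        *[f"{k}={v}" for k, v in parse_env(clear_text)],
        "",
        f"# From {secret_name} (encrypted)",
        *[f"{k}={v}" for k, v in parse_env(secret_text)],
    ]
    return "\n".join(out) + "\n"

# Constructed sample inputs (ciphertext strings are placeholders, not real dotenvx output)
CLEAR_SAMPLE = "DEBUG=false\nLOG_LEVEL=info\nPORT=8080\n"
SECRET_OK = 'DATABASE_URL="encrypted:PLACEHOLDER1"\nJWT_SECRET="encrypted:PLACEHOLDER2"\n'
SECRET_LEAK = 'DATABASE_URL="encrypted:PLACEHOLDER1"\nJWT_SECRET=super-secret-key\n'
```

Running `combine(CLEAR_SAMPLE, SECRET_LEAK)` raises, which is the behaviour you want from a pre-commit hook: a forgotten `envdrift push` after editing the decrypted .secret file never reaches git.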

envdrift pull-partial

Decrypt secret files for editing:

# All environments
envdrift pull-partial

# Specific environment
envdrift pull-partial --env production

What it does:

  1. Decrypts .env.{env}.secret in-place
  2. Makes it available for editing

Git Setup

Add to .gitignore:

# Ignore backup files, but commit all env files
*.bak
*.tmp

Note: With partial encryption, you commit all three files:

  • .env.production.clear (cleartext)
  • .env.production.secret (encrypted)
  • .env.production (generated, mixed)

Benefits

  1. Git-friendly - Cleartext vars visible in diffs
  2. Simple workflow - Edit source files directly
  3. One file for apps - Applications read .env.production
  4. Clear separation - Know exactly what's sensitive
  5. Warning header - Generated file clearly marked

Example Generated File

#/---------------------------------------------------/
#/ WARNING: AUTO-GENERATED FILE                      /
#/ DO NOT EDIT THIS FILE DIRECTLY                    /
#/                                                   /
#/ To make changes:                                  /
#/   1. Edit: .env.production.clear                  /
#/   2. Edit: .env.production.secret                 /
#/   3. Run:  envdrift pull-partial                  /
#/   4. Run:  envdrift push                          /
#/---------------------------------------------------/

# From .env.production.clear
DEBUG=false
LOG_LEVEL=info
PORT=8080

# From .env.production.secret (encrypted)
DATABASE_URL="encrypted:BD7HQzbvYWcHPy8jGI..."
JWT_SECRET="encrypted:BD9XKwmZvYWcHPz9kHJ..."
STRIPE_API_KEY="encrypted:BDaLMxznvYWcHPy8lKL..."

Migration from Full Encryption

If you have existing encrypted .env files:

# 1. Decrypt existing file
envdrift decrypt .env.production

# 2. Manually split into clear and secret
# Copy non-sensitive vars to .env.production.clear
# Copy sensitive vars to .env.production.secret

# 3. Enable partial encryption in config
# Add [partial_encryption] section to envdrift.toml

# 4. Generate combined file
envdrift push

# 5. Commit new structure
git add .env.production.clear .env.production.secret .env.production
git commit -m "Migrate to partial encryption"

Tips

  • Always edit the source files (.clear and .secret), never the combined file
  • Run push before committing to ensure the combined file is up to date
  • Run pull-partial after pulling from git to decrypt the secret files
  • Use version control to track changes to cleartext vars

Alternative: Using lock --all

If you prefer to use envdrift lock for all encryption (including partial encryption files), you can use the --all flag:

# Lock everything, including partial encryption files
envdrift lock -f --all

This will:

  1. Encrypt all regular .env.* files
  2. Encrypt all .secret files
  3. Delete the combined files (since they're generated)

This is useful when you want a single command to lock all files before committing, rather than using separate push and lock commands.