FAQ
How is this different from dotenvx?
Section titled “How is this different from dotenvx?”dotenvx encrypts the values inside your .env file — the file holds ciphertext, and the decryption key sits in a .env.keys file on disk. hushenv removes the secrets from the project entirely: the .env holds references, the values live in a separate vault, and the key is in your OS keychain with no key file. Different approach, built for a world where an agent is reading your files. dotenvx is mature and its public-key model has real strengths; hushenv trades that for keeping the project folder free of secrets.
Do I need hushenv in production?
Section titled “Do I need hushenv in production?”No. hushenv is a local-development tool. In production, set environment variables through your host or its secret manager.
What happens if I lose my machine?
Section titled “What happens if I lose my machine?”The vault is encrypted and the master key is in your keychain, so a stolen machine doesn’t expose your secrets without your login. But the vault is local — keep your own backup of the underlying secret values, the same way you would for any local credential.
Can I share a secret across two projects?
Section titled “Can I share a secret across two projects?”Yes. Store it once in the vault and reference it from each project’s .env. The single vault entry is resolved wherever it is referenced.
Is there any telemetry?
Section titled “Is there any telemetry?”None. hushenv sends no data anywhere. It is Apache-2.0 licensed — you can verify this in the source.
Which operating systems are supported?
Section titled “Which operating systems are supported?”macOS and Windows use their native keychains. On Linux and in CI, supply the master key through HUSHENV_MASTER_KEY.