Open Standard · MIT License · Zero Dependencies

.env is Dead.
Enter `CrowEnv` 🐦‍⬛

Smart secrets. Like a crow. AES-256-GCM encrypted `.cenv` files
you can safely commit to Git — in every language.

bash

# Install CrowEnv
npm install -g crowenv
# Generate your master key (store this in 1Password!)
crowenv generate-key
🔑 a3f8...c901  ← 256-bit random key
# Encrypt your .env
crowenv encrypt
✅ .cenv created (5 secrets encrypted, AES-256-GCM)
# Commit it safely
git add .cenv && git commit -m "Add encrypted secrets"
✅ Your secrets are now in Git — and still private.

12M+exposed .env files online (2026)

$2.3Mavg. cost of a secrets breach

AES-256military-grade encryption

0runtime dependencies (Node.js)

⚠️ The Problem

Plain .env is a Ticking Time Bomb

Real attacks. Real money lost. Happening right now.

🌐

Public Web Exposure

Misconfigured Nginx/Apache serves /.env directly. 110,000+ domains scanned in one operation. 7,000+ cloud credentials stolen. Mass extortion followed.

— Palo Alto Unit 42, Aug 2024

📁

Git History Leaks

One accidental git add . = permanent exposure. Even after deletion, secrets remain in git history. GitGuardian bots find them in seconds.

— GitGuardian State of Secrets 2025

🖥️

Plain Text on Disk

Stolen laptop. Shared server. Malware. Backup systems. Docker inspect. cat .env = game over. Plain text has zero protection.

📋

Logs & Crash Dumps

console.log(process.env) by mistake. Crash dumps. AI coding assistants sometimes read your env vars. Side-channels everywhere.

🔧

Server Misconfigs

Laravel .env in public folder. One bug bounty hunter in 2025: exposed .env → PostgreSQL creds → full RCE. Happens daily.

→

🚀

The .cenv Solution

Encrypted by default. Commit it. The encrypted blob is useless without your master key. Game changed.

Get .cenv →

⚙️ How It Works

Military-Grade Encryption. Simple API.

🔑

Your Master Key

256-bit random key stored in 1Password / GitHub Secrets / Vault

🧂

Random Salt

16-byte cryptographic salt generated fresh on every encrypt

→

🔒

PBKDF2 (600k iter)

Key derivation — brute force takes millions of years

→

🛡️

AES-256-GCM

Authentication + Encryption. Tamper detection built in.

→

📄
.cenv
Encrypted JSON blob. Safe to commit.

❌ Plain .env (hackable)

DB_PASSWORD=supersecret123
API_KEY=sk_live_abc123xyz
JWT_SECRET=very_long_string
STRIPE_KEY=sk_live_xxxxx

→

✅ .cenv (encrypted, git-safe)

{
"v": "1.0",
"s": "dGhpcyBpcyBh...",
"d": "aGVsbG8gd29y..."
}

📦 Install

One Command. Every Language.

# Install globally
npm install -g crowenv

# Or use without installing
npx crowenv encrypt

# Quick start
crowenv init
crowenv generate-key
echo "DB_PASS=secret" > .env
crowenv encrypt
rm .env
git add .cenv

# Install
pip install crowenv

# In your app
import cenv
cenv.load()   # loads .cenv into os.environ

import os
print(os.getenv("DB_PASS"))

# CLI
python -m cenv encrypt
python -m cenv load

# Install
go install github.com/cenv/cenv-go@latest

# Or build from source
git clone https://github.com/cenv/cenv
cd cenv/packages/cenv-go
go build -o cenv .

# Usage
cenv init
cenv generate-key
cenv encrypt
cenv verify

# Install
cargo install crowenv

# Or from source
cd crowenv/packages/cenv-rs
cargo install --path .

# Usage
crowenv init
crowenv generate-key
crowenv encrypt
crowenv load

# Dockerfile
FROM node:20-slim
RUN npm install -g crowenv
COPY .cenv /app/.cenv
CMD ["sh", "-c", "crowenv load && node app.js"]

# Run with master key from secret manager
docker run \
-e CENV_MASTER_KEY="$(vault kv get -field=key secret/app)" \
myapp

📋 The Spec

.cenv Format v1.0

Property	Value
Encryption	AES-256-GCM
Key derivation	PBKDF2-HMAC-SHA256 (600,000 iterations)
Nonce	12 bytes, random per encryption
Auth tag	16 bytes (tamper detection)
Salt	16 bytes, random per encryption
File format	JSON `{"v","s","d"}`
Git safety	✅ Safe to commit
Brute-force cost	~2²⁵⁶ key guesses

Read Full Spec →

Stop the leaks. Ship .cenv today.

Join developers who chose security over convenience myths.

Install Now →⭐ Star on GitHub

.env is Dead.Enter CrowEnv 🐦‍⬛