Simple library for encrypted secrets with shared key powered by TweetNaCl.js.

Use cases

  • Secrets are long (e.g. private keys).

  • Don’t want to add each secret individually in e.g. Heroku, Vercel or GitHub Actions, but rather store a single secret that encrypts all the other secrets.

This module trades security for convenience. Please exercise caution when using this module.

Generate a secret key

The most convenient way to generate a secret key is to generate it from TweetNaCl.js’ website.

Generate an encrypted secret using the CLI

The package provides a CLI script, encrypt-json, which generates JavaScript code that is ready to be copied and pasted into your project.

# If input is valid JSON, then it encrypts the input as JSON object.
# If you want to encrypt it as raw string, convert the input to JSON string first.
$ echo '{"thing":"to encrypt"}' | npx -p @dtinth/encrypted encrypt-json

# If input is not valid JSON, then it encrypts the input as string.
$ echo 'string' | npx -p @dtinth/encrypted encrypt-json

The CLI is aware of .env files.

Using the secret in your project

Require the @dtinth/encrypted package and use the generated code. When the code is run, it will decrypt the secret using the key specified in the ENCRYPTION_SECRET environment variable.

const encrypted = require('@dtinth/encrypted')()

const decodedSecret = encrypted(

Generate an encrypted secret programmatically

const { encrypt } = require('@dtinth/encrypted')()
encrypt({ thing: 'to encrypt' })
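
The pattern this library is built around (one shared key that decrypts a bundle of other secrets), sketched as an added example using only Node's built-in crypto module. It is not the @dtinth/encrypted implementation: AES-256-GCM stands in for TweetNaCl.js' secretbox, and the function names, the nonce.ciphertext string layout and the demo values are assumptions made for this example.

```javascript
// Added example; not the @dtinth/encrypted implementation.
const crypto = require('crypto')

const ALGO = 'aes-256-gcm' // stand-in AEAD from Node's standard library
const NONCE_BYTES = 12
const TAG_BYTES = 16

// Decode a base64 key and insist on exactly 32 bytes.
function loadKey(base64Key) {
  const key = Buffer.from(base64Key || '', 'base64')
  if (key.length !== 32) throw new Error('key must be 32 bytes, base64-encoded')
  return key
}

// Encrypt any JSON-serialisable value.
// Output layout (assumed for this example): base64(nonce) + '.' + base64(ciphertext || tag)
function encryptJson(value, base64Key) {
  const nonce = crypto.randomBytes(NONCE_BYTES) // fresh nonce for every message
  const cipher = crypto.createCipheriv(ALGO, loadKey(base64Key), nonce, { authTagLength: TAG_BYTES })
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()])
  const body = Buffer.concat([ciphertext, cipher.getAuthTag()])
  return nonce.toString('base64') + '.' + body.toString('base64')
}

// Decrypt and authenticate; throws on a wrong key or a modified blob.
function decryptJson(blob, base64Key) {
  const [nonceB64, bodyB64] = blob.trim().split('.')
  const nonce = Buffer.from(nonceB64 || '', 'base64')
  const body = Buffer.from(bodyB64 || '', 'base64')
  if (nonce.length !== NONCE_BYTES || body.length < TAG_BYTES) throw new Error('malformed blob')
  const decipher = crypto.createDecipheriv(ALGO, loadKey(base64Key), nonce, { authTagLength: TAG_BYTES })
  decipher.setAuthTag(body.subarray(body.length - TAG_BYTES))
  const ciphertext = body.subarray(0, body.length - TAG_BYTES)
  const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()])
  return JSON.parse(plain.toString('utf8'))
}

// Constructed demo values: a throwaway key and made-up secrets.
const demoKey = crypto.randomBytes(32).toString('base64')
const demoBlob = encryptJson({ apiToken: 'example-token', privateKey: 'example-pem' }, demoKey)
console.log(decryptJson(demoBlob, demoKey))
```

Everything in the blob is readable by whoever holds the single key, so the key needs the same protection as the most sensitive secret it encrypts.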