logo

Production-grade encrypted environment loader with AES-256-GCM, Zod validation, and profile merging for Bun.

Documentation

Contributors

Changelog

Initial Release June 30, 2026

A production-grade encrypted environment loader for the Bun runtime. Stop committing plaintext secrets — encrypt your `.env` files with AES-256-GCM and load them with full Zod type-safety on startup.


Features

  • AES-256-GCM Encryption — Authenticated encryption with unique 12-byte IVs per run. Any tampering with the vault file is detected and rejected before decryption.
  • Zod Schema Validation — Define your environment shape with Zod. Missing or invalid fields throw a typed `SchemaError` at startup, not at runtime.
  • Environment Profiles — Supports `BUN_ENV`-based overlays (e.g. `.env.production.vault` overrides `.env.vault`), making multi-environment setups seamless.
  • Zero Memory Footprint — Raw key bytes are immediately zero-filled after being imported into the WebCrypto engine, preventing key material from persisting in heap memory.
  • Native Bun API — No Node.js shims. Built on `Bun.file`, `Bun.write`, and `crypto.subtle`.

Install

```bash
bun add bun-secure-env
```

Quick Start

```ts
import { createEnv, z } from "bun-secure-env";

export const env = await createEnv({
schema: {
PORT: z.coerce.number().default(3000),
DATABASE_URL: z.string().url(),
DEBUG: z.preprocess((v) => v === "true", z.boolean().default(false)),
},
});
```

Set `VAULT_KEY` in your environment and run `encryptEnv()` once to generate your `.env.vault` file. Commit the vault, never the plaintext.


Full Changelog

Initial release no previous versions.