Production-grade encrypted environment loader with AES-256-GCM, Zod validation, and profile merging for Bun.
Contributors
Changelog
Initial Release
June 30, 2026
A production-grade encrypted environment loader for the Bun runtime. Stop committing plaintext secrets — encrypt your `.env` files with AES-256-GCM and load them with full Zod type-safety on startup.
Features
- AES-256-GCM Encryption — Authenticated encryption with unique 12-byte IVs per run. Any tampering with the vault file is detected and rejected before decryption.
- Zod Schema Validation — Define your environment shape with Zod. Missing or invalid fields throw a typed `SchemaError` at startup, not at runtime.
- Environment Profiles — Supports `BUN_ENV`-based overlays (e.g. `.env.production.vault` overrides `.env.vault`), making multi-environment setups seamless.
- Zero Memory Footprint — Raw key bytes are immediately zero-filled after being imported into the WebCrypto engine, preventing key material from persisting in heap memory.
- Native Bun API — No Node.js shims. Built on `Bun.file`, `Bun.write`, and `crypto.subtle`.
Install
```bash
bun add bun-secure-env
```
Quick Start
```ts
import { createEnv, z } from "bun-secure-env";
export const env = await createEnv({
schema: {
PORT: z.coerce.number().default(3000),
DATABASE_URL: z.string().url(),
DEBUG: z.preprocess((v) => v === "true", z.boolean().default(false)),
},
});
```
Set `VAULT_KEY` in your environment and run `encryptEnv()` once to generate your `.env.vault` file. Commit the vault, never the plaintext.
Full Changelog
Initial release no previous versions.