Skip to content

Initial Release

Latest

Choose a tag to compare

@BronzonTech-Cloud BronzonTech-Cloud released this 30 Jun 21:55
45e7159

A production-grade encrypted environment loader for the Bun runtime. Stop committing plaintext secrets — encrypt your .env files with AES-256-GCM and load them with full Zod type-safety on startup.


Features

  • AES-256-GCM Encryption — Authenticated encryption with unique 12-byte IVs per run. Any tampering with the vault file is detected and rejected before decryption.
  • Zod Schema Validation — Define your environment shape with Zod. Missing or invalid fields throw a typed SchemaError at startup, not at runtime.
  • Environment Profiles — Supports BUN_ENV-based overlays (e.g. .env.production.vault overrides .env.vault), making multi-environment setups seamless.
  • Zero Memory Footprint — Raw key bytes are immediately zero-filled after being imported into the WebCrypto engine, preventing key material from persisting in heap memory.
  • Native Bun API — No Node.js shims. Built on Bun.file, Bun.write, and crypto.subtle.

Install

bun add bun-secure-env

Quick Start

import { createEnv, z } from "bun-secure-env";

export const env = await createEnv({
  schema: {
    PORT: z.coerce.number().default(3000),
    DATABASE_URL: z.string().url(),
    DEBUG: z.preprocess((v) => v === "true", z.boolean().default(false)),
  },
});

Set VAULT_KEY in your environment and run encryptEnv() once to generate your .env.vault file. Commit the vault, never the plaintext.


Full Changelog

Initial release no previous versions.