Secrets Management (dotenvx & Infisical)

How to configure encrypted secrets for Neexo projects using dotenvx or Infisical, replacing manual .env file sharing.

Author: NeexoCore
Tags: secrets, security, dotenvx, infisical


Raw content

Copy this into your project — e.g. .instructions.md, .agent.md, or SKILL.md

## Overview

Neexo projects use encrypted secrets instead of sharing raw `.env` files. Two approaches are supported depending on the project.

## Option 1: dotenvx (Encrypted .env in Git)

Used by: neexo-configurator, neexo-internal

Secrets are encrypted and committed to git. A separate `.env.keys` file (shared securely between devs) decrypts them at runtime.

### Setup

```bash
# Install dotenvx
npm install -g @dotenvx/dotenvx

# Encrypt an .env file
dotenvx encrypt .env.development

# Start dev server with decryption
dotenvx run -- next dev
```

### How It Works

1. `.env.development` and `.env.production` are encrypted and committed to git
2. `.env.keys` contains the decryption keys — **never commit this file**
3. `dotenvx run` decrypts and injects env vars at runtime
4. Fallback: `.env.local` still works if `.env.keys` is unavailable

### First-Time Developer Setup

1. Get the `.env.keys` file from a team member (share via secure channel)
2. Place it in the repo root
3. Run `pnpm dev` — the `predev` hook uses dotenvx automatically

## Option 2: Infisical (Cloud Secrets Manager)

Used by: neexo-homepage

Secrets are stored in Infisical cloud (EU region) and injected at runtime via CLI.

### Setup

```bash
# Install Infisical CLI
winget install infisical

# Authenticate (opens browser)
infisical login --domain https://eu.infisical.com/api

# Start dev server with secrets injection
npm run dev:infisical
# Equivalent to: infisical run --domain ... --env=dev -- next dev
```

### How It Works

1. `.infisical.json` in repo root links to the correct Infisical project
2. `infisical run` injects env vars from the cloud at runtime
3. Fallback: copy `.env.example` to `.env.local` and fill in values manually

## Rules

- Never commit `.env.keys` or `.env.local` to git
- Never share secrets via Slack, email, or other unencrypted channels
- Use `dotenvx encrypt` after adding new env vars to encrypted files
- Use Infisical's dashboard to manage rotation and access control
- Always provide `.env.example` with placeholder values for documentation
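As an added example (not part of the Neexo docs), a pre-commit style check in bash that enforces two of the rules above for the dotenvx workflow: `.env.keys` and `.env.local` must be listed in `.gitignore`, and every value in a committed `.env.<env>` file must carry dotenvx's `encrypted:` prefix, the one plaintext line dotenvx itself writes being `DOTENV_PUBLIC_KEY_<ENV>`. The sample `.gitignore` and `.env.development` and all their values are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the Neexo docs): a pre-commit style check for the dotenvx
# workflow. It catches two mistakes the Rules forbid: .env.keys or .env.local missing
# from .gitignore, and a value in a committed .env.<env> file that was never run
# through `dotenvx encrypt`. dotenvx writes encrypted values as KEY="encrypted:<ct>";
# the only plaintext line it keeps is DOTENV_PUBLIC_KEY_<ENV>="...", which is expected.

# check_gitignore <path-to-.gitignore>: prints missing entries, returns 1 if any.
check_gitignore() {
    local ignore_file="$1" entry status=0
    for entry in .env.keys .env.local; do
        if ! grep -qxF -- "$entry" "$ignore_file" 2>/dev/null; then
            echo "FAIL: $entry is not listed in $ignore_file"
            status=1
        fi
    done
    return "$status"
}

# check_encrypted_env <file>: prints each key stored in plaintext, returns 1 if any.
check_encrypted_env() {
    local file="$1" line key value status=0 cr="$(printf '\r')"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%"$cr"}"                                 # tolerate CRLF files
        line="${line#"${line%%[![:space:]]*}"}"             # drop leading whitespace
        case "$line" in ''|'#'*) continue ;; esac            # skip blanks and comments
        line="${line#export }"                               # tolerate `export KEY=...`
        key="${line%%=*}"; value="${line#*=}"
        case "$value" in                                     # strip surrounding quotes
            \"*\") value="${value#\"}"; value="${value%\"}" ;;
            \'*\') value="${value#\'}"; value="${value%\'}" ;;
        esac
        case "$key" in DOTENV_PUBLIC_KEY*) continue ;; esac  # dotenvx's own header key
        case "$value" in
            encrypted:*) ;;
            *) echo "FAIL: $file: $key is stored in plaintext"; status=1 ;;
        esac
    done < "$file"
    return "$status"
}
# Constructed sample files (placeholder values, not real secrets) to exercise both checks.
workdir="$(mktemp -d)"
printf '%s\n' node_modules .env.keys .env.local > "$workdir/.gitignore"
printf '%s\n' 'DOTENV_PUBLIC_KEY_DEVELOPMENT="03PLACEHOLDERpublickey"' \
    'DATABASE_URL="encrypted:PLACEHOLDERciphertext=="' \
    'API_TOKEN="plaintext-PLACEHOLDER-added-by-hand"' > "$workdir/.env.development"
check_gitignore "$workdir/.gitignore" && echo ".gitignore OK"
check_encrypted_env "$workdir/.env.development" || echo "fix: run dotenvx encrypt .env.development"
rm -rf "$workdir"
```

Wire both functions into a pre-commit hook or CI step and point them at the repo's real `.gitignore` and each tracked `.env.<env>` file; a non-zero exit from `check_encrypted_env` means someone added a variable by hand and `dotenvx encrypt` has to be run before the commit lands.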

## Package.json Scripts

```json
{
  "scripts": {
    "dev": "dotenvx run -- next dev",
    "dev:infisical": "infisical run --domain https://eu.infisical.com/api --env=dev -- next dev"
  }
}
```