Skip to content

feat: encrypt env blob with _VARLOCK_ENV_KEY#656

Open
theoephraim wants to merge 1 commit intomainfrom
feat/encrypted-env-blob
Open

feat: encrypt env blob with _VARLOCK_ENV_KEY#656
theoephraim wants to merge 1 commit intomainfrom
feat/encrypted-env-blob

Conversation

@theoephraim
Copy link
Copy Markdown
Member

@theoephraim theoephraim commented Apr 24, 2026
edited
Loading

Summary

Adds opt-in encryption for the resolved env blob (__VARLOCK_ENV) that gets injected into build output by the Next.js and Vite integrations.

  • When _VARLOCK_ENV_KEY (64-char hex) is set at build time, the JSON blob is encrypted with AES-256-GCM before injection
  • At runtime, init bundles detect the varlock:v1: prefix and decrypt using the same key from the runtime environment
  • The key is never baked into the build — it must come from the deployment platform's env vars (e.g., a single Vercel env var)
  • New varlock generate-key CLI command with --plain flag for piping to platform CLIs
  • _VARLOCK_ENV_KEY can be defined in .env.schema for validation — it's automatically excluded from the injected blob and type generation

NOTE — Ideally we'd reinject vars back into the platform's native secret storage, but doing this atomically with a deployment is not always possible.

Quick setup (Vercel)

varlock generate-key --plain | vercel env add _VARLOCK_ENV_KEY production preview development --sensitive

Changes

Area What
varlock New runtime/crypto.ts with sync (node:crypto) + async (Web Crypto) encrypt/decrypt
varlock init-server.ts / init-edge.ts decrypt before initVarlockEnv()
varlock env.ts handles encrypted strings on globalThis.__varlockLoadedEnv
varlock New generate-key CLI command with --plain flag
varlock New ./encrypt-env subpath export
@varlock/nextjs-integration webpack + turbopack injection encrypts when key present
@varlock/vite-integration resolved-env SSR mode encrypts when key present

Docs

  • Next.js and Vite integration docs updated with "Encrypting the env blob" section
  • CLI reference updated with generate-key command

Test plan

  • Unit tests for crypto round-trip (sync, async, cross-compat, error cases)
  • Typecheck passes across all packages
  • Framework tests: Next.js build with _VARLOCK_ENV_KEY, verify varlock:v1: prefix in output, verify runtime decryption
  • Framework tests: Vite resolved-env mode with encryption

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented Apr 24, 2026
edited
Loading

Open in StackBlitz

varlock

npm i https://pkg.pr.new/varlock@656

@varlock/astro-integration

npm i https://pkg.pr.new/@varlock/astro-integration@656

@varlock/cloudflare-integration

npm i https://pkg.pr.new/@varlock/cloudflare-integration@656

@varlock/expo-integration

npm i https://pkg.pr.new/@varlock/expo-integration@656

@varlock/nextjs-integration

npm i https://pkg.pr.new/@varlock/nextjs-integration@656

@varlock/vite-integration

npm i https://pkg.pr.new/@varlock/vite-integration@656

@varlock/1password-plugin

npm i https://pkg.pr.new/@varlock/1password-plugin@656

@varlock/akeyless-plugin

npm i https://pkg.pr.new/@varlock/akeyless-plugin@656

@varlock/aws-secrets-plugin

npm i https://pkg.pr.new/@varlock/aws-secrets-plugin@656

@varlock/azure-key-vault-plugin

npm i https://pkg.pr.new/@varlock/azure-key-vault-plugin@656

@varlock/bitwarden-plugin

npm i https://pkg.pr.new/@varlock/bitwarden-plugin@656

@varlock/dashlane-plugin

npm i https://pkg.pr.new/@varlock/dashlane-plugin@656

@varlock/doppler-plugin

npm i https://pkg.pr.new/@varlock/doppler-plugin@656

@varlock/google-secret-manager-plugin

npm i https://pkg.pr.new/@varlock/google-secret-manager-plugin@656

@varlock/hashicorp-vault-plugin

npm i https://pkg.pr.new/@varlock/hashicorp-vault-plugin@656

@varlock/infisical-plugin

npm i https://pkg.pr.new/@varlock/infisical-plugin@656

@varlock/keepass-plugin

npm i https://pkg.pr.new/@varlock/keepass-plugin@656

@varlock/keeper-plugin

npm i https://pkg.pr.new/@varlock/keeper-plugin@656

@varlock/pass-plugin

npm i https://pkg.pr.new/@varlock/pass-plugin@656

@varlock/passbolt-plugin

npm i https://pkg.pr.new/@varlock/passbolt-plugin@656

@varlock/proton-pass-plugin

npm i https://pkg.pr.new/@varlock/proton-pass-plugin@656

commit: 93ac514

@theoephraim theoephraim changed the title feat: encrypt env blob with VARLOCK_ENV_KEY feat: encrypt env blob with _VARLOCK_ENV_KEY Apr 25, 2026
@theoephraim
feat: encrypt env blob with _VARLOCK_ENV_KEY for secure deployments
93ac514 
When _VARLOCK_ENV_KEY (64-char hex) is set at build time, the resolved
env blob injected into build output is encrypted with AES-256-GCM.
At runtime, the init bundles detect the varlock:v1: prefix and decrypt
using the same key from the runtime environment.

This lets Vercel users set a single env var and have all other config
travel encrypted inside the deployment artifact.

- New crypto module with sync (node:crypto) and async (Web Crypto) paths
- All integration injection points (Next.js, Vite) encrypt when key is present
- _VARLOCK_ENV_KEY auto-excluded from injected blob and type generation
- varlock generate-key CLI command with --plain flag for piping
- Docs for Next.js and Vite integrations
- Framework tests for encrypted blob flow
@theoephraim theoephraim force-pushed the feat/encrypted-env-blob branch from d467143 to 93ac514 Compare April 25, 2026 08:35
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented Apr 25, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 varlock-website 93ac514 Commit Preview URL

Branch Preview URL		 Apr 25 2026, 08:37 AM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

core:varlock core:website integration:nextjs integration:vite maintainer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theoephraim