dtx is a small CLI for managing encrypted .env-style environments on your local machine.
It is built on top of the dotenvx CLI and gives you a narrow workflow:
- keep env files encrypted at rest
- select the env you want to use
- run commands through an explicit execution gate
The goal is not to replace your shell environment management. The goal is to make secret-backed command execution more deliberate and easier to reason about.
With dtx, you can:
- keep multiple local environments such as
dev,staging, andprod - avoid leaving plaintext env files around by default
- avoid accidentally running commands with the wrong secrets loaded
- keep the "current env" as lightweight state without storing secrets in it
The intended flow looks like this:
dtx edit dev
dtx use dev
dtx run -- npm start
dtx depends on the dotenvx CLI for encryption, decryption, and runtime env injection.
Install dotenvx first:
npm install -g @dotenvx/dotenvxThen install dtx:
go install github.com/yokawasa/dtx/cmd/dtx@latestOr download a prebuilt binary from GitHub Releases:
dtx_linux_amd64.tar.gzfor Linux on x86_64dtx_linux_arm64.tar.gzfor Linux on ARM64dtx_darwin_amd64.tar.gzfor macOS on Inteldtx_darwin_arm64.tar.gzfor macOS on Apple Silicondtx_windows_amd64.zipfor Windows on x86_64
For example, on macOS with Apple Silicon:
curl -fLo dtx_darwin_arm64.tar.gz https://github.com/yokawasa/dtx/releases/latest/download/dtx_darwin_arm64.tar.gz
tar -xzf dtx_darwin_arm64.tar.gz
install dtx /usr/local/bin/dtxYou can also verify the downloaded archive with checksums.txt from the same release.
Requirements:
- Go 1.21 or later to install from source with
go install dotenvxavailable onPATH
Create or edit an env named dev:
dtx edit devdtx edit uses $VISUAL first, then $EDITOR. If neither is set, it returns an error.
Select the current env:
dtx use devCheck the current env:
dtx currentRun a command with the selected env:
dtx run -- npm startRun a command with an explicit env instead of current:
dtx run prod -- npm startList available envs:
dtx lsdtx use <env> Set the current env
dtx current Print the current env
dtx ls List available envs
dtx run [env] [--verbose] -- <command> Run a command with an env
dtx edit <env> [--verbose] Create or edit an encrypted env
dtx completion <bash|zsh|fish> Generate shell completion
Notes:
dtx runonly interprets dtx options before--.- Everything after
--is passed to the target command unchanged. - If no env is passed to
dtx run,dtxuses the current env.
Generate completion for bash, zsh, or fish:
dtx completion bash
dtx completion zsh
dtx completion fishThe generated scripts complete:
- subcommands
- env names from
~/.dtx/envs/ dtx runoptions such as--verbose
Examples for shell setup:
# bash
echo 'source <(dtx completion bash)' >> ~/.bashrc
# zsh
echo 'source <(dtx completion zsh)' >> ~/.zshrc
# fish
dtx completion fish > ~/.config/fish/completions/dtx.fishBy default, dtx stores its state under ~/.dtx.
~/.dtx/
envs/
dev.enc
staging.enc
prod.enc
keys/
dev
staging
prod
current
current stores only the selected env name. It does not store secret values.
For isolated testing or automation, you can override the home directory with DTX_HOME:
DTX_HOME=/tmp/dtx-test dtx lsdtx is designed to reduce mistakes and limit plaintext exposure, not to provide perfect isolation from the same local user.
In practice, that means:
- env files are stored encrypted
- plaintext is exposed only during editing or command execution
dtx runis the explicit path for secret-backed execution- the selected env state is stored separately from the secret data
If you want the implementation details or design rationale: