Skip to content
Hush

Getting Started

Get up and running with Hush in just a few minutes.

Prerequisites

Hush uses SOPS with age encryption. Install them first:

Terminal window
brew install sops age

Installation

Terminal window
pnpm add -D @chriscode/hush

Setup

  1. Generate an age key

    Create a key pair for encrypting your secrets:

    Terminal window
    mkdir -p ~/.config/sops/age
    age-keygen -o ~/.config/sops/age/key.txt

    This creates a private key at ~/.config/sops/age/key.txt. The public key is printed to the console.

  2. Create .sops.yaml

    In your repository root, create a SOPS configuration file:

    .sops.yaml
    creation_rules:
      - encrypted_regex: '.*'
        age: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Replace the age: value with your public key from step 1.

  3. Initialize Hush

    Run the init command to create hush.yaml:

    Terminal window
    npx hush init

    This auto-detects packages in your monorepo and creates a configuration file.

  4. Create your env files

    Terminal window
    # .env (shared across environments)
    DATABASE_URL=postgres://localhost/mydb
    STRIPE_SECRET_KEY=sk_test_xxx
    EXPO_PUBLIC_API_URL=${API_BASE}/v1
    

    # .env.development
    API_BASE=http://localhost:8787
    

    # .env.production
    API_BASE=https://api.example.com

  5. Encrypt

    Terminal window
    npx hush encrypt

    This creates encrypted versions of your env files (.env.encrypted, etc.) that are safe to commit.

  6. Decrypt for development

    Terminal window
    npx hush decrypt

    This decrypts and distributes secrets to all configured targets.

Verify Your Setup

Check that everything is configured correctly:

Terminal window
npx hush status

This shows your configuration, encrypted files, and target distribution.

Next Steps