secretenv is an offline-first CLI for development teams that want to share API tokens, database passwords, certificates, .env values, and other development secrets without passing them around in plaintext.
It fits teams that already use Git and pull-request review as their daily workflow. Secrets, member changes, removals, and key rotation are represented as encrypted repository changes, so the team can review secret-sharing decisions through the same process they already use for code.
No dedicated cloud service, SaaS secret platform, or always-on server is required. Encryption, decryption, verification, and recipient updates work locally and offline, while Git remains the shared transport and review layer.
This project is currently in alpha. Feedback from trials, design reviews, and realistic team workflows is welcome before production adoption.
SecretEnv lets you move these workflows into Git review:
- encrypt an existing
.envfile and share it without committing plaintext - decrypt encrypted secrets just in time to run normal development commands
- sync future recipients after a member is removed
# Encrypt an existing .env file into Git-managed storage
secretenv init --member-handle alice@example.com
secretenv import .env
# Run the app without distributing a plaintext .env file
secretenv run -- npm start
# Remove a member from future sharing
secretenv member remove old-member@example.com
secretenv rewrapEven if secret files are encrypted, teams still need to decide:
- when a new member should receive each secret
- whether a removed member has been excluded from future sharing
- whether values a removed member could previously read need to be updated
SecretEnv records removed-member history and shows entry-level signals that help teams decide which .env values may need updates. Secret updates and membership changes are stored as files, so teams can review them in normal pull requests. For the broader positioning, see the Product Brief.
secretenv encrypts values that should stay private, such as access tokens, API keys, and certificates, so each member uses their own key material to decrypt. Teams do not need to distribute one shared encryption key; only members included as recipients can read the encrypted content.
The design is built around five ideas:
- encrypt secrets before they are stored in the repository, so a repository shared by many members can still carry sensitive values safely
- use public-key encryption to share the information needed for decryption separately with each recipient
- use proven, standards-based cryptographic schemes including HPKE, Ed25519 signatures, XChaCha20-Poly1305, and HKDF-SHA256
- require no dedicated server or SaaS; encryption, decryption, verification, and recipient updates are designed to work offline, even without network access
- verify signatures and recipient information before decrypting or updating encrypted artifacts
brew tap ebisawa/secretenv
brew install secretenvcurl -fsSL https://raw.githubusercontent.com/ebisawa/secretenv/main/install.sh | shgit clone <secretenv-repo>
cd secretenv
cargo install --path .cd /path/to/your-git-repo
secretenv init --member-handle alice@example.comThis creates a .secretenv/ directory, generates your key pair, and registers you as the first member.
If the workspace already exists, init does nothing. Use secretenv join to submit a key to an existing workspace.
# Add individual entries
secretenv set DATABASE_URL "postgres://user:pass@localhost/mydb"
secretenv set API_KEY "sk-your-api-key"
# Or import an existing .env file
secretenv import .envgit add .secretenv/
git commit -m "Initialize secretenv workspace"# Retrieve a single value
secretenv get DATABASE_URL
# Run a command with all secrets injected as environment variables
secretenv run -- ./my-appCheck workspace health before onboarding, CI setup, or release work:
secretenv doctorFor detailed setup and operational guidance, see the User Guide.
If you want the high-level overview first:
If you want setup and operational guidance:
If you want the security model and design details:
This project is currently in alpha. Specification work and implementation are still evolving together.
Apache-2.0. See LICENSE.