Your secrets, encrypted, everywhere. One tool for all .env management.
Install • Quick Start • Features • Commands • Config • Contributing
Managing environment variables and secrets across projects, teams, and environments is a persistent source of friction and risk:
- Scattered .env files -- secrets live in plaintext files spread across machines with no central management, no versioning, and no consistency.
- Accidental commits -- a single mistake pushes credentials to version control, exposing them permanently in git history.
- Insecure sharing -- teams pass secrets through Slack, email, or shared documents with no encryption and no audit trail.
- Environment switching pain -- juggling dev, staging, and production configurations means manually copying and renaming files, leading to misconfigurations and outages.
- No unified tool -- existing solutions each solve one piece of the puzzle, forcing teams to stitch together multiple tools, plugins, and workflows.
EnvSafe replaces all of that with a single, fast, cross-platform binary:

```bash
envsafe init
envsafe set DATABASE_URL "postgres://..."
envsafe set API_KEY "sk-..." --secret
envsafe run -- npm start
```

Secrets are encrypted at rest, never written as plaintext unless you explicitly export them, injected directly into processes, and shareable through git-safe vault files. One tool, zero leaks.
## Install

Pre-built binaries for Linux, macOS (arm64/amd64), and Windows are available on the GitHub Releases page:

```bash
curl -sSL https://github.com/aymenhmaidiwastaken/envsafe/releases/latest/download/envsafe-x86_64-unknown-linux-gnu.tar.gz \
  | tar xz -C /usr/local/bin
```

Writing to /usr/local/bin usually needs root; `-C ~/.local/bin` works without it. Treat the archive like any other `curl | tar` download: check it against whatever checksum or signature the release page provides before putting the binary on your PATH.

With cargo:

```bash
cargo install envsafe
```

From source:

```bash
git clone https://github.com/aymenhmaidiwastaken/envsafe.git
cd envsafe
cargo build --release
# Binary is at target/release/envsafe
```

Via npx:

```bash
npx envsafe
```

## Quick Start

```bash
# Initialize envsafe in your project
envsafe init

# Store some variables
envsafe set DATABASE_URL "postgres://user:pass@localhost/mydb"
envsafe set API_KEY "sk-abc123" --secret

# Run your application with secrets injected
envsafe run -- npm start

# Export as a dotenv file (plaintext: keep .env in .gitignore)
envsafe export --format dotenv > .env

# Lock the vault for git-safe sharing
envsafe lock
```

## Features

| Feature | Description |
|---|---|
| Encrypted Vault | All secrets stored in AES-256-GCM encrypted vaults. No plaintext on disk, ever. |
| Environment Profiles | Manage separate dev, staging, and prod configurations side by side. |
| Process Injection | Run any command with secrets injected as environment variables, without touching the shell. |
| Git-Safe Sharing | Lock secrets into an encrypted vault file safe for version control. Team members decrypt with a shared key. |
| Secret Scanning | Detect leaked API keys, tokens, and credentials in staged files before they reach your repository. |
| Cloud Sync | Pull and push secrets from AWS SSM, HashiCorp Vault, 1Password, and Google Cloud Secret Manager. |
| Schema Validation | Define required variables, types, and patterns in .envsafe.yaml. Catch misconfigurations before deployment. |
| Interactive TUI | Browse, search, and edit secrets in a full terminal user interface (envsafe ui). |
| Shell Integration | Auto-inject secrets when entering a project directory with eval "$(envsafe hook-shell bash)". |
| Plugin System | Extend EnvSafe with external plugins. Any executable named envsafe-plugin-<name> in your PATH is discovered automatically, so keep every directory on your PATH writable only by you. |
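The Secret Scanning and pre-commit hook features above amount to "run a set of credential patterns over the staged files and refuse the commit on a hit". The block below is an added example of that check, written for this page and not taken from envsafe: the rule patterns, the `.env.vault` skip list, the `envsafe:ignore` allowlist marker and the sample "staged" files are all constructed for illustration. It shows the two details a hook gets wrong most often: placeholder values in a `.env.example` must not block commits, and the hook's own output must not echo the secret it found.

```python
"""Staged-file secret scanner of the kind a pre-commit hook runs before a
commit is accepted. This is an added example, not envsafe's own scanner: the
rule patterns, skip list, allowlist marker and sample 'staged' files are all
constructed for illustration."""
import re
from dataclasses import dataclass

# Ordered most-specific first; the first rule that hits a line wins.
# A rule with a second capture group reports that group as the secret value.
RULES = [
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("sk-style-api-key", re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")),
    ("generic-assignment", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
]

SKIP_FILES = {".env.vault"}   # ciphertext only; scanning it would only add noise
PLACEHOLDERS = {"changeme", "password", "placeholder", "xxxxxxxx"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str   # never echo the full secret into hook output or CI logs


def is_placeholder(value):
    """Values a .env.example legitimately contains and that must not block commits."""
    v = value.lower()
    return v in PLACEHOLDERS or v.startswith(("<", "${", "your-", "xxx"))


def scan_file(path, text):
    if path.rsplit("/", 1)[-1] in SKIP_FILES:
        return []
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if "envsafe:ignore" in line:      # per-line allowlist marker (assumed syntax)
            continue
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(2) if (m.lastindex or 0) >= 2 else m.group(0)
            if not is_placeholder(secret):
                findings.append(Finding(path, n, rule, secret[:4] + "****"))
            break                         # one finding per line is enough to block
    return findings


def scan_staged(staged):
    """staged: {path: file contents}, i.e. what `git diff --cached` would show."""
    return [f for path, text in staged.items() for f in scan_file(path, text)]


def pre_commit(staged):
    """Return the exit status a hook would use: non-zero blocks the commit."""
    findings = scan_staged(staged)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
    return 1 if findings else 0


# Constructed sample of staged files: three real leaks, two placeholders,
# one encrypted vault file and one explicitly allowlisted line.
STAGED = {
    "src/config.py": 'DB_PASSWORD = "changeme"\nAPI_KEY = "sk-abc123def456ghi789jkl012mno345"\n',
    ".env.example": "API_KEY=<your-api-key>\nDATABASE_URL=postgres://user:password@localhost/db\n",
    ".env.vault": "secret: 3f9ac0b8d1e27744c5e1\n",
    "deploy/credentials": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "docs/testing.md": "token = deadbeefdeadbeef  # envsafe:ignore\n",
}

if __name__ == "__main__":
    raise SystemExit(pre_commit(STAGED))
```

Running it reports three findings (the sk- key, the AWS access key ID and the private key block) and exits 1; the `changeme` and `<your-api-key>` placeholders, the vault file and the allowlisted line are silent. In a real hook the `STAGED` dict would be built from `git diff --cached --name-only` plus `git show :<path>` so that the scan sees what is about to be committed, not what happens to be in the working tree.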
## Commands

| Command | Description |
|---|---|
| init | Initialize envsafe in the current project directory |
| set KEY VALUE | Set an environment variable (supports --secret, --env, --expires) |
| get KEY | Retrieve an environment variable value |
| rm KEY | Remove an environment variable |
| ls | List all environment variables (values masked by default, use --show) |
| run -- CMD | Run a command with secrets injected as environment variables |
| export | Export variables in shell, dotenv, json, docker, or kubernetes format |
| import FILE | Import variables from an existing .env file |
| envs | List all configured environments |
| diff ENV1 ENV2 | Compare variables across two environments with color diff |
| lock | Encrypt vault into a git-safe .env.vault file |
| unlock | Decrypt vault from .env.vault file |
| key export | Export the project encryption key for sharing (anyone holding it can decrypt .env.vault, so hand it over through a secure channel, not chat or email) |
| key import KEY | Import a project encryption key from a team member |
| validate | Validate environment against .envsafe.yaml schema |
| hook install | Install git pre-commit hook to prevent secret leaks |
| hook uninstall | Remove the git pre-commit hook |
| scan | Scan repository for accidentally committed secrets |
| pull PROVIDER | Pull secrets from a cloud provider into the local vault |
| push PROVIDER | Push secrets from the local vault to a cloud provider |
| template | Generate a .env.example template file with placeholder values |
| ui | Open interactive TUI mode for browsing and editing secrets |
| rotate-key | Rotate the project encryption key (backs up old key) |
| audit | View the audit log of all vault operations |
| completions SHELL | Generate shell completions (bash, zsh, fish, powershell) |
| hook-shell SHELL | Print shell hook for automatic directory-based injection |
| man-page | Print the envsafe man page |
| telemetry enable | Enable anonymous usage telemetry |
| telemetry disable | Disable anonymous usage telemetry |
| telemetry status | Show current telemetry status |
| plugin NAME | Run an installed plugin by name |
| plugins | List all discovered plugins |
All commands support --verbose and --debug global flags.
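The export command above targets five formats, and each has its own quoting rules; a value with a space, a quote or a `$` in it is where a naive exporter breaks, and where an `eval` of bad output turns into command execution. The block below is an added example written for this page, not envsafe's exporter: the exact layout of each format is an assumption, and `SAMPLE` is constructed. It renders one variable set in all five formats and proves the shell form round-trips through `/bin/sh`.

```python
"""Render one set of variables in the five export formats the README lists.
Added example, not envsafe's own exporter: the exact output layout is an
assumption; the point is the quoting each format needs so that a value
containing a space, a quote or a $ survives the round trip. SAMPLE is constructed."""
import base64
import json
import shlex
import subprocess

SAMPLE = {
    "DATABASE_URL": "postgres://user:pass@localhost/mydb",
    "API_KEY": "sk-abc123",
    "GREETING": "hello world",
    "TRICKY": "it's $5 `date`",   # would expand or break if emitted unquoted
}


def export_shell(env):
    # shlex.quote single-quotes anything unsafe, so $, backticks and spaces stay literal
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items()))


def export_dotenv(env):
    # Double quotes with backslash escapes; most dotenv loaders read this form
    def quote(v):
        esc = v.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
        return f'"{esc}"'
    return "\n".join(f"{k}={quote(v)}" for k, v in sorted(env.items()))


def export_json(env):
    return json.dumps(dict(sorted(env.items())), indent=2)


def export_docker(env):
    # One --env flag per variable; each KEY=VALUE is quoted so the shell keeps it whole
    return " ".join(f"--env {shlex.quote(f'{k}={v}')}" for k, v in sorted(env.items()))


def export_kubernetes(env, name="app-secrets", namespace="default"):
    # Secret.data must be base64; base64 is encoding, not encryption, so the
    # manifest is exactly as sensitive as the plaintext values it carries
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}",
             f"  namespace: {namespace}", "type: Opaque", "data:"]
    for k, v in sorted(env.items()):
        lines.append(f"  {k}: {base64.b64encode(v.encode()).decode()}")
    return "\n".join(lines) + "\n"


def shell_roundtrip(env, key):
    """Eval the shell export under /bin/sh and read one variable back, proving
    the quoting is correct. Needs a POSIX sh on the host."""
    script = export_shell(env) + f'\nprintf "%s" "${key}"'
    return subprocess.run(["sh", "-c", script], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for fmt in (export_shell, export_dotenv, export_json, export_docker, export_kubernetes):
        print(f"--- {fmt.__name__}\n{fmt(SAMPLE)}")
    assert shell_roundtrip(SAMPLE, "TRICKY") == SAMPLE["TRICKY"]
```

Two things the example makes visible: `eval` of the shell format is only safe when the exporter quotes every value and the caller writes `eval "$(...)"` with the substitution itself quoted; and the docker format puts `KEY=VALUE` pairs on the `docker run` command line, where any local user can read them from `ps` or `/proc`, so for anything sensitive an `--env-file` with mode 0600 is the better target.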
### Export formats

```bash
# Shell (default) -- source directly or use with eval; quote the substitution so values with spaces survive
eval "$(envsafe export --format shell)"

# Dotenv -- standard KEY=VALUE format (plaintext on disk; keep .env out of git)
envsafe export --format dotenv > .env

# JSON -- structured output for programmatic use
envsafe export --format json

# Docker -- generates --env flags for docker run
docker run $(envsafe export --format docker) myimage

# Kubernetes -- generates a Kubernetes Secret manifest
envsafe export --format kubernetes > k8s-secret.yaml
```

Two caveats that apply to any tool, not just EnvSafe: values passed as --env flags are part of the docker run command line and readable by other local users through ps or /proc, so prefer an env file with restrictive permissions for anything sensitive; and a Kubernetes Secret manifest only base64-encodes its values, so treat k8s-secret.yaml as plaintext and never commit it.

### Cloud sync

EnvSafe supports bidirectional sync with major cloud secret managers. Use pull to import secrets into your local vault and push to deploy them.
AWS SSM (requires configured AWS credentials: ~/.aws/credentials, environment variables, or an IAM role):

```bash
envsafe pull aws-ssm --prefix /myapp/prod --env prod
envsafe push aws-ssm --prefix /myapp/prod --env prod
```

HashiCorp Vault (a token exported on the command line lands in your shell history; `vault login`, which stores it in ~/.vault-token, avoids that):

```bash
export VAULT_ADDR="https://vault.example.com"
export VAULT_TOKEN="s.xxxxxxxx"
envsafe pull vault --path secret/data/myapp
envsafe push vault --path secret/data/myapp
```

1Password (requires the 1Password CLI installed and authenticated):

```bash
envsafe pull 1password --vault-name "Development"
envsafe push 1password --vault-name "Development"
```

Google Cloud Secret Manager (authenticate via `gcloud auth application-default login` or a service account key):

```bash
envsafe pull gcp --path projects/my-project/secrets
envsafe push gcp --path projects/my-project/secrets
```
## Config

EnvSafe uses an optional .envsafe.yaml file for project-level configuration and schema validation. This file is safe and recommended to commit to version control: it holds variable names, patterns, descriptions and defaults, never the values themselves, so do not put a real credential in a default.

```yaml
# .envsafe.yaml
required:
  - name: DATABASE_URL
    pattern: "^postgres://"
    description: "PostgreSQL connection string"
  - name: API_KEY
    pattern: "^sk-"
    description: "API key starting with sk-"
  - name: PORT
    type: integer
    default: 3000
  - name: LOG_LEVEL
    description: "Application log level"
    default: "info"
  - name: REDIS_URL
    pattern: "^redis://"
    description: "Redis connection URL"
```

Run envsafe validate to check your environment against this schema:

```
ERROR: DATABASE_URL does not match pattern "^postgres://"
ERROR: API_KEY is missing
WARNING: PORT is not set, using default: 3000
```
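The schema above expresses four rules (required, pattern, type, default), and the three messages show how they combine: a missing variable with a default is a warning, everything else is an error. The block below is an added example of that logic, written for this page and not envsafe's own validate command; the message wording copies the README output, `SCHEMA` is the Python form of the YAML shown above (a real tool would load it with PyYAML), and `SAMPLE_ENV` is a constructed .env file that reproduces exactly those three messages. It also covers the `type: integer` check, which the README output does not exercise.

```python
"""Validator implementing the rules the .envsafe.yaml schema above expresses
(required, pattern, type, default). Added example, not envsafe's own
validate command; the message wording copies the README output. SCHEMA is the
Python form of that YAML (load the real file with PyYAML) and SAMPLE_ENV is a
constructed .env file that reproduces the README's three messages."""
import re

SCHEMA = {"required": [
    {"name": "DATABASE_URL", "pattern": "^postgres://", "description": "PostgreSQL connection string"},
    {"name": "API_KEY", "pattern": "^sk-", "description": "API key starting with sk-"},
    {"name": "PORT", "type": "integer", "default": 3000},
    {"name": "LOG_LEVEL", "description": "Application log level", "default": "info"},
    {"name": "REDIS_URL", "pattern": "^redis://", "description": "Redis connection URL"},
]}

SAMPLE_ENV = """
# constructed sample: wrong DB scheme, API_KEY absent, PORT absent
DATABASE_URL=mysql://user:pass@localhost/mydb
LOG_LEVEL="debug"
export REDIS_URL=redis://localhost:6379
"""

TYPE_CHECKS = {
    "string": lambda v: True,
    "integer": lambda v: re.fullmatch(r"[+-]?\d+", v) is not None,
    "boolean": lambda v: v.lower() in ("true", "false"),
}


def parse_dotenv(text):
    """Small KEY=VALUE reader: skips blanks and comments, drops an optional
    'export ' prefix and one layer of matching quotes. Not a full dotenv parser."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def validate(env, schema):
    """Return (errors, warnings, resolved_env). Missing variables with a
    default are filled in and reported as warnings; everything else that
    fails is an error, so a deploy gate can key off `errors` alone."""
    errors, warnings = [], []
    resolved = dict(env)
    for rule in schema.get("required", []):
        name = rule["name"]
        if env.get(name, "") == "":
            if "default" in rule:
                resolved[name] = str(rule["default"])
                warnings.append(f"WARNING: {name} is not set, using default: {rule['default']}")
            else:
                errors.append(f"ERROR: {name} is missing")
            continue
        value = env[name]
        pattern = rule.get("pattern")
        if pattern and not re.search(pattern, value):
            errors.append(f'ERROR: {name} does not match pattern "{pattern}"')
        vtype = rule.get("type", "string")
        check = TYPE_CHECKS.get(vtype)
        if check is None:
            errors.append(f"ERROR: {name}: unknown type {vtype!r} in schema")
        elif not check(value):
            errors.append(f"ERROR: {name} is not a valid {vtype}: {value!r}")
    return errors, warnings, resolved


def exit_code(errors):
    return 1 if errors else 0


if __name__ == "__main__":
    errs, warns, _ = validate(parse_dotenv(SAMPLE_ENV), SCHEMA)
    print("\n".join(errs + warns))
    raise SystemExit(exit_code(errs))
```

Wiring this into a deploy pipeline means running it against the environment the process will actually receive (the output of the export, or the container's env), not against the vault contents, since that is where a typo in an environment name or a missing --env flag shows up.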
| Layer | Detail |
|---|---|
| Encryption | AES-256-GCM with a unique random nonce for every encryption operation |
| Key Derivation | Argon2id -- resistant to GPU and ASIC brute-force attacks |
| Key Storage | Master keys stored in ~/.config/envsafe/keys/, never inside the project directory |
| Memory Safety | Written in Rust; safe Rust rules out buffer overflows, use-after-free and data races by construction (the usual caveats about unsafe blocks and native dependencies apply) |
| Zeroize | Secret values are zeroized from memory immediately after use |
| At Rest | Vault files are always encrypted on disk. No plaintext storage. |
| In Transit | Cloud sync uses provider-native TLS. No secrets pass through EnvSafe servers. |
| No Server | Everything runs locally or communicates directly with your chosen cloud provider. There is no EnvSafe server. |
| Feature | EnvSafe | dotenvx | direnv | chamber | doppler | 1password-cli |
|---|---|---|---|---|---|---|
| Encrypted local vault | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ |
| Environment profiles | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ |
| Process injection | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Git-safe sharing | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Pre-commit hook | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Secret scanning | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Multi-cloud sync | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ |
| Schema validation | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Interactive TUI | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Plugin system | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Cross-platform binary | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| No external service | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
## Contributing

Contributions are welcome. Please see CONTRIBUTING.md for guidelines on how to get started, submit pull requests, and report issues.

## License

MIT License. See LICENSE for details.
