EnvCrypt CLI
Secure, end-to-end encrypted environment variable management for modern teams.
EnvCrypt CLI is the client-side tool for the EnvCrypt platform. It implements a Zero-Trust architecture where all secrets are encrypted locally on your machine before they are ever sent to the server. This ensures that the server—and anyone with access to it—can never see your raw environment variables.
Features
- End-to-End Encryption: Secrets are encrypted locally using AES-256-GCM. The server only sees ciphertext.
- Zero-Trust Model: Your private key is stored only on your device (in the system keyring).
- Immutable Versioning: Every push creates a new, immutable version. Roll back to any previous state instantly.
- Granular Access Control: Manage access for team members and robustly handle user revocation.
- Service Roles: Securely inject secrets into CI/CD pipelines using dedicated machine identities.
- Cross-Platform: Works on Linux, macOS, and Windows.
Installation
Automated Install (Recommended)
Run the following command to install the latest version:
curl -fsSL https://raw.githubusercontent.com/envcrypts/envcrypt-cli/main/install.sh | bash
Prebuilt Binaries
Download the latest release for your platform from the Releases page.
Building From Source
Requires Go 1.22+:
go install github.com/envcrypts/envcrypt-cli@latest
Ensure your $GOPATH/bin is in your system $PATH.
Quick Start
1. Account Setup
Create an account. This generates a local X25519 keypair and securely stores the private key in your OS keyring.
envcrypt register
envcrypt login
2. Create a Project
Initialize a project. You become the admin and the Project Master Key (PMK) is generated and wrapped for you.
envcrypt create my-app
3. Push Secrets
Encrypt and upload your local .env file.
# Push to 'dev' environment
envcrypt push my-app --env dev --env-file .env
4. Pull Secrets
Decrypt and retrieve secrets on another machine or in production.
# Pull 'dev' secrets to a local .env file
envcrypt pull my-app --env dev
Advanced Usage
Team Management
Grant access to other users. The CLI handles the secure re-wrapping of the Project Master Key for the new user.
envcrypt grant my-app colleague@example.com
Service Roles (CI/CD)
Create restricted machine users for your deployment pipelines.
- Create Role: envcrypt service-role create my-ci-role (Save the output private key!)
- Delegate Access: envcrypt service-role grant my-ci-role my-app dev
- In CI: Use envcrypt ci login with the private key to authenticate.
Rollbacks
Mistake in production? Revert instantly.
envcrypt rollback
Security Architecture
EnvCrypt uses a hybrid cryptosystem:
- Symmetric Encryption: Environment variables are encrypted with a per-project AES-256 key (PMK).
- Key Wrapping: The PMK is encrypted ("wrapped") for each user using their public X25519 key.
- Authentication: All requests are signed and authenticated.
- Local Storage: Private keys never leave your device unencrypted.
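The key-wrapping step above, sketched as an added example using only the Go standard library; it is not EnvCrypt's code or wire format. The page does not specify how the PMK is wrapped, so the ephemeral-static X25519 exchange, the SHA-256 key derivation, the zero nonce, and the names box, WrapPMK and UnwrapPMK are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// box (assumed scheme, not EnvCrypt's): AES-256-GCM under SHA-256(ECDH || ephPub || rcptPub).
func box(priv *ecdh.PrivateKey, peer, ephPub, rcptPub, in []byte, open bool) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer) // rejects keys that are not 32 bytes
	if err != nil {
		return nil, fmt.Errorf("bad public key: %w", err)
	}
	secret, err := priv.ECDH(pub) // rejects low-order points (all-zero shared secret)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append(append(secret, ephPub...), rcptPub...))
	block, _ := aes.NewCipher(k[:]) // neither constructor can fail for a 32-byte key
	g, _ := cipher.NewGCM(block)    // zero nonce below is safe only because k is single-use
	if open {
		return g.Open(nil, make([]byte, g.NonceSize()), in, nil)
	}
	return g.Seal(nil, make([]byte, g.NonceSize()), in, nil), nil
}

// WrapPMK encrypts the PMK to one user's X25519 public key with a fresh ephemeral key.
func WrapPMK(pmk, rcptPub []byte) ([]byte, []byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ct, err := box(eph, rcptPub, eph.PublicKey().Bytes(), rcptPub, pmk, false)
	return eph.PublicKey().Bytes(), ct, err
}

// UnwrapPMK fails for any other private key, or if ephPub or ct was modified.
func UnwrapPMK(ephPub, ct []byte, priv *ecdh.PrivateKey) ([]byte, error) {
	return box(priv, ephPub, ephPub, priv.PublicKey().Bytes(), ct, true)
}

func main() {
	u, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed demo user
	e, ct, _ := WrapPMK(make([]byte, 32), u.PublicKey().Bytes()) // constructed all-zero PMK
	fmt.Println(UnwrapPMK(e, ct, u))
}
```

Under this scheme, granting access means calling WrapPMK once more with the new user's public key, and the server stores only the ephemeral public key and ciphertext for each user.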