Skip to content

tusharkhatriofficial/envkeep

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
.github
.github
 
 
src
src
 
 
.DS_Store
.DS_Store
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
README.md
README.md
 
 
install.ps1
install.ps1
 
 
install.sh
install.sh
 
 

Repository files navigation

envkeep

Your .env files, encrypted locally. No accounts. No cloud. Just works.

StatusQuick StartCommandsWhySecurity


You have 12 projects on your machine. Each has a .env file. Half the secrets are copy-pasted between them. You cannot search across them. You cannot diff them. You cannot back them up. One bad rm -rf and they are gone.

envkeep fixes this in 30 seconds:

envkeep init                                 # set a master password
cd ~/code/my-saas && envkeep add my-saas     # encrypt and store .env
cd ~/code/api && envkeep add api             # again
cd ~/code/landing && envkeep add landing     # and again

# later, new laptop, whatever:
envkeep use my-saas                          # .env restored

Every value is encrypted with AES-256-GCM, stored in an encrypted SQLCipher database, and unlocked with a single master password.

Quick Install

macOS/Linux

curl -fsSL https://raw.githubusercontent.com/tusharkhatriofficial/envkeep/main/install.sh | bash

Windows PowerShell

irm https://raw.githubusercontent.com/tusharkhatriofficial/envkeep/main/install.ps1 | iex

What it looks like

$ envkeep list

  envkeep projects (4)

┌─────────────────┬──────┬──────────┐
│ Project         │ Vars │ Modified │
├─────────────────┼──────┼──────────┤
│ my-saas         │ 28   │ 2h ago   │
│ api             │ 45   │ 3h ago   │
│ landing-page    │ 12   │ 1d ago   │
│ worker          │ 8    │ 2d ago   │
└─────────────────┴──────┴──────────┘

$ envkeep search DATABASE_URL

  Found DATABASE_URL in 3 projects:
  |-- my-saas: postgresql://localhost/saas_dev
  |-- api: postgresql://localhost/api_dev
  |-- worker: postgresql://localhost/worker_dev

$ envkeep inspect my-saas

  Project: my-saas (28 variables)

┌──────────────────┬──────────────────────────────┐
│ Key              │ Value                        │
├──────────────────┼──────────────────────────────┤
│ DATABASE_URL     │ postgresql://localhost/*****  │
│ REDIS_URL        │ redis://localhost:6379/*****  │
│ STRIPE_SECRET_KEY│ ********                     │
│ APP_PORT         │ 3000                         │
│ DEBUG            │ true                         │
└──────────────────┴──────────────────────────────┘

$ envkeep use my-saas
  Wrote 28 variables to .env

Status

envkeep is under active development (v0.2.0-alpha released).

To try it now, build from source:

git clone https://github.com/tusharkhatriofficial/envkeep.git
cd envkeep
cargo build --release
./target/release/envkeep --help

Requires Rust 1.70+ and a C compiler (for SQLCipher). Pre-built binaries and cargo install will be available at first stable release.

Quick start

1. Create your vault

$ envkeep init
  Creating a new vault. Choose a master password.
  Enter master password: --------
  Confirm master password: --------
  Vault created at ~/.envkeep/vault.db

2. Store a project

$ cd ~/code/my-saas
$ envkeep add my-saas
  Added project my-saas with 28 variables

3. Restore it anywhere

$ cd ~/code/my-saas
$ envkeep use my-saas
  Wrote 28 variables to .env

Commands

Core

Command Description
envkeep init Create encrypted vault, set master password
envkeep add <name> Read .env from current directory, encrypt, store
envkeep use <name> Write decrypted .env to current directory
envkeep list List all projects
envkeep remove <name> Delete a project from the vault

Inspect and compare

Command Description
envkeep inspect <name> Show variables with secrets masked
envkeep diff <a> <b> Compare variables between two projects
envkeep search <key> Find which projects use a given key
envkeep unused <name> Find variables not referenced in source code
envkeep validate <name> Check for common mistakes (bad ports, malformed URLs)
envkeep types <name> Infer variable types (string, number, boolean, URL)

Secrets and sharing

Command Description
envkeep secrets set KEY=VALUE Store an encrypted shared secret
envkeep secrets list List all secrets (values masked)
envkeep secrets link <key> <project> Link a shared secret to a project
envkeep sync <from> <to> Copy common variables between projects
envkeep export <name> Export project as encrypted .envvault file
envkeep import <file> Import from .envvault file

Backup and ops

Command Description
envkeep backup Full vault backup (encrypted)
envkeep restore <file> Restore vault from backup
envkeep status Show active project
envkeep recent Switch to recently used project

Terminal UI

$ envkeep tui

Full-screen terminal interface. Navigate projects, edit variables, search across the vault.

+-  envkeep  -----------------------------------+
|  Projects (4)                                  |
|                                                |
|  > my-saas       28 vars    2h ago             |
|    api           45 vars    3h ago             |
|    landing-page  12 vars    1d ago             |
|    worker         8 vars    2d ago             |
|  ------------------------------------------   |
|  /  Search    e  Edit    s  Sync    q  Quit    |
+------------------------------------------------+

Why

Every developer has this problem:

~/code/
  my-saas/.env          # 28 vars, half copy-pasted from api/
  api/.env              # 45 vars, STRIPE_KEY duplicated in 3 places
  landing/.env          # forgot to update DATABASE_URL after migration
  worker/.env           # is this the right REDIS_URL?
  side-project/.env     # what is even in here?

No search. No diff. No backup. Just scattered plaintext files with production credentials in them.

envkeep replaces all of that with one encrypted file:

~/.envkeep/vault.db

Comparison

envkeep Doppler Infisical direnv
Cost Free $20+/mo $10+/mo Free
Storage Local Cloud Cloud .envrc files
Encryption AES-256-GCM + SQLCipher Server-side Server-side None
Account required No Yes Yes No
Cross-project search Yes Limited Limited No
Dead variable detection Yes No No No
Terminal UI Yes No No No

Security

Master Password
      |
      v  PBKDF2-HMAC-SHA256 (100,000 iterations) + random salt
      |
 Derived Key (32 bytes)
      |
      +---> SQLCipher (encrypts entire database file)
      |
      +---> AES-256-GCM (encrypts each variable value individually)
  • Master password is never stored. Only a verification hash derived via PBKDF2.
  • Double encryption. The database file is encrypted with SQLCipher. Each value inside is encrypted separately with AES-256-GCM and a unique nonce.
  • Zero plaintext on disk. Nothing in the vault is ever stored unencrypted.
  • Tamper detection. GCM mode provides authenticated encryption. Any modification to ciphertext is detected and rejected.
  • Cryptography by ring -- the same library behind rustls, Cloudflare, and Fastly.

How it works

envkeep add my-saas:
  1. Read .env from current directory
  2. Parse KEY=VALUE pairs (handles quotes, comments, inline comments)
  3. Encrypt each value individually with AES-256-GCM
  4. Store in ~/.envkeep/vault.db (SQLCipher-encrypted database)

envkeep use my-saas:
  1. Unlock vault with master password
  2. Decrypt each variable
  3. Write .env to current directory

Built with
clap CLI argument parsing
ring AES-256-GCM encryption, PBKDF2 key derivation
rusqlite + SQLCipher Encrypted database
ratatui Terminal UI
rpassword Hidden password input

Contributing

git clone https://github.com/tusharkhatriofficial/envkeep.git
cd envkeep
cargo build
cargo test
cargo run -- init

License

MIT

About

envkeep is a local-first, encrypted CLI + TUI tool for managing .env files across multiple projects. No cloud, no accounts, no SaaS. Just a single encrypted vault on your machine.

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 4

v0.4.0-alpha Latest
Mar 6, 2026
+ 3 releases

Packages

 
 
 

Contributors

Languages