envsecret

Your secrets deserve a safer place

AES-256-GCM encrypted vaults locked in the OS keychain — out of your shell history, off your filesystem as plaintext, and out of reach of AI coding agents.

The problem

.env files were never meant to be a security boundary.

They're plaintext. Any process running on your machine can read your filesystem. Every export KEY=value you type gets saved to shell history. Accidentally commit it once, paste it into a chat message once, and it's out.

You added .env to .gitignore. That stops Git. It doesn't change the fact that the file is sitting there, unencrypted, next to your source code — readable by any tool, script, or AI assistant with filesystem access.

The solution

Encrypted at rest. Invisible at runtime.

envsecret replaces .env files with per-project encrypted vaults. The master key lives in the OS keychain — not on disk. Secrets are never written as plaintext anywhere.

When you run your app with envs run, secrets are injected directly into that process's environment. Your shell is never modified. Your project folder stays clean — no plaintext credentials for anything to find.

Before

shell
# plaintext file sitting next to your source code
source .env && node server.js

After

shell
# encrypted vault, shell untouched, nothing exposed on disk
envs run -- node server.js
Coverage

Three surfaces. All covered.

Secrets can leak through three places. envsecret closes all of them.

01

Files on disk

The vault is AES-256-GCM encrypted. Anyone — or any tool — browsing your project finds vault.enc, a binary blob indistinguishable from random noise without the master key. The master key is in the OS keychain, not on the filesystem.

02

Shell environment

envs run uses syscall.Exec to replace itself with your process. Secrets are injected directly into the child's environment. The parent shell is never modified — printenv before and after sees nothing new.

03

Shell history

There is no export KEY=value command to type. The secret never appears in a command. ~/.bash_history and ~/.zsh_history have nothing to give.

How it works

Three commands. That's it.

1

Initialize a vault

Generates a 256-bit master key, stores it in macOS Keychain or Linux libsecret, creates an encrypted vault at ~/.envsecret/<project>/vault.enc

terminal
envs init
2

Store secrets

Each write re-encrypts the vault with a fresh random salt and IV.

terminal
envs set DATABASE_URL "postgres://user:pass@host/db"
envs set STRIPE_SECRET "sk_live_..."
3

Run your app

envsecret replaces itself with your process. Secrets live only in that process's environment, for the lifetime of that process. Nothing persists in the shell.

terminal
envs run -- node server.js
Features

Everything you need. Nothing you don't.

Safe from AI agents

The vault is encrypted binary on disk. The shell environment is never modified. There is no plaintext file in your project for any agent, script, or MCP tool to stumble upon.

Per-project isolation

Each project gets its own vault and its own master key. Secrets for api-service are completely separate from frontend — different file, different keychain entry, different derived keys.

AES-256-GCM encryption

Authenticated encryption with scrypt key derivation. Fresh salt and IV on every write. Any tampering is detected on load.

OS keychain storage

macOS Keychain and Linux libsecret. The master key is never written to disk, a config file, or an environment variable.

Zero shell pollution

Process replacement via syscall.Exec. No export. No parent process holding secrets. Nothing in history.

Drop-in for dotenv

No application code changes. Replace node -r dotenv/config server.js with envs run -- node server.js.

Bulk import

Migrate an existing project in one command, then delete the plaintext file.

terminal
envs import .env
Who it's for

Built for developers who care about security.

  • You work with AI coding assistants, MCP tools, or automated scripts as part of your day-to-day — and want to make sure your credentials are never sitting as plaintext where they could be picked up.
  • You work on multiple projects and are tired of managing separate .env files, accidentally committing them, or sharing them over Slack.
  • You want a dotenv replacement that requires zero changes to your application code.
Threat model

What's protected. What's not.

envsecret eliminates ambient exposure — plaintext files, shell environment, shell history. It does not protect a compromised runtime.

ThreatProtected
.env files readable on diskYes
Secrets in shell historyYes
printenv / env in sibling processesYes
Secrets leaking between projectsYes — isolated vaults and keys
Accidental .env commit to gitYes
AI agent or script finding plaintext credentials on diskYes
Agent calling os.Getenv inside your running appNo
Root-level /proc inspection or ptraceNo
Compromised OS keychainNo
Quick reference

All commands at a glance.

terminal
envs init                        # create vault, store key in keychain
envs set KEY "value"             # encrypt and store a secret
envs get KEY                     # print a single value to stdout
envs list                        # list key names (values never shown)
envs run -- <command>            # run a command with secrets in its env
envs run --clean -- <command>    # run with only vault vars + PATH
envs import .env                 # bulk import from a .env file
envs rename OLD NEW              # rename a key
envs copy SRC DST                # copy a key to a new name
envs delete KEY                  # remove a key
envs destroy                     # permanently delete a project vault
envs projects                    # list all initialized projects
envs status                      # vault diagnostics, no secrets exposed
Install

Up and running in seconds.

macOS & Linux — one-liner

terminal
curl -fsSL https://raw.githubusercontent.com/julianofirme/envsecret/main/install.sh | bash

From source

terminal
git clone https://github.com/julianofirme/envsecret.git
cd envsecret
go build -o envs .
sudo mv envs /usr/local/bin/

Linux prerequisite: libsecret (libsecret-1-dev on Debian/Ubuntu, libsecret-devel on Fedora).