EnvSeal is a decentralized, local-first, cloud-agnostic secret management tool. Unlike traditional solutions, it does not store your secrets on a central server. Instead, it uses asymmetric cryptography to store encrypted secrets directly in your Git repository (Single Source of Truth) and uses a P2P protocol for the secure distribution of access keys among developers.
- Decentralized Storage: Secrets are stored in your Git repository, eliminating the need for a central server.
- Local-First: Work with your secrets offline and sync changes when you're back online.
- Asymmetric Cryptography: Securely encrypt and decrypt secrets using public/private key pairs.
- P2P Key Distribution: Share access keys securely among team members without relying on a central authority.
- Git Integration: Seamlessly integrates with Git workflows, making it easy to manage secrets alongside your code.
- Cross-Platform: Available on Windows, macOS, and Linux.
You can install EnvSeal CLI using Go:
go install github.com/flootic/envseal/cmd/envseal-cli@latestAlternatively, you can download pre-built binaries from the releases page.
-
Initialize EnvSeal in your Git repository:
cd my-project envseal-cli init -
Set a new secret:
envseal-cli set DATABASE_URL=postgres://user:password@localhost:5432/mydb -
Add a user with their public key:
envseal-cli users add alice <public_key>
-
Rekey the secrets to update access permissions:
envseal-cli rekey --rotate
-
Print all secrets (for debugging purposes):
envseal-cli exec -- printenv | grep SECRET_
After installation, you can start using EnvSeal CLI with the following commands:
envseal-cli init # Initialize EnvSeal in your Git repository
envseal-cli set <key>=<value> # Set a new secret
envseal-cli unset <key> # Remove a secret
envseal-cli users add <user> <public_key> # Add a user with their public key
envseal-cli users remove <user> # Remove a user
envseal-cli join # Request access to a project using p2p (mDNS) and 6-digit code.
envseal-cli rekey [--rotate] # Encrypt secrets and update access permissions
envseal-cli exec -- <command> # Execute a command with secrets injected into the environment
envseal-cli doctor # Check the integrity of your EnvSeal setup
envseal-cli print # Print all secrets in plaintext (for debugging purposes)
envseal-cli whoami # Print the public key of the current identityPrint all commands with envseal-cli --help and get detailed help for each command with envseal-cli <command> --help.
Contributions are welcome! Please read the contributing guidelines for more information on how to get started.
This project is licensed under the Apache License 2.0. See the LICENSE file for details.