Replace plaintext .env files with AES-256-GCM encrypted vault files. No cloud, no infrastructure, no vendor lock-in — just a single Rust binary and a password.
Plaintext .env files are the weakest link in every codebase. And AI tools are making it worse.
cat .env freely.
— AI Security Research, 2025
Your secret values become encrypted at rest. Key names stay readable for easy management.
A complete secrets lifecycle in a single binary. No accounts, no servers, no subscriptions.
--last or --since for compliance.Four commands cover your entire workflow.
Creates an encrypted vault. Auto-imports .env files if found.
Interactive prompt hides input. Each secret gets a unique encryption key.
Decrypt and display. HMAC integrity check runs automatically.
Inject all secrets as env vars into any command. Never touch disk.
The security of Vault. The simplicity of dotenv. The price of open source.
| Feature | .env | SOPS | dotenvx | Infisical | Doppler | EnvVault |
|---|---|---|---|---|---|---|
| Encryption at rest | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Works fully offline | ✓ | Partial | ✓ | ✗ | ✗ | ✓ |
| Audit trail | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| Multiple auth | ✗ | GPG/KMS | Keypair | SSO | SSO | 3 methods |
| Per-env vaults | Manual | Manual | ✓ | ✓ | ✓ | ✓ |
| Key rotation | ✗ | Manual | ✗ | ✓ | ✓ | ✓ |
| Diff environments | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| Infrastructure | None | KMS opt. | None | Server | Cloud | None |
| Price | Free | Free | Free | $72/mo | $230/mo | Free forever |
| Open source | N/A | MPL | BSD | MIT | ✗ | MIT/Apache |
Choose your method. All install the same envvault binary.
# Install from crates.io
cargo install envvault-cli
# With optional features
cargo install envvault-cli --features keyring-store,version-check
# Add the tap and install
brew install whynaidu/tap/envvault
# Auto-detects platform, verifies SHA256
curl -fsSL https://raw.githubusercontent.com/whynaidu/envvault/main/install.sh | sh
# Download pre-built binaries for your platform
Linux x86_64 · Linux ARM64 · macOS x86_64 · macOS ARM64 · Windows x86_64
→ github.com/whynaidu/envvault/releases
Run envvault init in your project. Existing .env files are auto-detected and imported.
Interactive prompt hides input by default. Nothing in your terminal or shell history.
Secrets decrypt in memory and inject as env vars. They never touch disk as plaintext.
Use -e for different environments. Clone, diff, and switch freely.
View the audit log. Rotate your master password — all secrets re-encrypt atomically.
Zero unsafe code. Every decision prioritizes security over convenience.
One install. One command. Zero infrastructure. Your .env files deserve better.