v0.4.0 Released — Cross-platform builds

Your secrets
deserve a vault.

Replace plaintext .env files with AES-256-GCM encrypted vault files. No cloud, no infrastructure, no vendor lock-in — just a single Rust binary and a password.

envvault — zsh
The Problem

Your secrets are exposed.

Plaintext .env files are the weakest link in every codebase. And AI tools are making it worse.

0
Secrets leaked on public GitHub in 2024. 70% remain active today. — GitGuardian 2024 Report
0
Of organizations have plaintext secrets committed in their repositories. — 2025 State of Cloud Security
0
Increase in leak rates from AI coding tools. Agents run cat .env freely. — AI Security Research, 2025
The Fix

One command. Total encryption.

Your secret values become encrypted at rest. Key names stay readable for easy management.

.env Exposed
DATABASE_URL=postgres://admin:s3cret@db:5432/app
API_KEY=sk-live-a1b2c3d4e5f6g7h8i9j0
JWT_SECRET=my-super-secret-jwt-key-2024
STRIPE_KEY=sk_test_EXAMPLE_DO_NOT_USE_1234
AWS_SECRET=wJalrXUtnFEMI/K7MDENG/bPxRfi
dev.vault Encrypted
DATABASE_URL=ENC[AES256:p3x8Kv...mDf2w=]
API_KEY=ENC[AES256:mN7vRq...kQ9sE=]
JWT_SECRET=ENC[AES256:hB4tYn...wL6nA=]
STRIPE_KEY=ENC[AES256:jR2mXp...cV8bK=]
AWS_SECRET=ENC[AES256:qW5eZs...yT3gN=]
Features

Everything you need.
Nothing you don't.

A complete secrets lifecycle in a single binary. No accounts, no servers, no subscriptions.

AES-256-GCM Encryption
Each secret encrypted individually with a unique key derived via HKDF-SHA256 and a random 12-byte nonce. Military-grade authenticated encryption.
// Per-secret key derivation
master_key = Argon2id(password, salt)
secret_key = HKDF(master_key, name)
ciphertext = AES-GCM(secret_key, value)
Triple Auth Methods
Password, keyfile two-factor, or OS keyring auto-unlock. Use one or combine them for layered security.
Zero Infrastructure
No server, no cloud, no Docker. A single binary that works fully offline. Forever.
Per-Environment Vaults
Separate encrypted vault files for dev, staging, and prod. Clone environments, diff between them, and manage each independently with its own password.
$ envvault -e staging set API_KEY
$ envvault diff staging # compare dev vs staging
$ envvault env clone prod # clone to new environment
SQLite Audit Trail
Every vault mutation logged with timestamps. Query with --last or --since for compliance.
Key Rotation
Rotate your master password atomically. All secrets re-encrypted in a single operation.
Import & Export
Import from .env or JSON. Export to any format. Migrate in seconds. No lock-in.
Diff & Compare
Side-by-side comparison between environments. See what's added, removed, or changed.
Cross-Platform
Linux, macOS, Windows. x86_64 and ARM64. Pre-built binaries for every major platform.
How It Works

Productive in 60 seconds.

Four commands cover your entire workflow.

1
envvault init
Initialize

Creates an encrypted vault. Auto-imports .env files if found.

2
envvault set KEY
Store

Interactive prompt hides input. Each secret gets a unique encryption key.

3
envvault get KEY
Retrieve

Decrypt and display. HMAC integrity check runs automatically.

4
envvault run -- cmd
Inject & Run

Inject all secrets as env vars into any command. Never touch disk.

Comparison

More than file tools.
Simpler than platforms.

The security of Vault. The simplicity of dotenv. The price of open source.

Feature .env SOPS dotenvx Infisical Doppler EnvVault
Encryption at rest
Works fully offline Partial
Audit trail
Multiple auth GPG/KMS Keypair SSO SSO 3 methods
Per-env vaults Manual Manual
Key rotation Manual
Diff environments
Infrastructure None KMS opt. None Server Cloud None
Price Free Free Free $72/mo $230/mo Free forever
Open source N/A MPL BSD MIT MIT/Apache
Installation

Install in 10 seconds.

Choose your method. All install the same envvault binary.

# Install from crates.io cargo install envvault-cli # With optional features cargo install envvault-cli --features keyring-store,version-check
# Add the tap and install brew install whynaidu/tap/envvault
# Auto-detects platform, verifies SHA256 curl -fsSL https://raw.githubusercontent.com/whynaidu/envvault/main/install.sh | sh
# Download pre-built binaries for your platform Linux x86_64 · Linux ARM64 · macOS x86_64 · macOS ARM64 · Windows x86_64 → github.com/whynaidu/envvault/releases
Quick Start

Zero to encrypted in 5 minutes.

Initialize your vault

Run envvault init in your project. Existing .env files are auto-detected and imported.

$ envvault init
Vault initialized at .envvault/dev.vault
i Detected .env — imported 4 secrets

Add secrets securely

Interactive prompt hides input by default. Nothing in your terminal or shell history.

$ envvault set DATABASE_URL
Enter value: ••••••••••••
Stored (AES-256-GCM encrypted)

Run with injected secrets

Secrets decrypt in memory and inject as env vars. They never touch disk as plaintext.

$ envvault run -- node server.js
i Injecting 5 secrets...
Server running on :3000

Manage environments

Use -e for different environments. Clone, diff, and switch freely.

$ envvault -e staging set API_KEY
$ envvault diff staging
$ envvault env clone prod

Audit & rotate

View the audit log. Rotate your master password — all secrets re-encrypt atomically.

$ envvault audit --last 10
$ envvault rotate-key
Key rotated, 5 secrets re-encrypted
Security

Built on proven primitives.

Zero unsafe code. Every decision prioritizes security over convenience.

AES-256-GCM
Authenticated encryption with random 12-byte nonces. Per-secret keys via HKDF-SHA256 for defense in depth.
Argon2id KDF
Memory-hard key derivation (64 MB, 3 iterations, 4 lanes). GPU-resistant by design. Prevents brute-force.
HMAC-SHA256 Integrity
Full vault integrity check detects tampering. Constant-time comparison prevents timing side-channels.
Memory Safety
All keys zeroized after use. Zero unsafe blocks. Written in Rust with full memory safety guarantees.
Atomic Writes
Temp file + rename pattern. Your vault is never in a partially-written state, even on crash.
Git Hook Scanning
Pre-commit hook detects leaked secrets before they reach your repository. Defense at the source.

Stop leaking secrets.
Start encrypting today.

One install. One command. Zero infrastructure. Your .env files deserve better.