@ankastudio/envar
v0.3.2
Published
Encrypted environment variable manager for Cloudflare Workers
Maintainers
Readme
@ankastudio/envar
Encrypted environment variable manager for Cloudflare Workers.
Installation
npm install -g @ankastudio/envarQuick Start
# 1. Create a project (requires master key)
envar --api-url=https://your-worker.workers.dev \
--master-key=your-master-key \
project create myproject
# 2. Create an environment
envar --api-url=https://your-worker.workers.dev \
--api-key=sk_xxx \
--prj=myproject \
env create uat
# 3. Set secrets (encrypted client-side)
envar --api-url=https://your-worker.workers.dev \
--api-key=sk_xxx \
--enc-key=your-encryption-key \
--prj=myproject \
--env=uat \
set DB_URL=postgres://localhost/mydb \
API_KEY=abc123
# 4. Run command with secrets as env vars
envar --api-url=https://your-worker.workers.dev \
--api-key=sk_xxx \
--enc-key=your-encryption-key \
--prj=myproject \
--env=uat \
run -- npm run deploy:uat
# 5. Or write a .env file
envar --api-url=https://your-worker.workers.dev \
--api-key=sk_xxx \
--enc-key=your-encryption-key \
--prj=myproject \
--env=uat \
--as=.envCommands
| Command | Description |
|---------|-------------|
| envar project create <name> | Create a new project |
| envar env create <name> | Create a new environment |
| envar set KEY=VALUE | Set a secret (encrypted) |
| envar get KEY | Get a secret (decrypted) |
| envar run -- <command> | Run command with secrets as env vars |
| envar --as=.env | Write secrets to .env file |
Global Options
| Option | Env Var | Description |
|--------|---------|-------------|
| --api-url | ENVAR_API_URL | Server URL (required) |
| --api-key | ENVAR_API_KEY | Project API key |
| --master-key | ENVAR_MASTER_KEY | Master key (for project creation) |
| --enc-key | ENVAR_ENCRYPTION_KEY | Encryption key |
| --prj | ENVAR_PROJECT | Project name |
| --env | ENVAR_ENV | Environment name |
| --as | — | Write to .env file instead of running |
Configuration
You can set defaults in ~/.config/envar/config.toml:
[default]
api_url = "https://your-worker.workers.dev"
master_key = "your-master-key"
api_key = "sk_xxx"
encryption_key = "your-encryption-key"Or use environment variables:
export ENVAR_API_URL="https://your-worker.workers.dev"
export ENVAR_API_KEY="sk_xxx"
export ENVAR_MASTER_KEY="your-master-key"
export ENVAR_ENCRYPTION_KEY="your-encryption-key"Priority order: flag > environment variable > config file
CI/CD Usage
# GitLab CI example
deploy:
script:
- npm install -g @ankastudio/envar
- envar --prj=myproject --env=prod run -- npm run deploy
variables:
ENVAR_API_URL: $ENVAR_API_URL
ENVAR_API_KEY: $ENVAR_API_KEY
ENVAR_ENCRYPTION_KEY: $ENVAR_ENCRYPTION_KEYSecurity
- Secrets are encrypted client-side with ChaCha20-Poly1305
- Server never sees plaintext secrets
- Each project has its own API key
- Master key is required for project creation only
