@gwardo420/envvault
v1.0.1
Encrypted environment variable vault for teams. Local-first, zero cloud, pure crypto.
envvault
encrypted environment variables for teams. local-first, zero cloud, pure crypto.
npm install -g @gwardo420/envvault
why
your .env files are a mess. they're in slack dms, in notion pages, in random gists. someone always has the wrong version. someone always pushes one to git by accident.
envvault encrypts your secrets locally with AES-256-GCM. the encrypted vault file lives in your repo — safe to commit. your team shares a password to decrypt. no cloud, no accounts, no vendor lock-in.
features
- AES-256-GCM encryption with scrypt key derivation
- local-first — your secrets never leave your machine unencrypted
- team sharing via encrypted envvault.shared file (commit it to git)
- zero dependencies beyond commander (3 packages total)
- .env import/export — drop-in compatible with existing workflows
- envvault run — inject secrets into any command's environment
- password rotation without re-creating secrets
- git-safe — auto-updates .gitignore to prevent leaks
quickstart
# install
npm install -g @gwardo420/envvault
# initialize vault in your project
cd my-project
envvault init
# add secrets
envvault set API_KEY=sk-xxx DATABASE_URL=postgres://...
envvault set STRIPE_KEY=sk_live_xxx REDIS_URL=redis://localhost
# list secrets (values are masked)
envvault list
# export to .env file
envvault export > .env
# run your app with secrets injected
envvault run -- npm start
envvault run -- node server.js
team sharing
the whole point. one person sets up the vault, shares it with the team.
# team lead: create encrypted shared vault
envvault share
# this creates envvault.shared — commit it to git
git add envvault.shared
git commit -m "add shared vault"
git push
# teammate: clone repo and pull secrets
git pull
envvault pull
# enter team password when prompted
# create a personal password for your local copy
the team password is shared separately — signal, 1password, in-person. never in git.
commands
| command | description |
|---------|-------------|
| envvault init | initialize a new vault |
| envvault set KEY=VALUE | set one or more secrets |
| envvault get KEY | get a secret (masked by default) |
| envvault get KEY --show | get a secret (revealed) |
| envvault list | list all secret keys with metadata |
| envvault delete KEY | delete a secret |
| envvault export | export secrets as .env format |
| envvault import .env | import secrets from a .env file |
| envvault share | create encrypted shared vault for team |
| envvault pull | pull secrets from shared vault |
| envvault rotate | change vault password |
| envvault run -- <cmd> | run command with secrets injected |
how it works
┌─────────────────────────────────────────────────┐
│ your machine                                    │
│                                                 │
│  ┌──────────────┐      ┌───────────────────┐    │
│  │ .envvault/   │      │ envvault.shared   │    │
│  │  vault.enc   │      │ (encrypted with   │    │
│  │  config.json │      │  team password)   │    │
│  └──────────────┘      └───────────────────┘    │
│         │                        │              │
│         │ AES-256-GCM            │ AES-256-GCM  │
│         │ personal password      │ team password│
│         ▼                        ▼              │
│  ┌─────────────────────────────────────────┐    │
│  │ plaintext secrets                       │    │
│  │ API_KEY=sk-xxx                          │    │
│  │ DATABASE_URL=postgres://...             │    │
│  └─────────────────────────────────────────┘    │
└─────────────────────────────────────────────────┘
encryption details:
- algorithm: AES-256-GCM
- key derivation: scrypt (N=16384, r=8, p=1)
- salt: 32 bytes random per encryption
- IV: 16 bytes random per encryption
- auth tag: 16 bytes
file structure
my-project/
├── .envvault/          # gitignored — local encrypted vault
│   ├── vault.enc       # encrypted secrets
│   └── config.json     # project config + password hash
├── envvault.shared     # commit this — encrypted team vault
├── .gitignore          # auto-updated by envvault
└── ...
workflow examples
solo developer
envvault init
envvault set API_KEY=sk-xxx
envvault export > .env
# .env is gitignored, vault is safe
team project
# lead sets up vault
envvault init
envvault set API_KEY=sk-xxx DB_URL=postgres://...
envvault share # creates envvault.shared
git add envvault.shared && git push
# teammate joins
git pull
envvault pull # enter team password
envvault run -- npm start
ci/cd
# in your CI pipeline
envvault export --password "$VAULT_PASSWORD" > .env
# or inject directly
envvault run --password "$VAULT_PASSWORD" -- npm test
security model
- vault password never stored — only a hash for verification
- team password shared out-of-band (signal, 1password, etc.)
- .envvault/ directory is gitignored (local secrets stay local)
- envvault.shared is safe to commit (encrypted)
- no telemetry — envvault doesn't phone home
- no cloud — everything stays on your machine and your git repo
comparison
| | envvault | doppler | infisical | 1password | plain .env |
|---|---|---|---|---|---|
| cloud required | no | yes | optional | yes | no |
| account required | no | yes | yes | yes | no |
| free tier | always | limited | limited | limited | n/a |
| team sharing | git | web | web | web | slack dm |
| encryption | AES-256 | their infra | their infra | their infra | none |
| vendor lock-in | none | high | medium | high | none |
requirements
- node.js >= 18
license
MIT
