npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@jawadboulmal/envault

v3.3.0

Published

Zero-cloud, git-native .env encryption for teams

Downloads

812

Readme

envault

Zero-cloud, git-native .env encryption for teams. Share secrets securely through your existing Git repository - no third-party services, no monthly fees, no DevOps overhead.

envault share
⚡ envault | Encrypting .env for Team
──────────────────────────────────────────────────
  ✔ Found 3 registered peer(s)
  · Read 12 variable(s) from .env
  · Encrypting with AES-256-GCM + RSA-4096-OAEP...
  ✔ Target file: .env  →  Saved as: .env.enc
  ✔ Git status: Verified .env is securely in .gitignore

  🚀 Ready to commit! Run: git add .env.enc .envault.json && git commit

Why envault?

Most teams share .env files over Slack, email, or DMs - which is a serious security risk. Cloud secret managers like Doppler or 1Password Teams solve this but add cost and infrastructure.

envault lives entirely on your machines. Your secrets never touch a server.


How it works

envault uses hybrid encryption:

  1. A random AES-256-GCM key encrypts your .env file content
  2. That AES key is then encrypted separately with each teammate's RSA-4096 public key
  3. Everything is saved into .env.enc - safe to commit to Git

To decrypt, a teammate uses their private key to unwrap the AES key, then decrypts the content. No private key ever leaves anyone's machine.

.env (plaintext)
   │
   ▼
AES-256-GCM encryption  ←  random key generated per share
   │
   ▼
.env.enc  +  [ RSA-encrypted key packet per teammate ]
                │
                ▼
          safe to commit to Git

Installation

The installer handles everything automatically - including Node.js if it is not already on your machine.

Windows (PowerShell)

irm https://jawadboulmal.com/envault/install.ps1 | iex

macOS / Linux

curl -fsSL https://jawadboulmal.com/envault/install.sh | sh

Manual (if you already have Node.js v18+)

npm install -g @jawadboulmal/envault

Quick Start

1. Generate your key pair

envault init

This creates your private key at ~/.config/envault/key.pem and prints your public key. Share the public key with your teammates - keep the private key to yourself.

2. Register your teammates' public keys

envault add-peer alice

Paste Alice's public key when prompted. No file needed - just copy and paste.

You can also pass a file path:

envault add-peer alice alice.pem

3. Encrypt your .env

envault share

Creates .env.enc (encrypted, safe to commit) and automatically adds .env to .gitignore.

4. Commit the encrypted file

git add .env.enc .envault.json
git commit -m "chore: update encrypted env"

5. Teammates decrypt after pulling

git pull
envault unlock

Generates a fresh .env on their machine from the encrypted file.


Commands

| Command | Description | |---|---| | envault init | Generate a new RSA-4096 key pair for this machine | | envault add-peer <name> [file] | Register a teammate's public key | | envault list-peers | Show all registered peers | | envault remove-peer <name> | Remove a peer from the registry | | envault share | Encrypt .env for all registered peers | | envault unlock | Decrypt .env.enc into a local .env |


Workflow A to Z

One-time setup - each person does this once

1. Install

Windows:

irm https://jawadboulmal.com/envault/install.ps1 | iex

macOS / Linux:

curl -fsSL https://jawadboulmal.com/envault/install.sh | sh

2. Generate your key pair

envault init

Creates your private key at ~/.config/envault/key.pem - never share this. Prints your public key in the terminal - this is what you share with teammates.


Setting up a project - the team lead does this

3. Add every teammate as a peer

envault add-peer alice
envault add-peer bob
envault add-peer jawad

Each teammate sends you their public key (from their envault init output), you paste it when prompted.

4. Encrypt and commit

envault share
git add .env.enc .envault.json
git commit -m "chore: init encrypted env"
git push

A new teammate joins

# 1. They generate their key pair on their machine
envault init

# 2. They send you their public key

# 3. You add them as a peer
envault add-peer newguy

# 4. You re-encrypt so they get access
envault share
git add .env.enc .envault.json
git commit -m "chore: add newguy to envault"
git push

# 5. They pull and unlock
git pull
envault unlock

Daily workflow - someone updates the .env

# Developer A updates their .env and shares it
envault share
git add .env.enc
git commit -m "chore: update env secrets"
git push

# Developer B pulls and unlocks
git pull
envault unlock
# → asked: ".env exists, overwrite? (a .env.backup will be saved first)"
# → .env.backup is created automatically, then .env is updated

If something looks wrong after unlocking, your previous .env is always saved as .env.backup.


Someone leaves the team

# Remove them from the registry
envault remove-peer alice

# Re-encrypt - they can no longer decrypt future .env.enc files
envault share
git add .env.enc .envault.json
git commit -m "chore: remove alice from envault"
git push

Note: They still have old versions of .env.enc in git history. If the secrets are sensitive, rotate the actual credentials too.


Quick reference

| Command | When to use | |---|---| | envault init | Once per machine | | envault add-peer <name> | When onboarding someone | | envault remove-peer <name> | When someone leaves | | envault list-peers | To see who has access | | envault share | After changing .env or the peer list | | envault unlock | After git pull when .env.enc changed |


What goes where

Git repository        Your machine only
──────────────        ─────────────────
.env.enc        ✅    .env                          ❌
.envault.json   ✅    .env.backup                   ❌
                      ~/.config/envault/key.pem     ❌

Files

| File | Committed? | Description | |---|---|---| | .env | ❌ Never | Your plaintext secrets | | .env.enc | ✅ Yes | Encrypted secrets - safe to commit | | .envault.json | ✅ Yes | Peer registry (public keys only) | | ~/.config/envault/key.pem | ❌ Never | Your private key (lives on your machine only) |


Security

  • Zero-knowledge - no server, API, or network request ever sees your secrets or private key
  • AES-256-GCM - authenticated symmetric encryption for the .env content
  • RSA-4096-OAEP - asymmetric encryption for the key exchange
  • Private key is local-only - stored at ~/.config/envault/key.pem with 600 permissions
  • .env is gitignored automatically - envault enforces this on every share

License

MIT