@jawadboulmal/envault
v3.3.0
Published
Zero-cloud, git-native .env encryption for teams
Downloads
812
Maintainers
Readme
envault
Zero-cloud, git-native .env encryption for teams. Share secrets securely through your existing Git repository - no third-party services, no monthly fees, no DevOps overhead.
envault share⚡ envault | Encrypting .env for Team
──────────────────────────────────────────────────
✔ Found 3 registered peer(s)
· Read 12 variable(s) from .env
· Encrypting with AES-256-GCM + RSA-4096-OAEP...
✔ Target file: .env → Saved as: .env.enc
✔ Git status: Verified .env is securely in .gitignore
🚀 Ready to commit! Run: git add .env.enc .envault.json && git commitWhy envault?
Most teams share .env files over Slack, email, or DMs - which is a serious security risk. Cloud secret managers like Doppler or 1Password Teams solve this but add cost and infrastructure.
envault lives entirely on your machines. Your secrets never touch a server.
How it works
envault uses hybrid encryption:
- A random AES-256-GCM key encrypts your
.envfile content - That AES key is then encrypted separately with each teammate's RSA-4096 public key
- Everything is saved into
.env.enc- safe to commit to Git
To decrypt, a teammate uses their private key to unwrap the AES key, then decrypts the content. No private key ever leaves anyone's machine.
.env (plaintext)
│
▼
AES-256-GCM encryption ← random key generated per share
│
▼
.env.enc + [ RSA-encrypted key packet per teammate ]
│
▼
safe to commit to GitInstallation
The installer handles everything automatically - including Node.js if it is not already on your machine.
Windows (PowerShell)
irm https://jawadboulmal.com/envault/install.ps1 | iexmacOS / Linux
curl -fsSL https://jawadboulmal.com/envault/install.sh | shManual (if you already have Node.js v18+)
npm install -g @jawadboulmal/envaultQuick Start
1. Generate your key pair
envault initThis creates your private key at ~/.config/envault/key.pem and prints your public key. Share the public key with your teammates - keep the private key to yourself.
2. Register your teammates' public keys
envault add-peer alicePaste Alice's public key when prompted. No file needed - just copy and paste.
You can also pass a file path:
envault add-peer alice alice.pem3. Encrypt your .env
envault shareCreates .env.enc (encrypted, safe to commit) and automatically adds .env to .gitignore.
4. Commit the encrypted file
git add .env.enc .envault.json
git commit -m "chore: update encrypted env"5. Teammates decrypt after pulling
git pull
envault unlockGenerates a fresh .env on their machine from the encrypted file.
Commands
| Command | Description |
|---|---|
| envault init | Generate a new RSA-4096 key pair for this machine |
| envault add-peer <name> [file] | Register a teammate's public key |
| envault list-peers | Show all registered peers |
| envault remove-peer <name> | Remove a peer from the registry |
| envault share | Encrypt .env for all registered peers |
| envault unlock | Decrypt .env.enc into a local .env |
Workflow A to Z
One-time setup - each person does this once
1. Install
Windows:
irm https://jawadboulmal.com/envault/install.ps1 | iexmacOS / Linux:
curl -fsSL https://jawadboulmal.com/envault/install.sh | sh2. Generate your key pair
envault initCreates your private key at ~/.config/envault/key.pem - never share this.
Prints your public key in the terminal - this is what you share with teammates.
Setting up a project - the team lead does this
3. Add every teammate as a peer
envault add-peer alice
envault add-peer bob
envault add-peer jawadEach teammate sends you their public key (from their envault init output), you paste it when prompted.
4. Encrypt and commit
envault share
git add .env.enc .envault.json
git commit -m "chore: init encrypted env"
git pushA new teammate joins
# 1. They generate their key pair on their machine
envault init
# 2. They send you their public key
# 3. You add them as a peer
envault add-peer newguy
# 4. You re-encrypt so they get access
envault share
git add .env.enc .envault.json
git commit -m "chore: add newguy to envault"
git push
# 5. They pull and unlock
git pull
envault unlockDaily workflow - someone updates the .env
# Developer A updates their .env and shares it
envault share
git add .env.enc
git commit -m "chore: update env secrets"
git push
# Developer B pulls and unlocks
git pull
envault unlock
# → asked: ".env exists, overwrite? (a .env.backup will be saved first)"
# → .env.backup is created automatically, then .env is updatedIf something looks wrong after unlocking, your previous
.envis always saved as.env.backup.
Someone leaves the team
# Remove them from the registry
envault remove-peer alice
# Re-encrypt - they can no longer decrypt future .env.enc files
envault share
git add .env.enc .envault.json
git commit -m "chore: remove alice from envault"
git pushNote: They still have old versions of
.env.encin git history. If the secrets are sensitive, rotate the actual credentials too.
Quick reference
| Command | When to use |
|---|---|
| envault init | Once per machine |
| envault add-peer <name> | When onboarding someone |
| envault remove-peer <name> | When someone leaves |
| envault list-peers | To see who has access |
| envault share | After changing .env or the peer list |
| envault unlock | After git pull when .env.enc changed |
What goes where
Git repository Your machine only
────────────── ─────────────────
.env.enc ✅ .env ❌
.envault.json ✅ .env.backup ❌
~/.config/envault/key.pem ❌Files
| File | Committed? | Description |
|---|---|---|
| .env | ❌ Never | Your plaintext secrets |
| .env.enc | ✅ Yes | Encrypted secrets - safe to commit |
| .envault.json | ✅ Yes | Peer registry (public keys only) |
| ~/.config/envault/key.pem | ❌ Never | Your private key (lives on your machine only) |
Security
- Zero-knowledge - no server, API, or network request ever sees your secrets or private key
- AES-256-GCM - authenticated symmetric encryption for the
.envcontent - RSA-4096-OAEP - asymmetric encryption for the key exchange
- Private key is local-only - stored at
~/.config/envault/key.pemwith600permissions .envis gitignored automatically - envault enforces this on everyshare
License
MIT
