v1.0 beta โ€” Now available

Secrets that never touch disk

Store environment secrets in your OS native credential store. Not in dotfiles. Not in plaintext. Not in the cloud. Just your Keychain, your rules.

Get startedRead the docs
Terminal
$

Features

Everything you need.
Nothing you don't.

OS-Native Encryption

Secrets live in macOS Keychain, GNOME Keyring, or Windows Credential Manager. Zero custom crypto.

Cross-Platform

Works on macOS, Linux, and Windows. The right backend is selected automatically.

Glob Search

Search contexts and secrets with glob patterns. Find what you need instantly.

.env Import/Export

Generate .env files or import from them. Bridge between envsec and your existing workflow.

Secret Interpolation

Run commands with {key} placeholders. Secrets are injected as env vars โ€” never in ps output.

Expiry & Audit

Set expiry durations on secrets. Audit across contexts to catch expired or expiring credentials.

GPG Sharing

Encrypt secrets for team members with GPG. Share securely without Slack or email.

Shell Completions

Tab completions for bash, zsh, fish, and PowerShell. Feels native in every shell.

Architecture

Your OS is the vault

envsec delegates encryption to battle-tested credential stores. Metadata (key names, timestamps) lives in a local SQLite database โ€” values never do.

envsec CLI
Metadata
SQLite (key names only)
Secret Values
OS Credential Store
OSBackendTool
๐ŸŽmacOSKeychainsecurity CLI
๐ŸงLinuxSecret Service (D-Bus)secret-tool
๐ŸชŸWindowsCredential Managercmdkey + PowerShell

Install

Ready in seconds

One command. No config. Node.js 18+ required.

$npm install -g envsec