ββββββββββββ ββββββ ββββββ βββ
βββββββββββββ ββββββ βββββββ ββββ
ββββββ ββββββ ββββββ βββ βββββββ
ββββββ ββββββββββββββ ββββ βββββ
βββββββββββ ββββββ βββββββ βββ
βββββββββββ βββββ βββββ βββ
Smart .env manager for developers
Every developer has been here:
- π
Accidentally committed
.envto GitHub - π° Sent API keys over Slack "just this once"
- π€ Lost track of which secrets are in dev vs production
- π€¦
.env.exampleis 3 months out of date
envy fixes all of this. One CLI tool. AES-256 encryption. Zero config.
- π AES-256-GCM encryption β military-grade, password-derived keys
- π Multi-environment β dev, staging, prod, any custom environment
- π Git audit β scan your entire git history for leaked secrets
- π Smart diff β compare environments to spot missing/mismatched keys
- π₯ Import/Export β seamlessly convert from/to plain
.envfiles - π Single binary β no runtime, no Docker, no dependencies
- β‘ Fast β written in Go, instant startup
macOS / Linux (one line):
curl -fsSL https://raw.githubusercontent.com/anastanveer653/envy/main/install.sh | bashHomebrew:
brew install user/tap/envyGo:
go install github.com/anastanveer653/envy@latestWindows: Download from releases page
# 1. Initialize in your project
cd my-project
envy init
# 2. Add your secrets
envy set DATABASE_URL postgres://localhost/mydb
envy set API_KEY sk-abc123 --env production
# 3. List secrets (values safely masked)
envy list
envy list --env production
# 4. Get a secret
envy get DATABASE_URL
# 5. Export to .env file when needed
envy export --env production --output .env| Command | Description |
|---|---|
envy init |
Initialize envy in your project |
envy set KEY value |
Store an encrypted secret |
envy get KEY |
Retrieve a secret value |
envy list |
List all keys (values masked) |
envy delete KEY |
Delete a secret |
envy diff dev prod |
Compare two environments |
envy push <env> |
Export secrets to .env.<env> file |
envy pull <env> |
Import from .env.<env> file |
envy import |
Import from existing .env file |
envy export |
Export to plain .env file |
envy audit |
Scan git history for leaked secrets |
Your Secret β PBKDF2 Key Derivation β AES-256-GCM Encryption β .envy/store.enc
β
Master Password
(never stored)
- Your master password is never stored β only a hash for verification
- Each secret is encrypted using a unique salt + PBKDF2 key derivation
- AES-256-GCM provides both encryption and authentication
- The store file is safe to commit to version control (optional)
| Feature | envy | dotenv | direnv | 1Password CLI |
|---|---|---|---|---|
| Encryption | β AES-256 | β | β | β |
| Multi-environment | β | β | β | β |
| Git audit | β | β | β | β |
| Env diff | β | β | β | β |
| Single binary | β | β | β | β |
| Free & open source | β | β | β | β |
| No cloud required | β | β | β | β |
- AES-256-GCM β authenticated encryption, detects tampering
- PBKDF2 β 100,000 iterations, makes brute force infeasible
- Unique salt per store β prevents rainbow table attacks
- Zero network requests β everything stays on your machine
- File permissions β store written as
0600(owner read/write only)
To report a security vulnerability, please email security@example.com (do not open a public issue).
Contributions are welcome! Please read CONTRIBUTING.md first.
git clone https://github.com/anastanveer653/envy
cd envy
go mod download
go build .
./envy --helpMIT Β© Anas Tanveer
If envy saves you from a secret leak, consider giving it a β