Secure, centralized environment variable management for the AI coding era
๐ Website ยท ๐ฆ PyPI ยท ๐ค AI agent guide
The reality of AI-powered development: project explosion
Working with Claude Code, Cursor, Gemini CLI, or Windsurf? You know the drill:
- ๐ Today: 3 new demos
- ๐ฏ Tomorrow: 5 more repos
- ๐ Each one:
.env,.env.dev,.env.prod
Then what happens?
- ๐ Migration Pain: Switching machines? The hardest part isn't codeโit's "where are all those .env files?"
- ๐ Sync Chaos: Updated
DATABASE_URLin project A, forgot about project B โ ๏ธ Leakage Risk: AI screenshots, logs, and shares easily expose secrets- ๐ซ Onboarding Nightmare: New developer clones in 30 seconds, spends 3 hours hunting for credentials
EnvSeal's Solution:
Scan repos โ Normalize .env โ Encrypt with SOPS โ Unified Git vault โ One-command recovery
EnvSeal is a CLI tool that helps you manage .env files across multiple repositories with end-to-end encryption. It scans your projects, normalizes environment files, and syncs them to a Git-backed vault using SOPS encryption.
Key Benefits:
- ๐ Secure: SOPS + age encryption (modern, battle-tested)
- ๐ฆ Centralized: One vault for all secrets across unlimited projects
- ๐ Safe Diffs: Key-only diffs never expose values
- ๐ Version Control: Full Git history for audit and rollback
- ๐ Simple: One command to sync everything
- ๐ป Multi-Device: Restore entire dev environment in minutes
graph LR
Dev((Developer))
CLI[EnvSeal CLI]
Repos[[Projects<br/>.env* files]]
Vault[(Private secrets-vault<br/>Git repo)]
Dev -->|init / push / pull| CLI
CLI -->|scan & normalize .env*| Repos
CLI -->|encrypt via SOPS+age| Vault
Vault -->|pull decrypt| CLI
CLI -->|write .env to temp or project| Dev
- ๐ค AI Coding / Vibe Coding: Using Claude Code/Cursor? Manage 10+ projects without env chaos
- ๐ป Multi-Device Development: Work laptop โ Home desktop โ GitHub Codespaces
- ๐ Environment Migration: New machine? One command restores all project secrets
- ๐ฅ Team Collaboration: Share secrets securely via private vault (supports multiple age keys)
- ๐ Secret Rotation: Git history tracks "who changed what key and why"
Most encrypted-dotenv tools manage one repo or run as a hosted service. EnvSeal's niche is the opposite: many local repositories, one self-hosted Git vault, no server, no account.
| EnvSeal | dotenvx | SOPS (alone) | dotenv-vault | Doppler / Infisical | |
|---|---|---|---|---|---|
| Multi-repo, one central vault | โ scans N repos | โ per-repo | โ manual | โ per-repo | โ (hosted) |
| Encryption | SOPS + age | built-in | SOPS + age/KMS | proprietary | hosted service |
| Needs a server / account | โ no | โ no | โ no | โ yes | โ yes |
| Storage | your Git repo | your repo | your repo | their cloud | their cloud |
| Key-only diffs (no values) | โ | โ | โ | โ | โ |
| One-command machine restore | โ
pull |
โ | โ | โ | โ |
| Shareable key-only HTML report | โ
report |
โ | โ | โ | โ |
| Cost | free / OSS | free / OSS | free / OSS | freemium | paid tiers |
Pick EnvSeal if you have many small projects (the AI-coding reality) and want one encrypted, Git-versioned vault you fully own โ no SaaS, no lock-in.
EnvSeal is built for the AI-coding workflow โ so make your agent
EnvSeal-aware. Paste this into the project's agent-instructions file
(CLAUDE.md, AGENTS.md, .cursorrules, โฆ) and the agent will fetch
secrets itself instead of stalling or inventing fake keys:
## Secrets & environment variables
This project's `.env*` files are not committed โ they are managed with
EnvSeal (encrypted in a separate vault).
- Create the local `.env`: `envseal pull <PROJECT> --env local --replace`
- After editing a secret, sync it back: `envseal push --commit`
- See which keys exist without decrypting: `envseal list`
- Never commit `.env*`, never print secret values into chat or logs.More ready-to-paste prompts โ onboarding a machine, restoring on a new laptop, browsing keys โ are in docs/ai-agents.md.
Step 1: Create Your Secrets Vault Repository
-
Go to GitHub and create a new private repository
- Repository name suggestions:
secrets-vaultormy-secrets โ ๏ธ Must be Private- Don't add README, .gitignore, etc. (create empty repo)
- Repository name suggestions:
-
Clone it locally:
# Replace USERNAME with your GitHub username # Replace secrets-vault with your repository name cd ~/Github # Or wherever you keep your code git clone git@github.com:USERNAME/secrets-vault.git
Step 2: Locate Your "Projects Root Directory"
This is the folder that contains all your projects, for example:
~/Github/ โ This is your "root directory"
โโโ my-api/ โ Project 1 (has .env files)
โโโ my-web/ โ Project 2 (has .env files)
โโโ my-worker/ โ Project 3 (has .env files)
โโโ secrets-vault/ โ Your vault repo you just created
Step 3: Install and Initialize EnvSeal
Continue with the steps below ๐
# macOS
brew install age sops
# Verify installation
age-keygen --version
sops --version# Install with pipx (recommended)
pipx install envseal-vault
# Or with pip
pip install envseal-vault
# Verify
envseal --version# Navigate to your "projects root directory" (the folder containing all your projects)
cd ~/Github # Replace with your actual directory, e.g., ~/projects or ~/code
# Run initialization
envseal initDuring initialization, it will:
- โ Generate an age encryption key
- ๐ Scan current directory for all Git repositories (finds my-api, my-web, etc.)
- ๐ Create configuration at
~/.config/envseal/config.yaml - ๐๏ธ Ask for your vault path (enter:
~/Github/secrets-vault)
# Push all .env files to vault (encrypted)
envseal push
# Commit to YOUR secrets vault (the private repo you created)
cd ~/Github/secrets-vault # Your vault repo, NOT the envseal tool repo
git add .
git commit -m "Add encrypted secrets"
git pushenvseal statusOutput:
๐ Checking secrets status...
my-project
โ .env - up to date
โ .env.prod - 3 keys changed
api-service
+ .env - new file (not in vault)
โ .env.prod - up to date
# Interactively select and update changed secrets
envseal update
# Only show changes for specific environment
envseal update --env prodThe update command will:
- Scan all repositories for changed .env files
- Show an interactive selection menu
- Let you choose which repos to update
- Push selected changes to the vault
- Show next steps for git commit/push
Get an overview of every project's secrets โ key names only, decrypted values are never shown, kept, or written anywhere.
# Terminal overview โ every project, every env file, every key name
envseal list
# Static HTML dashboard โ safe to share, opens with no server
envseal report # writes ./envseal-report.html
envseal report -o ~/envseal-report.htmlThe HTML report is a single self-contained file (no network, no server):
- Stat cards โ project / key / env-file / environment counts
- Sticky search that filters by project name or key name
- One collapsible card per project, with environment badges and key chips
- Click-to-copy
envseal pullcommands for restoring each environment - Light / dark theme toggle
Because it contains key names only โ never values โ the report is safe to commit, share with teammates, or drop into a wiki.
| Command | Description | Options |
|---|---|---|
envseal init |
Initialize configuration and generate keys | --root DIR |
envseal push [repos...] |
Encrypt and push secrets to vault | --env ENV, --commit, --push |
envseal status |
Show sync status for all repos | - |
envseal update |
Interactively update changed secrets to vault | --env ENV, --commit, --push |
envseal diff REPO |
Show key-only changes | --env ENV |
envseal pull REPO |
Decrypt and pull from vault | --env ENV, --replace, --stdout |
envseal list |
Browse every project's secrets in the terminal (key names only) | - |
envseal report |
Write a shareable static HTML overview (key names only) | --output PATH |
sequenceDiagram
participant Dev
participant CLI as EnvSeal CLI
participant SOPS
participant Vault as secrets-vault repo
Dev->>CLI: envseal push
CLI->>CLI: scan repos & map env files
CLI->>SOPS: normalize .env* and encrypt (age)
SOPS-->>CLI: encrypted files
CLI->>Vault: write secrets/<repo>/<env>.env
Dev->>Vault: git add/commit/push (manual)
Just 4 steps:
- ๐ Copy age private key (from password manager)
- ๐ฆ Clone your secrets vault repository
- ๐ง Install EnvSeal:
pipx install envseal-vault - โฌ๏ธ Pull secrets:
envseal pull <project> --env <environment> --replace
See detailed steps in the "Multi-Device Setup" section below ๐
Age Key Management:
- Private key:
~/Library/Application Support/sops/age/keys.txt(macOS),~/.config/sops/age/keys.txt(Linux),~/AppData/Local/sops/age/keys.txt(Windows) (NEVER commit!) - Public key: Stored in
vault/.sops.yaml(safe to commit)
Backup Your Private Key:
# Display full key file
cat ~/Library/Application\ Support/sops/age/keys.txt
# Save to password manager (1Password, Bitwarden, etc.)Linux/Windows users: use the OS-specific key path listed in Age Key Management.
Vault Repository Best Practices:
- โ Keep vault repository private (even though files are encrypted)
- โ Enable branch protection and require PR reviews
- โ Use GitHub's secret scanning push protection
- โ Backup private key in password manager
See SECURITY.md for complete security model.
Two repositories you need to know:
- ๐ฆ EnvSeal tool:
chicogong/envseal(this repo - install via PyPI, no need to clone) - ๐ Your secrets vault:
USERNAME/my-secrets-vault(your private repo for encrypted .env files)
On a new machine:
-
Copy your age key from backup:
mkdir -p ~/Library/Application\ Support/sops/age/ nano ~/Library/Application\ Support/sops/age/keys.txt # Paste the 3-line key file (created, public key, private key) chmod 600 ~/Library/Application\ Support/sops/age/keys.txt
Linux/Windows users: use the OS-specific key path listed in Security.
-
Clone YOUR secrets vault and install EnvSeal tool:
# Clone YOUR vault (NOT the envseal tool repo) git clone git@github.com:USERNAME/my-secrets-vault.git ~/Github/secrets-vault # Install EnvSeal tool from PyPI pipx install envseal-vault envseal init
-
Pull secrets:
envseal pull my-project --env prod --replace
Location: ~/.config/envseal/config.yaml
vault_path: /path/to/secrets-vault
repos:
- name: my-api
path: /Users/you/projects/my-api
- name: web-app
path: /Users/you/projects/web-app
env_mapping:
".env": "local"
".env.dev": "dev"
".env.prod": "prod"
".env.staging": "staging"
scan:
include_patterns:
- ".env"
- ".env.*"
exclude_patterns:
- ".env.example"
- ".env.sample"
ignore_dirs:
- ".git"
- "node_modules"
- "venv"Only for contributing to EnvSeal tool itself:
# Clone the EnvSeal TOOL repository (for development)
git clone https://github.com/chicogong/envseal.git
cd envseal
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest
# Lint and format
make lint
make format
# Type check
make type-checkNote: Regular users don't need to clone this repo - just pipx install envseal-vault
- USAGE.en.md - Complete usage guide (English)
- USAGE.md - ๅฎๆดไฝฟ็จๆๅ๏ผไธญๆ๏ผ
- SECURITY.md - Security model and best practices
- PUBLISHING.md - Guide for publishing to PyPI
Contributions welcome! Please feel free to submit a Pull Request.
Apache-2.0 License - see LICENSE for details.
Built for developers navigating the AI coding era
PyPI ยท Report Bug ยท Request Feature