EnvSeal is designed to securely manage environment variables across multiple projects using SOPS encryption with age keys.
- Encrypts .env files using SOPS with age encryption
- Stores encrypted files in a Git repository
- Provides key-only diffs (values never exposed in output)
- Manages age keys securely with proper file permissions
- EnvSeal does not store secrets itself (stateless CLI)
- EnvSeal does not transmit secrets over the network (local operations only)
- EnvSeal does not provide access control (use Git repository permissions)
- Backup your age key:
~/Library/Application Support/sops/age/keys.txt(macOS),~/.config/sops/age/keys.txt(Linux),~/AppData/Local/sops/age/keys.txt(Windows) - Store backup in a secure location (password manager, encrypted USB, etc.)
- Never commit age keys to Git
- Use different age keys for different trust boundaries if sharing vault
- Keep vault repository private on GitHub/GitLab
- Enable branch protection on main branch
- Require pull request reviews for changes
- Enable GitHub Secret Scanning push protection
When syncing to a new device:
- Copy age key to new device:
~/Library/Application Support/sops/age/keys.txt(macOS),~/.config/sops/age/keys.txt(Linux),~/AppData/Local/sops/age/keys.txt(Windows) - Set permissions:
chmod 600 <key-file> - Clone vault repository
- Run
envseal pullto restore secrets
To share vault with team members:
- Each member generates their own age key
- Add all public keys to
.sops.yaml:creation_rules: - path_regex: ^secrets/.*\.env$ input_type: dotenv age: >- age1abc..., age1def..., age1ghi...
- Re-encrypt all files:
sops updatekeys secrets/**/*.env
- Temporary decrypted files are created in
/tmpwith random names - Files are automatically cleaned up on process exit
- Never commit temporary files to Git
- ✅ Vault repository leak (files are encrypted)
- ✅ Accidental secret exposure in Git diffs (key-only diffs)
- ✅ Unauthorized access to vault (age encryption)
- ❌ Age key compromise (protect your key!)
- ❌ Malicious code with filesystem access (use trusted code only)
- ❌ Physical access to unlocked computer (lock your screen)
If you discover a security vulnerability, please email: security@example.com
Do not open public GitHub issues for security vulnerabilities.
EnvSeal relies on:
- SOPS (maintained by Mozilla, now community)
- age (maintained by Filippo Valsorda)
Keep these tools updated:
brew upgrade sops age- EnvSeal does not transmit data to external services
- All encryption happens locally
- Vault storage is user-controlled (your Git repository)
- No telemetry or usage tracking