Skip to content

sozenka/sealenv

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
.github
.github
 
 
src
src
 
 
tests
tests
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

sealenv

Encrypt .env files and switch profiles. One binary, zero setup.

Crates.io License: MIT CI

The problem

Everyone leaks secrets eventually. .env files get committed. .env.example gets out of sync. Switching between dev/staging/prod means manually copying files. There's no standard, no tooling, and every team does it differently.

sealenv fixes this in one binary.

Install

Homebrew

brew tap sozenka/sealenv
brew install sealenv

Cargo

cargo install sealenv

Direct download

Grab the binary for your platform from Releases.

# Linux / macOS
curl -L https://github.com/sozenka/sealenv/releases/latest/download/sealenv-linux-x86_64.tar.gz | tar xz
sudo mv sealenv /usr/local/bin/

Quick start

# 1. Initialize sealenv in your project
sealenv init

# 2. Add your secrets
sealenv add DATABASE_URL=postgres://localhost/mydb
sealenv add API_KEY=sk-abc123

# 3. Encrypt .env — safe to commit
sealenv encrypt
git add .env.enc
git commit -m "chore: add encrypted env"

# 4. Run your app without ever writing .env to disk
sealenv run -- npm start

Commands

Command Description
sealenv init Initialize sealenv in a project, generate key, update .gitignore
sealenv encrypt Encrypt .env.env.enc (safe to commit)
sealenv decrypt Decrypt .env.enc.env
sealenv add KEY=VALUE Add a secret to the active profile
sealenv profile create <name> Create a new profile
sealenv profile use <name> Switch active profile
sealenv profile list List all profiles with active indicator
sealenv run -- <cmd> Run a command with env vars injected, no file written
sealenv diff <a> <b> Show differences between two profiles
sealenv key export Export your key (share with teammates)
sealenv key import <key> Import a key from a teammate

How it works

  • AES-256-GCM encryption — authenticated, tamper-proof
  • Keys stored in ~/.sealenv/keys/ — never in your repo
  • sealenv init auto-adds .env and key paths to .gitignore
  • Profiles stored in .sealenv/profiles/ — all plaintext locally, encrypted separately
  • sealenv run injects vars directly into the subprocess environment — nothing touches disk

Team workflow

# Person A: set up and share key
sealenv init
sealenv encrypt
sealenv key export   # → prints a base64 string

# Person B: import key and decrypt
sealenv key import <base64-string>
sealenv decrypt

Profiles example

sealenv profile create dev
sealenv profile create staging
sealenv profile create prod

sealenv profile use staging
sealenv diff dev staging   # see what changed
sealenv run -- node deploy.js

Contributing

Issues and PRs welcome. Please open an issue before working on large changes.

git clone https://github.com/sozenka/sealenv
cd sealenv
cargo build
cargo test

Sponsor

If sealenv saves you time or protects your secrets, consider sponsoring:

github.com/sponsors/sozenka

Company using sealenv in production? Reach out about priority support.

About

sealenv is a security-first CLI tool built in Rust that prevents sensitive API keys and database credentials from being leaked in plain-text .env files.

Topics

rust security encryption cybersecurity env decryption encryption-decryption security-tools devsecops cli-tool secrets-management env-management

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Apr 23, 2026

Packages

 
 
 

Contributors

Languages