Encrypt your .env
Commit with confidence
A blazing-fast CLI that encrypts environment variables with AES-256-GCM and injects them in-memory — so you can commit secrets to Git without a cloud service.
$ npm install -g xenvsync
or npx xenvsync · go install github.com/nasimstg/xenvsync@latest
How it works
Three commands. Zero cloud accounts.
From setup to production in under 60 seconds.
Initialize
Generate a 256-bit key. Automatically added to .gitignore.
xenvsync init
Encrypt & Commit
Encrypt your .env into .env.vault — safe to push to any repo.
xenvsync push
Inject & Run
Secrets live only in process memory. Plaintext never touches disk.
xenvsync run -- npm start
Features
Security without complexity
AES-256-GCM Encryption
Uses Go's standard crypto/aes with authenticated encryption. Every push generates a fresh random nonce, so identical plaintext always produces different ciphertext. Tamper detection is built into the GCM auth tag.
In-Memory Only
The 'run' command decrypts secrets into the child process environment. Plaintext never hits disk.
Single Binary
Zero runtime dependencies. One binary for Linux, macOS, and Windows on both amd64 and arm64.
Git-Friendly Vaults
Base64 with header/footer markers and 76-char line wrapping. Vault diffs stay readable.
Diff & Status
Preview what changed before pushing or pulling. See timestamps, permissions, and sync direction.
Comparison
How it compares
xenvsync vs existing tools for managing .env secrets
| Feature | xenvsync | dotenv-vault | git-crypt | sops |
|---|---|---|---|---|
| No cloud account | ✓ | ✕ | ✓ | ✓ |
| Encrypts only .env | ✓ | ✓ | ✕ | ✓ |
| In-memory injection | ✓ | ✕ | ✕ | ✕ |
| Single binary, zero deps | ✓ | ✕ | ✕ | ✕ |
| Diff / status preview | ✓ | ✕ | ✕ | ✓ |
| Standard crypto (AES-256) | ✓ | ✓ | ✓ | ✓ |
Quick start
Up and running in seconds
# 1. Initialize — generates key + updates .gitignore
$ xenvsync init
# 2. Encrypt your .env (safe to commit)
$ xenvsync push
$ git add .env.vault && git commit -m "add encrypted env"
# 3. On another machine — decrypt the vault
$ xenvsync pull
# 4. Or inject secrets in-memory (no .env written)
$ xenvsync run -- npm start
FAQ
Common questions
How is this different from dotenv-vault?
xenvsync works 100% offline. No cloud account, no third-party service. Your key never leaves your machine. It also supports in-memory injection with the `run` command, which dotenv-vault doesn't offer.
Is it safe to commit .env.vault to Git?
Yes. The vault is encrypted with AES-256-GCM. Without the key file (.xenvsync.key), the ciphertext is cryptographically indistinguishable from random data. The key is auto-added to .gitignore.
How do I share the key with teammates?
In V1, share the .xenvsync.key file through a secure channel (password manager, encrypted message, etc.). V2 will introduce public-key cryptography so teammates can decrypt with their own private keys.
Does it work with Docker?
Yes. Use `xenvsync run -- docker compose up` to inject secrets into Docker processes. The secrets exist only in the process environment, not in any file.
What happens if someone tampers with the vault?
GCM provides authenticated encryption. Any modification to the ciphertext — even a single bit flip — will cause decryption to fail with an authentication error. You'll know immediately.
Ready to secure your .env?
Get started in under a minute. No sign-ups, no cloud accounts, no configuration files.