xenvsync
Open source — MIT Licensed

Encrypt your .env Commit with confidence

A blazing-fast CLI that encrypts environment variables with AES-256-GCM, shares them with your team via X25519 key exchange, and injects them in-memory — no cloud service required.

Get StartedStar on GitHub
Homebrew installbash
$ brew install nasimstg/tap/xenvsync

Pick the installer your team already uses. Each option installs the same xenvsync CLI.

~/my-project

How it works

Three commands. Zero cloud accounts.

From setup to production in under 60 seconds.

01

Initialize

Generate a 256-bit key. Automatically added to .gitignore.

xenvsync init
02

Encrypt & Commit

Encrypt your .env into .env.vault — safe to push to any repo.

xenvsync push
03

Inject & Run

Secrets live only in process memory. Plaintext never touches disk.

xenvsync run -- npm start

Features

Security without complexity

AES-256-GCM + X25519 Key Exchange

Uses Go's standard crypto/aes with authenticated encryption. Every push generates a fresh random nonce, so identical plaintext always produces different ciphertext. Team sharing uses X25519 ECDH with per-member ephemeral key slots — no shared symmetric key needed.

[nonce 12B] ‖ [ciphertext] ‖ [GCM tag 16B] → base64 → .env.vault

In-Memory Only

The 'run' command decrypts secrets into the child process environment. Plaintext never hits disk.

Team Sharing

X25519 keypairs let each member decrypt with their own private key. No shared secrets to distribute.

Multi-Environment

Push and pull named environments — staging, production, ci. Merge .env.shared < .env.staging < .env.local.

Key Rotation & Revoke

Rotate encryption keys and revoke team members atomically. Fresh ephemeral keys on every rotation.

Single Binary

Zero runtime dependencies. One binary for Linux, macOS, and Windows on both amd64 and arm64.

Audit Log & Diff

Track vault changes over time from Git history. Diff shows which keys changed without exposing values.

Doctor & Verify

Audit permissions, gitignore, key strength, and vault integrity. Pre-commit hook blocks stale vaults.

Comparison

How it compares

xenvsync vs existing tools for managing .env secrets

Featurexenvsyncdotenv-vaultgit-cryptsops
No cloud account
In-memory injection
Team sharing (asymmetric)
Multi-environment
Key rotation & revoke
Diff / audit log
Single binary, zero deps
Passphrase-protected keys

Migration guides available for dotenv-vault, sops, and git-crypt.

Quick start

Up and running in seconds

Solo workflowbash
# 1. Initialize — generates key + updates .gitignore
$ xenvsync init

# 2. Encrypt your .env (safe to commit)
$ xenvsync push
$ git add .env.vault && git commit -m "add encrypted env"

# 3. On another machine — decrypt the vault
$ xenvsync pull

# 4. Or inject secrets in-memory (no .env written)
$ xenvsync run -- npm start
Team workflow (V2 vault)bash
# Each member generates their identity once
$ xenvsync keygen

# Project lead adds team members
$ xenvsync team add alice <alice-public-key>
$ xenvsync team add bob <bob-public-key>

# Push auto-encrypts for all team members
$ xenvsync push    # creates V2 vault with per-member key slots

# Each member decrypts with their own private key
$ xenvsync pull    # uses ~/.xenvsync/identity

FAQ

Common questions

How is this different from dotenv-vault?

xenvsync works 100% offline. No cloud account, no third-party service. Your key never leaves your machine. It also supports in-memory injection, team sharing via X25519 key exchange, key rotation, and audit logging — features dotenv-vault doesn't offer.

Is it safe to commit .env.vault to Git?

Yes. The vault is encrypted with AES-256-GCM. Without the key file (.xenvsync.key) or your X25519 private key, the ciphertext is cryptographically indistinguishable from random data. The key is auto-added to .gitignore.

How do I share secrets with teammates?

Each team member runs `xenvsync keygen` to create their X25519 keypair, then shares their public key. The project lead adds members with `team add`. When you push, the vault is encrypted individually for each member — no shared symmetric key needed.

What if a team member leaves?

Run `xenvsync rotate --revoke <name>` to remove the member from the roster and re-encrypt the vault in one atomic step. They can no longer decrypt the vault, even with a copy of the old file.

Does it work with Docker?

Yes. Use `xenvsync run -- docker compose up` to inject secrets into Docker processes, or use the init-container pattern from examples/docker/. Secrets exist only in process memory, not in any file.

What happens if someone tampers with the vault?

GCM provides authenticated encryption. Any modification — even a single bit flip — causes decryption to fail. Run `xenvsync verify` to check vault integrity, or use the pre-commit hook to block stale vaults automatically.

Can I protect the key file with a passphrase?

Yes. Run `xenvsync init --passphrase` to encrypt the key file with scrypt + AES-256-GCM. Set the XENVSYNC_PASSPHRASE environment variable to decrypt it during operations.

Ready to secure your .env?

Get started in under a minute. No sign-ups, no cloud accounts, no configuration files.

Read the DocsView on GitHub