Prevent environment variable drift with Pydantic schema validation, pre-commit hooks, and dotenvx encryption
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
envdrift
Sync environment variables across your team. No more "it works on my machine."
The Problem
- New developer joins → spends half a day hunting for the right
.envvalues - Someone updates a secret → nobody else knows until production breaks
- "Can you send me the latest API keys?" in Slack → security nightmare
Paid SaaS solutions exist, but do you really want your production secrets on someone else's infrastructure?
The Solution
envdrift is an open-source CLI that encrypts .env files and syncs them using your existing cloud vault and git.
No hosted service, no additional servers, no third-party trust.
- Your infrastructure — Works with all major cloud providers: Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager
- Zero trust required — Secrets never leave your cloud
- No new servers — Just a CLI tool, no client-server architecture
- Free forever — MIT licensed, no per-seat pricing
# New team member onboarding - one command
envdrift pull
# That's it. Keys synced from vault, .env files decrypted, ready to code.
📘 This is the heart of envdrift. The end-to-end walkthrough — encrypt, push your key to your cloud vault, and have teammates pull and decrypt in one command — lives in the Env File Sync Guide. Start there.
Installation
One-liner (recommended):
# macOS / Linux
curl -sSL https://raw.githubusercontent.com/jainal09/envdrift/main/install.sh | sh
# Windows (PowerShell)
irm https://raw.githubusercontent.com/jainal09/envdrift/main/install.ps1 | iex
Or via pip:
pip install "envdrift[vault]" # All vault providers
Quick Start
1. Encrypt and push to vault (once per project):
envdrift encrypt .env.production
envdrift vault-push . my-app-key --env production --provider azure --vault-url https://myvault.vault.azure.net/
2. Team members pull instantly (no config needed):
envdrift vault-pull . my-app-key --env production --provider azure --vault-url https://myvault.vault.azure.net/
vault-pull fetches the key, writes .env.keys, and decrypts .env.production in one step.
3. Daily workflow (config-based, needs [vault.sync] in envdrift.toml):
envdrift pull # After git pull - sync keys, decrypt
envdrift lock # Before commit - encrypt, verify keys
Note:
pull/lockoperate on all services defined in your sync config. For a single secret without any TOML config, usevault-pull/vault-push.
Beyond Sync
| Feature | Description |
|---|---|
| Schema Validation | Validate .env against Pydantic schemas |
| Environment Diffing | Compare dev vs staging vs production |
| Vault Integration | Azure, AWS, HashiCorp, GCP |
| Encryption | dotenvx and SOPS backends |
| CI/CD Mode | Fail builds on misconfiguration |
envdrift validate .env --schema config:Settings
envdrift diff .env.dev .env.prod
Documentation
Full documentation: jainal09.github.io/envdrift
License
MIT
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file envdrift-0.1.4.tar.gz.
File metadata
- Download URL: envdrift-0.1.4.tar.gz
- Upload date:
- Size: 4.1 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.19 {"installer":{"name":"uv","version":"0.11.19","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0f9ca87a159c619eaf27bd4cda46821c7ed711f06df41a8e85b83d0f00f555fb
|
|
| MD5 |
4cbf490ee2f4f67eaee276f6f9053d37
|
|
| BLAKE2b-256 |
18e4a562bbc86dfa318703cbe8ebb2650df5335504ee8435975a510366b79f22
|
File details
Details for the file envdrift-0.1.4-py3-none-any.whl.
File metadata
- Download URL: envdrift-0.1.4-py3-none-any.whl
- Upload date:
- Size: 231.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.11.19 {"installer":{"name":"uv","version":"0.11.19","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dc8720ff47b422c0d910df63da21a7cc8374b53f6cb7d40c9778b4d802cf5c10
|
|
| MD5 |
4b27fccf0aa9a1d5f79ba730e9b25f60
|
|
| BLAKE2b-256 |
3898993fe330724af895c03ae688f8d23e0a68ac4d0e2097a1dd70c0f87833e1
|
