CLI tool for managing encrypted .env files across multiple repositories
🔐 EnvSeal
Secure, centralized management for environment variables across multiple projects
📖 What is EnvSeal?
EnvSeal is a CLI tool that helps you manage .env files across multiple repositories with end-to-end encryption. It scans your projects, normalizes environment files, and syncs them to a Git-backed vault using SOPS encryption.
Key Benefits:
- 🔒 Secure: Uses SOPS + age encryption (modern, battle-tested)
- 📦 Centralized: One vault for all your secrets across all projects
- 🔍 Safe Diffs: Only shows key names, never values
- 🔄 Version Control: Full Git history for audit and rollback
- 🚀 Simple: One command to sync everything
🎯 Use Cases
- Individual Developers: Manage secrets across 10+ personal projects
- Multi-Device Setup: Sync secrets between work laptop and home desktop
- Team Collaboration: Share secrets securely via private Git repo
- Secret Rotation: Track when and why secrets changed with Git history
⚡ Quick Start
Prerequisites
# macOS
brew install age sops
# Verify installation
age-keygen --version
sops --version
Installation
Currently in development - install from source:
# Clone the repository
git clone https://github.com/chicogong/envseal.git
cd envseal
# Install globally with pipx (recommended)
pipx install .
# Or with pip
pip install .
Note: PyPI package coming soon. Once published, you'll be able to install with pipx install envseal.
Initialize
cd ~/your-projects-directory
envseal init
This will:
- ✅ Generate an age encryption key
- 🔍 Scan for Git repositories
- 📝 Create configuration at ~/.config/envseal/config.yaml
- 🗂️ Set up vault structure
Sync Secrets
# Push all .env files to vault (encrypted)
envseal push
# Commit to vault
cd ~/Github/secrets-vault
git add .
git commit -m "Add encrypted secrets"
git push
Check Status
envseal status
Output:
📊 Checking secrets status...
my-project
✓ .env - up to date
⚠ prod.env - 3 keys changed
api-service
+ local.env - new file (not in vault)
✓ prod.env - up to date
📚 Commands
| Command | Description | Options |
|---|---|---|
| envseal init | Initialize configuration and generate keys | --root DIR |
| envseal push [repos...] | Encrypt and push secrets to vault | --env ENV |
| envseal status | Show sync status for all repos | - |
| envseal diff REPO | Show key-only changes | --env ENV |
| envseal pull REPO | Decrypt and pull from vault | --env ENV, --replace, --stdout |
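The key-only comparison behind "Safe Diffs" and envseal diff, sketched as an added example; this is not EnvSeal's own code. The function names, the +/-/~ markers and the sample values are constructed for illustration.

```python
def parse_env(text):
    """Parse dotenv text into {key: value}.

    Skips blank lines and comments, drops an 'export ' prefix and one pair
    of surrounding quotes, so cosmetic differences do not count as changes.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a KEY=VALUE line
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def key_only_diff(old_text, new_text):
    """Compare two env files; values are compared in memory, never returned."""
    old, new = parse_env(old_text), parse_env(new_text)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def render(diff):
    """Format the diff using key names only."""
    lines = [f"+ {k}" for k in diff["added"]]
    lines += [f"- {k}" for k in diff["removed"]]
    lines += [f"~ {k}" for k in diff["changed"]]
    return "\n".join(lines)


# Constructed sample data: a decrypted vault copy and a local working copy.
VAULT_COPY = 'DATABASE_URL=postgres://app:old-pass@db/app\nAPI_KEY="k-111"\nDEBUG=false\n'
LOCAL_COPY = ('# rotated\nexport DATABASE_URL=postgres://app:new-pass@db/app\n'
              'API_KEY=k-111\nSENTRY_DSN=https://example.invalid/1\n')

if __name__ == "__main__":
    print(render(key_only_diff(VAULT_COPY, LOCAL_COPY)))
```

Because only key names reach the output, the result can be pasted into a terminal log, CI output or a commit message without exposing a secret value.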
🔐 Security
Age Key Management:
- Private key: ~/Library/Application Support/sops/age/keys.txt (NEVER commit!)
- Public key: Stored in vault/.sops.yaml (safe to commit)
Backup Your Private Key:
# Display full key file
cat ~/Library/Application\ Support/sops/age/keys.txt
# Save to password manager (1Password, Bitwarden, etc.)
⚠️ Warning: Losing your private key = permanent data loss!
See SECURITY.md for details.
🌍 Multi-Device Setup
On a new machine:
- Copy your age key from backup:
mkdir -p ~/Library/Application\ Support/sops/age/
nano ~/Library/Application\ Support/sops/age/keys.txt
# Paste the 3-line key file (created, public key, private key)
chmod 600 ~/Library/Application\ Support/sops/age/keys.txt
- Clone vault and install:
git clone git@github.com:USERNAME/secrets-vault.git
pipx install envseal
envseal init
- Pull secrets:
envseal pull my-project --env prod --replace
📁 Configuration
Location: ~/.config/envseal/config.yaml
vault_path: /path/to/secrets-vault
repos:
  - name: my-api
    path: /Users/you/projects/my-api
  - name: web-app
    path: /Users/you/projects/web-app
env_mapping:
  ".env": "local"
  ".env.dev": "dev"
  ".env.prod": "prod"
  ".env.staging": "staging"
scan:
  include_patterns:
    - ".env"
    - ".env.*"
  exclude_patterns:
    - ".env.example"
    - ".env.sample"
  ignore_dirs:
    - ".git"
    - "node_modules"
    - "venv"
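How the scan and env_mapping settings above could select files, as an added example; this is not EnvSeal's own code. It assumes the patterns are shell-style globs matched against the file name, that excludes take precedence over includes (needed because ".env.*" also matches ".env.example"), and that unmapped files get no environment name. The function names and the repo tree are constructed.

```python
import fnmatch
import os
import tempfile

# Values copied from the config.yaml shown above.
SCAN = {
    "include_patterns": [".env", ".env.*"],
    "exclude_patterns": [".env.example", ".env.sample"],
    "ignore_dirs": [".git", "node_modules", "venv"],
}
ENV_MAPPING = {".env": "local", ".env.dev": "dev",
               ".env.prod": "prod", ".env.staging": "staging"}


def is_env_file(name, scan=SCAN):
    """Excludes win over includes, so templates such as .env.example are skipped."""
    if any(fnmatch.fnmatchcase(name, p) for p in scan["exclude_patterns"]):
        return False
    return any(fnmatch.fnmatchcase(name, p) for p in scan["include_patterns"])


def scan_repo(root, scan=SCAN, mapping=ENV_MAPPING):
    """Return sorted (relative_path, env_name) pairs; env_name is None if unmapped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d not in scan["ignore_dirs"]]
        for name in filenames:
            if is_env_file(name, scan):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append((rel.replace(os.sep, "/"), mapping.get(name)))
    return sorted(found)


def demo():
    """Build a constructed repo tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in [".env", ".env.prod", ".env.example", ".env.test",
                    "node_modules/pkg/.env", "services/api/.env.dev", "README.md"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("KEY=constructed\n")
        return scan_repo(root)


if __name__ == "__main__":
    for rel, env in demo():
        print(f"{rel} -> {env}")
```

The ".env.test" entry comes back with no environment name: a file that matches the include patterns but has no env_mapping entry is worth flagging rather than silently skipping.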
🛠️ Development
# Clone repo
git clone https://github.com/chicogong/envseal.git
cd envseal
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest
# Lint and format
make lint
make format
# Type check
make type-check
📝 Documentation
- USAGE.md - Complete usage guide (Chinese)
- SECURITY.md - Security model and best practices
🤝 Contributing
Contributions welcome! Please feel free to submit a Pull Request.
📄 License
Apache-2.0 License - see LICENSE for details.
Made with ❤️ by developers, for developers
File details
Details for the file envseal_vault-0.1.0.tar.gz.
File metadata
- Download URL: envseal_vault-0.1.0.tar.gz
- Upload date:
- Size: 81.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.1
File details
Details for the file envseal_vault-0.1.0-py3-none-any.whl.
File metadata
- Download URL: envseal_vault-0.1.0-py3-none-any.whl
- Upload date:
- Size: 15.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.1