Secure, centralized environment variable management for AI coding era - SOPS + age encryption for multi-project .env files
Project description
๐ EnvSeal
Secure, centralized environment variable management for the AI coding era
๐ค Why EnvSeal for AI Coding?
The reality of AI-powered development: project explosion
Working with Claude Code, Cursor, Gemini CLI, or Windsurf? You know the drill:
- ๐ Today: 3 new demos
- ๐ฏ Tomorrow: 5 more repos
- ๐ Each one:
.env,.env.dev,.env.prod
Then what happens?
- ๐ Migration Pain: Switching machines? The hardest part isn't codeโit's "where are all those .env files?"
- ๐ Sync Chaos: Updated
DATABASE_URLin project A, forgot about project B - โ ๏ธ Leakage Risk: AI screenshots, logs, and shares easily expose secrets
- ๐ซ Onboarding Nightmare: New developer clones in 30 seconds, spends 3 hours hunting for credentials
EnvSeal's Solution:
Scan repos โ Normalize .env โ Encrypt with SOPS โ Unified Git vault โ One-command recovery
๐ What is EnvSeal?
EnvSeal is a CLI tool that helps you manage .env files across multiple repositories with end-to-end encryption. It scans your projects, normalizes environment files, and syncs them to a Git-backed vault using SOPS encryption.
Key Benefits:
- ๐ Secure: SOPS + age encryption (modern, battle-tested)
- ๐ฆ Centralized: One vault for all secrets across unlimited projects
- ๐ Safe Diffs: Key-only diffs never expose values
- ๐ Version Control: Full Git history for audit and rollback
- ๐ Simple: One command to sync everything
- ๐ป Multi-Device: Restore entire dev environment in minutes
๐ฏ Use Cases
- ๐ค AI Coding / Vibe Coding: Using Claude Code/Cursor? Manage 10+ projects without env chaos
- ๐ป Multi-Device Development: Work laptop โ Home desktop โ GitHub Codespaces
- ๐ Environment Migration: New machine? One command restores all project secrets
- ๐ฅ Team Collaboration: Share secrets securely via private vault (supports multiple age keys)
- ๐ Secret Rotation: Git history tracks "who changed what key and why"
โก Quick Start
Prerequisites
# macOS
brew install age sops
# Verify installation
age-keygen --version
sops --version
Installation
# Install with pipx (recommended)
pipx install envseal-vault
# Or with pip
pip install envseal-vault
# Verify
envseal --version
Initialize
cd ~/your-projects-directory
envseal init
This will:
- โ Generate an age encryption key
- ๐ Scan for Git repositories
- ๐ Create configuration at
~/.config/envseal/config.yaml - ๐๏ธ Set up vault structure
Sync Secrets
# Push all .env files to vault (encrypted)
envseal push
# Commit to vault
cd ~/Github/secrets-vault
git add .
git commit -m "Add encrypted secrets"
git push
Check Status
envseal status
Output:
๐ Checking secrets status...
my-project
โ .env - up to date
โ prod.env - 3 keys changed
api-service
+ local.env - new file (not in vault)
โ prod.env - up to date
๐ Commands
| Command | Description | Options |
|---|---|---|
envseal init |
Initialize configuration and generate keys | --root DIR |
envseal push [repos...] |
Encrypt and push secrets to vault | --env ENV |
envseal status |
Show sync status for all repos | - |
envseal diff REPO |
Show key-only changes | --env ENV |
envseal pull REPO |
Decrypt and pull from vault | --env ENV, --replace, --stdout |
๐ AI Coding Quick Recovery
Scenario: Restore all project environments on a new machine in 10 minutes
# 1. Copy age private key from your password manager
mkdir -p ~/Library/Application\ Support/sops/age/
nano ~/Library/Application\ Support/sops/age/keys.txt
# Paste the 3-line key file
chmod 600 ~/Library/Application\ Support/sops/age/keys.txt
# 2. Clone your vault
git clone git@github.com:USERNAME/secrets-vault.git
# 3. Install EnvSeal
pipx install envseal-vault
# 4. Pull all environments
envseal pull my-api --env prod --replace
envseal pull my-web --env dev --replace
envseal pull my-worker --env staging --replace
# Done! All .env files restored
๐ Security
Age Key Management:
- Private key:
~/Library/Application Support/sops/age/keys.txt(NEVER commit!) - Public key: Stored in
vault/.sops.yaml(safe to commit)
Backup Your Private Key:
# Display full key file
cat ~/Library/Application\ Support/sops/age/keys.txt
# Save to password manager (1Password, Bitwarden, etc.)
โ ๏ธ Critical: Losing your private key = permanent data loss!
Vault Repository Best Practices:
- โ Keep vault repository private (even though files are encrypted)
- โ Enable branch protection and require PR reviews
- โ Use GitHub's secret scanning push protection
- โ Backup private key in password manager
See SECURITY.md for complete security model.
๐ Multi-Device Setup
On a new machine:
-
Copy your age key from backup:
mkdir -p ~/Library/Application\ Support/sops/age/ nano ~/Library/Application\ Support/sops/age/keys.txt # Paste the 3-line key file (created, public key, private key) chmod 600 ~/Library/Application\ Support/sops/age/keys.txt
-
Clone vault and install:
git clone git@github.com:USERNAME/secrets-vault.git pipx install envseal-vault envseal init
-
Pull secrets:
envseal pull my-project --env prod --replace
๐ Configuration
Location: ~/.config/envseal/config.yaml
vault_path: /path/to/secrets-vault
repos:
- name: my-api
path: /Users/you/projects/my-api
- name: web-app
path: /Users/you/projects/web-app
env_mapping:
".env": "local"
".env.dev": "dev"
".env.prod": "prod"
".env.staging": "staging"
scan:
include_patterns:
- ".env"
- ".env.*"
exclude_patterns:
- ".env.example"
- ".env.sample"
ignore_dirs:
- ".git"
- "node_modules"
- "venv"
๐ ๏ธ Development
# Clone repo
git clone https://github.com/chicogong/envseal.git
cd envseal
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest
# Lint and format
make lint
make format
# Type check
make type-check
๐ Documentation
- USAGE.md - Complete usage guide (Chinese)
- SECURITY.md - Security model and best practices
- PUBLISHING.md - Guide for publishing to PyPI
๐ค Contributing
Contributions welcome! Please feel free to submit a Pull Request.
๐ License
Apache-2.0 License - see LICENSE for details.
Built for developers navigating the AI coding era
PyPI ยท Report Bug ยท Request Feature
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file envseal_vault-0.1.1.tar.gz.
File metadata
- Download URL: envseal_vault-0.1.1.tar.gz
- Upload date:
- Size: 83.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ff7e1f5739bf8ca11c43104f7301f807f021373aaf49b629d36795586e9d51f8
|
|
| MD5 |
f0caaa4a74521bfe45da00fc66d07c56
|
|
| BLAKE2b-256 |
2451fc0022ed566129bfe0522e1031e3dd83a9453f19e5696aec7363a090633f
|
File details
Details for the file envseal_vault-0.1.1-py3-none-any.whl.
File metadata
- Download URL: envseal_vault-0.1.1-py3-none-any.whl
- Upload date:
- Size: 15.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cb02615b6056dff85374fe299bad166c856eea71206a46f0b96479e5c1c71f52
|
|
| MD5 |
a1f0d44ccc54ae82f30cbc27dd78361f
|
|
| BLAKE2b-256 |
f11098533b6aba326bd0c561f0d17811a80eef689c0a2b12e7393201d8ba1fcc
|
