Enterprise-grade secure environment variable manager with AES-256 encryption
Project description
๐ VLT-CLI
Enterprise-Grade Environment Variable Security
Secure your secrets with military-grade AES-256 encryption
Features โข Installation โข Quick Start โข Documentation โข Examples
Never commit secrets again. Encrypt your .env files with a password. Deploy with confidence.
๐ฏ Why VLT-CLI?
โ Without VLT-CLI# Your .env file (plain text)
DATABASE_URL=postgresql://admin:pass123@...
API_KEY=sk_live_abc123xyz789...
AWS_SECRET=wJalrXUtnFEMI/K7MDENG...
# Risks:
โ Accidentally committed to Git
โ Shared via Slack/Email
โ Visible to anyone with file access
โ No encryption at rest
โ No audit trail
|
โ With VLT-CLI# Encrypted vault (.vlt file)
๏ฟฝk๏ฟฝX๏ฟฝ8๏ฟฝa๏ฟฝm๏ฟฝW๏ฟฝE๏ฟฝZ...
# Unreadable encrypted data
# Benefits:
โ
AES-256 military-grade encryption
โ
Master password protection
โ
Safe to commit to Git
โ
Memory-only decryption
โ
Complete audit logging
โ
Team collaboration ready
|
โจ Features
๐ Security First
| Feature | Description |
|---|---|
| ๐ก๏ธ AES-256 Encryption | Military-grade encryption used by governments worldwide |
| ๐ PBKDF2 Key Derivation | 100,000 iterations to prevent brute-force attacks |
| ๐ง Random Salt Generation | Unique salt for each vault ensures maximum security |
| ๐พ Zero-Persistence Mode | Decrypt secrets in RAM only - never touch disk |
| ๐ซ No Password Storage | Passwords never saved anywhere - forgotten = unrecoverable |
๐ Language-Agnostic
Works with ANY programming language or framework:
# Node.js / JavaScript
vlt run --name prod -- npm start
vlt run --name prod -- node server.js
# Python / Django / Flask
vlt run --name prod -- python manage.py runserver
vlt run --name prod -- gunicorn app:app
# Docker
vlt run --name prod -- docker-compose up
# Java / Spring Boot
vlt run --name prod -- mvn spring-boot:run
# Go
vlt run --name prod -- go run main.go
# Ruby / Rails
vlt run --name prod -- rails server
# ANY command
vlt run --name prod -- ./your-script.sh
๐ฅ Team Collaboration
|
๐ง Admin Full control Manage team Access all vaults |
๐จโ๐ป Developer Deploy apps Read vaults Run commands |
๐ Viewer Read-only access View audit logs Monitor usage |
๐ Audit & Compliance
- โ Full audit logging - Every action tracked with timestamp
- โ NIST compliant - Follows NIST SP 800-132 guidelines
- โ SOC 2 ready - Audit trails support compliance requirements
- โ GDPR compatible - Encryption-at-rest for sensitive data
๐ Installation
Quick Install
# Clone or download VLT-CLI
cd SecureEnv-Pro
# Install dependencies
pip install -r requirements.txt
# Verify installation
python main.py --version
Install as System Command
# Install globally
pip install -e .
# Now use 'vlt' anywhere!
vlt --version
Requirements
- Python: 3.8 or higher
- OS: Windows, macOS, Linux
- Dependencies: Automatically installed
โก Quick Start
1๏ธโฃ Lock Your Secrets
Encrypt your .env file with a master password:
vlt lock .env --name production --description "Production API keys"
What happens:
- ๐ You create a strong master password
- ๐ File encrypted with AES-256
- ๐พ Saved as
.env.vlt(safe to commit!) - ๐๏ธ Original
.envcan be deleted
2๏ธโฃ Run Your Application (๐ Most Secure!)
Execute commands with encrypted variables loaded in memory only:
# Node.js
vlt run --name production -- npm start
# Python
vlt run --name production -- python app.py
# Docker
vlt run --name production -- docker-compose up
Magic: Secrets are decrypted in RAM, injected into your app, and never written to disk!
3๏ธโฃ Manage Vaults
# List all vaults
vlt list
โโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโโ
โ Name โ Description โ Created โ Last Access โ
โโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโโโโโค
โ production โ Production API keys โ 2026-01-15 โ 2026-01-18 โ
โ staging โ Staging environment โ 2026-01-12 โ 2026-01-17 โ
โ development โ Local dev secrets โ 2026-01-10 โ 2026-01-18 โ
โโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโโโโ
4๏ธโฃ Team Collaboration
# Add team member
vlt add-member --name production --email dev@company.com --role developer
# View team
vlt team --name production
# Check audit logs
vlt audit --limit 50
๐ Complete Command Reference
๐ lock - Encrypt Environment File
vlt lock <file> --name <vault-name> [OPTIONS]
Options:
--name, -n Vault identifier (required)
--description, -d Vault description
--output, -o Custom output path
Examples:
vlt lock .env --name production
vlt lock .env.local --name dev --description "Development secrets"
๐ run - Execute with Encrypted Variables
vlt run --name <vault> -- <command>
Examples:
vlt run --name production -- npm start
vlt run --name staging -- python manage.py migrate
vlt run --name dev -- docker-compose up
๐ฅ This is the most secure method - variables never touch disk!
๐ unlock - Decrypt Vault to File
vlt unlock --name <vault> [--output <file>]
Examples:
vlt unlock --name production
vlt unlock --name staging --output .env.staging
โ ๏ธ WARNING: Use 'run' command instead when possible!
๐ list - View All Vaults
vlt list
# Shows: Name, Description, Created Date, Last Access, File Status
๐๏ธ delete - Remove Vault
vlt delete --name <vault> [--remove-file]
Options:
--remove-file Also delete the .vlt file
Example:
vlt delete --name old-project --remove-file
๐ฅ add-member - Add Team Member
vlt add-member --name <vault> --email <email> --role <role>
Roles:
admin - Full access + team management
developer - Deploy and run applications
viewer - Read-only access
Example:
vlt add-member --name production --email dev@company.com --role developer
๐ฅ team - List Team Members
vlt team --name <vault>
# Shows: Email, Role, Date Added
๐ audit - View Audit Logs
vlt audit [--limit <number>]
Example:
vlt audit --limit 100
๐ก Real-World Examples
Example 1: Node.js Express Application
# 1. Lock your secrets
vlt lock .env --name myapp-prod --description "Production database and APIs"
# 2. Update package.json
{
"scripts": {
"start": "vlt run --name myapp-prod -- node server.js",
"dev": "vlt run --name myapp-dev -- nodemon app.js"
}
}
# 3. Deploy
npm start # Secrets loaded securely!
Example 2: Python Django Project
# 1. Lock environment
vlt lock .env --name django-prod
# 2. Run migrations
vlt run --name django-prod -- python manage.py migrate
# 3. Start server
vlt run --name django-prod -- gunicorn myproject.wsgi:application
# 4. Deploy to production
vlt run --name django-prod -- ./deploy.sh
Example 3: Docker Deployment
# Dockerfile
FROM node:18
WORKDIR /app
COPY . .
# Install VLT-CLI
RUN pip install vlt-cli
# Run with encrypted secrets
CMD ["vlt", "run", "--name", "production", "--", "node", "server.js"]
Example 4: GitHub Actions CI/CD
# .github/workflows/deploy.yml
name: Deploy Production
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Install VLT-CLI
run: pip install vlt-cli
- name: Deploy with encrypted secrets
env:
MASTER_PASSWORD: ${{ secrets.MASTER_PASSWORD }}
run: |
echo "$MASTER_PASSWORD" | vlt run --name production -- ./deploy.sh
๐ข Team Workflow Example
Scenario: 5-Person Development Team
# ๐ง DevOps Lead - Initial Setup
vlt lock .env.production --name production
vlt lock .env.staging --name staging
vlt lock .env.development --name development
# Add team members
vlt add-member --name production --email lead@company.com --role admin
vlt add-member --name production --email dev1@company.com --role developer
vlt add-member --name staging --email dev2@company.com --role developer
vlt add-member --name development --email intern@company.com --role viewer
# ๐จโ๐ป Developers - Daily Work
vlt run --name development -- npm run dev # Local development
vlt run --name staging -- npm test # Run tests
vlt run --name production -- ./deploy.sh # Deploy (if authorized)
# ๐ Weekly Security Review
vlt audit --limit 500 > weekly-audit.log
vlt team --name production # Review access
๐ Security Best Practices
โ DO's
- โ Use strong passwords: 16+ characters, mix of uppercase, lowercase, digits, symbols
- โ
Use
vlt runcommand: Most secure - memory-only decryption - โ
Commit
.vltfiles: They're encrypted and safe! - โ Store passwords in password manager: 1Password, LastPass, Bitwarden
- โ Rotate passwords every 90 days: For production vaults
- โ Enable audit logging: Track all access
- โ Use separate vaults: dev, staging, production
โ DON'Ts
- โ Don't commit
.envfiles: Always in.gitignore - โ Don't share passwords via Slack/Email: Use secure channels
- โ Don't use weak passwords: "password123" is not secure!
- โ Don't share production passwords widely: Limit access
- โ Don't leave unlocked files around: Delete after use
๐ Technical Specifications
Encryption Details
| Specification | Value |
|---|---|
| Algorithm | AES-256-CBC |
| Key Derivation | PBKDF2-HMAC-SHA256 |
| Iterations | 100,000 |
| Salt Size | 32 bytes (cryptographically secure random) |
| Key Size | 256 bits |
Performance Benchmarks
| Operation | Time | Notes |
|---|---|---|
| Encrypt 1 KB | ~0.05s | AES-256 encryption |
| Decrypt 1 KB | ~0.06s | Includes key derivation |
| Encrypt 1 MB | ~0.8s | 100,000 PBKDF2 iterations |
| Run command | ~1.2s | Decrypt + execute |
๐งช Testing
All features are comprehensively tested:
# Run test suite
pytest tests/ -v
# Run with coverage
pytest tests/ --cov=core --cov=cli --cov-report=html
Test Results:
- โ 18/18 tests passing
- โ ~93% code coverage
- โ Security tests included
- โ End-to-end workflows tested
๐ค Contributing
We welcome contributions! Here's how:
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
๐ License
This project is licensed under the MIT License - see the LICENSE file for details.
๐ Support
Need Help?
- ๐ Documentation: This README
- ๐ Bug Reports: GitHub Issues
- ๐ฌ Discussions: GitHub Discussions
- ๐ง Email: faryadali14pk@gmail.com
Troubleshooting
Q: "Invalid password" error
# Ensure you're using the correct password (case-sensitive)
# Check vault name: vlt list
Q: "Module not found" error
# Reinstall dependencies
pip install -r requirements.txt --force-reinstall
Q: Tests failing
# Set PYTHONPATH
export PYTHONPATH="$PWD" # Linux/Mac
$env:PYTHONPATH="$PWD" # Windows PowerShell
pytest tests/ -v
๐ Star This Project!
If VLT-CLI helps secure your applications, please โญ star this repository to show your support!
๐ Additional Resources
๐ Keep Your Secrets Safe with VLT-CLI
Built with โค๏ธ by Faryad Ali
Never commit secrets again. Encrypt everything. Deploy with confidence.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
vlt_cli-1.0.1.tar.gz
(22.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
vlt_cli-1.0.1-py3-none-any.whl
(15.3 kB
view details)
File details
Details for the file vlt_cli-1.0.1.tar.gz.
File metadata
- Download URL: vlt_cli-1.0.1.tar.gz
- Upload date:
- Size: 22.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cda3c727cb966013ca26dff1bd8d3aeb7c694650ee5b8a9273a117936eb61a0a
|
|
| MD5 |
3c0cebcccbb9cd9701d45e48f73d3ab4
|
|
| BLAKE2b-256 |
30b1b4505bb3f1ceb509bb76d8901609c76cdc9a6a3e8310ae4205087e28e8bc
|
File details
Details for the file vlt_cli-1.0.1-py3-none-any.whl.
File metadata
- Download URL: vlt_cli-1.0.1-py3-none-any.whl
- Upload date:
- Size: 15.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
383afcf0f5ce56ac4d92e874d614842ef9c5e745a73c73d987d6c80e088c50ca
|
|
| MD5 |
b466b2baed3fc578fca868838aa81dc6
|
|
| BLAKE2b-256 |
eb9a283368bb01fc380296e94e8d6585c79b1953bcc05ce655e37bc8bc626c72
|
