Enterprise-grade secure environment variable manager with AES-256 encryption
Project description
SecureEnv-Pro
Enterprise-Grade Environment Variable Security Tool
Military-grade AES-256 encryption • Zero-persistence decryption • Language-agnostic
Overview
SecureEnv-Pro is a professional security tool designed to protect your sensitive environment variables from unauthorized access. Whether you're working solo or in a team, SecureEnv-Pro ensures your secrets remain encrypted and are only decrypted in-memory when needed.
Key Features
- Military-Grade Encryption: AES-256 encryption with PBKDF2 key derivation (100,000 iterations)
- Master Password Protection: Secrets are encrypted with your master password - no password, no access
- Zero-Persistence: Decryption happens in-memory only - no plain-text files on disk
- Language-Agnostic: Works with any programming language (Node.js, Python, Java, Go, etc.)
- Team Collaboration: Role-based access control for team environments
- Audit Logging: Track all vault operations for compliance
- Multiple Vaults: Manage different environments (dev, staging, production)
- Easy Integration: Simple CLI commands for daily workflows
Installation
Quick Install (Recommended)
# Clone the repository
git clone https://github.com/yourusername/SecureEnv-Pro.git
cd SecureEnv-Pro
# Install dependencies
pip install -r requirements.txt
# Install as a system command (optional)
pip install -e .
System Requirements
- Python 3.8 or higher
- Windows, macOS, or Linux
Quick Start
1. Lock (Encrypt) Your Environment File
# Encrypt your .env file
python main.py lock .env --name production --description "Production secrets"
# You'll be prompted for a master password
# The encrypted vault will be saved as .env.vlt
2. Run Commands with Encrypted Variables (Recommended)
# Run your Node.js app with encrypted variables
python main.py run --name production -- node app.js
# Run Python application
python main.py run --name production -- python manage.py runserver
# Run any command
python main.py run --name staging -- npm start
This is the most secure method - variables are loaded directly into memory, never touching the disk!
3. Unlock (Decrypt) if Needed
# Decrypt vault to .env file (use with caution)
python main.py unlock --name production --output .env
# Remember to delete the decrypted file after use!
Complete Usage Guide
Command Reference
lock - Encrypt Environment File
Encrypts a plain-text environment file into a secure vault.
python main.py lock <env-file> --name <vault-name> [OPTIONS]
Options:
--name, -n Vault name identifier (required)
--description, -d Vault description
--output, -o Output vault file path (default: .env.vlt)
Examples:
python main.py lock .env --name production --description "Production API keys"
python main.py lock .env.local --name dev --output ./vault/dev.vlt
Security Tips:
- Use a strong master password (mix of uppercase, lowercase, digits, symbols)
- Delete the original .env file after encryption
- Store the .vlt file in version control (it's encrypted!)
unlock - Decrypt Vault
Decrypts a vault to a plain-text file.
python main.py unlock --name <vault-name> [OPTIONS]
Options:
--name, -n Vault name to unlock (required)
--output, -o Output file path (default: .env)
Examples:
python main.py unlock --name production
python main.py unlock --name staging --output .env.staging
WARNING: Decrypted files are security risks! Use 'run' command instead when possible.
run - Execute with Encrypted Variables (Most Secure)
Runs a command with environment variables loaded from an encrypted vault directly into memory.
python main.py run --name <vault-name> -- <command>
Options:
--name, -n Vault name to use (required)
Examples:
# Node.js applications
python main.py run --name production -- node server.js
python main.py run --name dev -- npm run dev
# Python applications
python main.py run --name production -- python app.py
python main.py run --name dev -- flask run
# Docker containers
python main.py run --name production -- docker-compose up
# Any command
python main.py run --name staging -- ./start-app.sh
How it works:
- Prompts for your master password
- Decrypts vault in memory only
- Injects variables into the command's environment
- Executes your command
- Variables are cleared after execution
Zero disk I/O - plain-text secrets never touch your hard drive!
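The injection step of `run`, sketched as an added example (not SecureEnv-Pro's own code). It starts from bytes that are already decrypted in memory, so the vault format and the AES step are out of scope; `parse_dotenv`, `run_with_secrets` and the sample values are hypothetical names and constructed data.

```python
import os
import subprocess
import sys

def parse_dotenv(plaintext) -> dict:
    """Parse KEY=VALUE lines from decrypted vault bytes (bytes or bytearray)."""
    env = {}
    for raw in plaintext.decode("utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # skip blank lines and comments
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.replace("_", "a").isalnum() or key[0].isdigit():
            raise ValueError(f"malformed line for key {key!r}")  # never echo the value
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]               # strip one pair of matching quotes
        env[key] = value
    return env

def run_with_secrets(plaintext: bytearray, command: list) -> int:
    """Run `command` with the secrets in its environment only; return its exit code."""
    try:
        child_env = {**os.environ, **parse_dotenv(plaintext)}
        # env= applies to the child only: the parent's os.environ is not modified
        # and no temporary .env file is written.
        return subprocess.run(command, env=child_env, check=False).returncode
    finally:
        # Best effort: overwrite the mutable buffer. The str copies made while
        # parsing cannot be wiped and live until they are garbage-collected.
        plaintext[:] = b"\x00" * len(plaintext)

# Constructed sample standing in for a vault that was decrypted in memory.
SAMPLE = b'# constructed sample\nexport API_KEY="sk-test-123"\nDB_URL=postgres://u:p@db/app\n'
CHECK = [sys.executable, "-c",
         "import os,sys; sys.exit(0 if os.environ.get('API_KEY')=='sk-test-123' else 3)"]

if __name__ == "__main__":
    buf = bytearray(SAMPLE)
    print("child exit code:", run_with_secrets(buf, CHECK))
    print("parent has API_KEY:", "API_KEY" in os.environ)
```

While the child runs, its environment is still readable by the same user or root (for example through /proc/<pid>/environ on Linux), so "in memory only" protects against files on disk, not against other processes on the host.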
list - View All Vaults
Lists all registered vaults with their metadata.
python main.py list
Example output:
┌─────────────┬───────────────┬────────────┬─────────────┬─────────────┐
│ Name        │ Description   │ Created    │ Last Access │ File Exists │
├─────────────┼───────────────┼────────────┼─────────────┼─────────────┤
│ production  │ Prod API keys │ 2026-01-15 │ 2026-01-17  │ ✓           │
│ staging     │ Staging env   │ 2026-01-10 │ Never       │ ✓           │
│ development │ Local dev     │ 2026-01-05 │ 2026-01-16  │ ✓           │
└─────────────┴───────────────┴────────────┴─────────────┴─────────────┘
delete - Remove Vault
Deletes a vault registration (optionally removes the file too).
python main.py delete --name <vault-name> [OPTIONS]
Options:
--name, -n Vault name to delete (required)
--remove-file Also delete the .vlt file
Examples:
python main.py delete --name old-project
python main.py delete --name temp --remove-file
audit - View Audit Logs
Displays audit logs for compliance and security monitoring.
python main.py audit [OPTIONS]
Options:
--limit, -l Number of entries to show (default: 20)
Example:
python main.py audit --limit 50
add-member - Add Team Member
Adds a team member to a vault with role-based access.
python main.py add-member --name <vault> --email <email> --role <role>
Roles:
admin - Full access including team management
developer - Can read and deploy (default)
viewer - Read-only access
Examples:
python main.py add-member --name production --email dev@company.com --role developer
python main.py add-member --name staging --email manager@company.com --role admin
team - List Team Members
Shows all team members for a vault.
python main.py team --name <vault-name>
Example output:
Team members for 'production':
┌───────────────────┬───────────┬────────────┐
│ Email             │ Role      │ Added      │
├───────────────────┼───────────┼────────────┤
│ admin@company.com │ admin     │ 2026-01-10 │
│ dev1@company.com  │ developer │ 2026-01-12 │
│ dev2@company.com  │ developer │ 2026-01-15 │
└───────────────────┴───────────┴────────────┘
Real-World Team Workflow
Scenario: E-commerce Platform with Multiple Environments
Team Structure:
- 1 DevOps Lead (Admin)
- 3 Backend Developers
- 2 Frontend Developers
- 1 QA Engineer
Environment Setup:
# DevOps Lead creates encrypted vaults
python main.py lock .env.production --name production --description "Production DB and APIs"
python main.py lock .env.staging --name staging --description "Staging environment"
python main.py lock .env.dev --name development --description "Local development"
# Add team members with appropriate roles
python main.py add-member --name production --email devops@company.com --role admin
python main.py add-member --name production --email backend1@company.com --role developer
python main.py add-member --name production --email backend2@company.com --role developer
python main.py add-member --name production --email qa@company.com --role viewer
# Developers can now run applications securely
python main.py run --name development -- npm run dev
python main.py run --name staging -- python manage.py test
python main.py run --name production -- node server.js
Daily Developer Workflow:
# Morning: Start development server
python main.py run --name development -- npm run dev
# Testing: Run against staging
python main.py run --name staging -- pytest
# Deployment: Deploy to production
python main.py run --name production -- ./deploy.sh
# Audit: Check recent access
python main.py audit --limit 30
Benefits:
- No .env files in Slack or email
- No accidental commits of secrets
- Centralized access control
- Complete audit trail
- Easy onboarding/offboarding
Security Best Practices
1. Strong Master Passwords
Weak: "password123"
Weak: "mycompany"
Strong: "C0mp@ny!Pr0d#2026"
Strong: "Tr0pic@l$Sunse7*Mango"
2. Password Management
- Use a password manager (1Password, LastPass, Bitwarden)
- Never share passwords via Slack/Email
- Rotate passwords every 90 days for production vaults
3. Vault Organization
vault/
├── production.vlt   # Production secrets - highest security
├── staging.vlt      # Staging environment
├── development.vlt  # Local development
└── testing.vlt      # CI/CD testing
4. Git Configuration
# .gitignore
.env
.env.*
# Commit encrypted vaults (they're safe!)
!vault/*.vlt
# Commit encrypted vaults to version control
git add vault/*.vlt
git commit -m "chore: update production vault"
5. CI/CD Integration
GitHub Actions Example:
# .github/workflows/deploy.yml
name: Deploy Production
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Install SecureEnv-Pro
        run: |
          pip install -r SecureEnv-Pro/requirements.txt
      - name: Deploy with encrypted secrets
        env:
          MASTER_PASSWORD: ${{ secrets.MASTER_PASSWORD }}
        run: |
          echo "$MASTER_PASSWORD" | python SecureEnv-Pro/main.py run --name production -- ./deploy.sh
GitLab CI Example:
# .gitlab-ci.yml
deploy:
  stage: deploy
  script:
    - pip install -r SecureEnv-Pro/requirements.txt
    - echo "$MASTER_PASSWORD" | python SecureEnv-Pro/main.py run --name production -- ./deploy.sh
  only:
    - main
Testing
Run All Tests
# Install test dependencies
pip install pytest pytest-cov
# Run tests with coverage
pytest tests/ -v --cov=core --cov-report=html
# View coverage report
# Open htmlcov/index.html in your browser
Test Coverage
The test suite includes:
- Encryption/decryption correctness
- Password strength validation
- Wrong password rejection
- File operations
- Vault registration
- Team management
- Audit logging
- End-to-end workflows
Current Coverage: ~95%
Troubleshooting
"Module not found" errors
# Reinstall dependencies
pip install -r requirements.txt --force-reinstall
"Invalid password" when decrypting
- Ensure you're using the exact password from encryption
- Passwords are case-sensitive
- Check for extra spaces
"Vault not found"
# List all vaults
python main.py list
# Re-register vault if needed
python main.py list # Find the .vlt file path
# Then manually add to vault/config.yml
Permission errors
# Windows: Run as Administrator
# Linux/Mac: Check file permissions
chmod 600 vault/*.vlt
Migration from Other Tools
From dotenv (Node.js)
# Before: .env file in project root
# After:
python main.py lock .env --name myproject
python main.py run --name myproject -- node app.js
# Update package.json
"scripts": {
"start": "python SecureEnv-Pro/main.py run --name production -- node server.js",
"dev": "python SecureEnv-Pro/main.py run --name development -- nodemon app.js"
}
From python-decouple (Python)
# Before: .env file or environment variables
# After:
python main.py lock .env --name myproject
python main.py run --name myproject -- python app.py
# Update scripts
python main.py run --name production -- gunicorn app:app
Comparison with Alternatives
| Feature | SecureEnv-Pro | dotenv | direnv | Vault (HashiCorp) |
|---|---|---|---|---|
| Encryption | AES-256 | None | None | Yes |
| Master Password | Yes | No | No | Yes |
| Zero-Persistence | Yes | No | No | Partial |
| Language-Agnostic | Yes | Limited | Yes | Yes |
| Team Management | Yes | No | No | Yes |
| Audit Logging | Yes | No | No | Yes |
| Easy Setup | Simple | Simple | Moderate | Complex |
| Cost | Free | Free | Free | Paid (Cloud) |
Contributing
We welcome contributions! Please see our contributing guidelines:
- Fork the repository
- Create your feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
License
MIT License - see LICENSE file for details
Support
- Issues: GitHub Issues
- Email: support@secureenv-pro.com
- Documentation: Full Docs
Star This Project
If SecureEnv-Pro helps secure your applications, please star this repository to show your support!
Built with ❤️ by developers, for developers
Keep your secrets secret. Stay secure with SecureEnv-Pro.
File details
Details for the file vlt_cli-1.0.0.tar.gz.
File metadata
- Download URL: vlt_cli-1.0.0.tar.gz
- Upload date:
- Size: 21.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b8f5b66d8822f79784d079bd0d2be70524fc8579a706ae9cd0c4519aa3530ee8 |
| MD5 | 71437258ec9454ab67cb45b9b186e933 |
| BLAKE2b-256 | 879df954ad2c909333f59a08be8dd987b4a185ff5df179f8e6af58d52448e325 |
File details
Details for the file vlt_cli-1.0.0-py3-none-any.whl.
File metadata
- Download URL: vlt_cli-1.0.0-py3-none-any.whl
- Upload date:
- Size: 14.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 838d17f9d334af370b515fde34a40fbda9ef231a60d1787e40c3c705354f2eef |
| MD5 | b72c2f31909c1e82530f39483d5330f1 |
| BLAKE2b-256 | 875c390be94ef9761252dcda513377ff6dae20e0507202f85422f170da8ae0a4 |