Secrets that never touch disk
Store environment secrets in your OS-native credential store. Not in dotfiles. Not in plaintext. Not in the cloud. Just your Keychain, your rules.
Features
Everything you need.
Nothing you don't.
Architecture
Your OS is the vault
envsec delegates encryption to battle-tested credential stores. Metadata (key names, timestamps) lives in a local SQLite database. Values never do.
SQLite (key names only)
OS Credential Store
Use Cases
Real problems, real solutions
Common scenarios in everyday development and how envsec solves them.
How do I clean up .env files scattered across old projects?
Over time, plaintext .env files pile up in forgotten project directories. A quick find reveals dozens of them sitting on disk with real credentials inside. Import them into envsec, delete the files, and regenerate them only when you need them.
How do I manage different secrets for dev, staging, and production?
Maintaining separate .env files for each environment is fragile and error-prone. It's easy to mix up credentials between environments.
How do I run my app with secrets without exposing them in shell history?
Passing secrets inline in commands exposes them in shell history and `ps` output. They should be injected as environment variables of the child process. With `-c` you can switch context (e.g. dev, staging, prod) and run the same command against different sets of secrets.
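The argv-versus-environment point above, as an added example (not envsec's own code): a minimal Python launcher that refuses a command carrying a secret inline and hands secrets to the child only through its environment. `DEMO_API_KEY`, its sample value, and the function names are constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed sample value, not a real credential.
SAMPLE_SECRETS = {"DEMO_API_KEY": "sk_test_constructed_0123456789"}


def leaked_in_argv(argv, secrets):
    """Return names of secrets whose value appears in any command-line argument."""
    return sorted(name for name, value in secrets.items()
                  if any(value in arg for arg in argv))


def run_with_secrets(argv, secrets):
    """Run argv with the secrets present only in the child's environment."""
    leaked = leaked_in_argv(argv, secrets)
    if leaked:
        # Arguments show up in `ps` output for as long as the process runs.
        raise ValueError(f"secret value passed inline in argv: {leaked}")
    child_env = {**os.environ, **secrets}  # a copy; the parent's env is untouched
    # argv is a list and no shell is involved, so no command string is re-parsed.
    return subprocess.run(argv, env=child_env, capture_output=True,
                          text=True, check=True)


def child_argv():
    """Hypothetical child program: prints the length of the secret it received."""
    code = "import os; print(len(os.environ['DEMO_API_KEY']))"
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    result = run_with_secrets(child_argv(), SAMPLE_SECRETS)
    print("child saw a secret of length:", result.stdout.strip())
    print("parent env has DEMO_API_KEY:", "DEMO_API_KEY" in os.environ)
    # The inline form the paragraph warns about: the value sits in argv.
    bad = ["curl", "-H", "Authorization: Bearer " + SAMPLE_SECRETS["DEMO_API_KEY"]]
    print("inline form leaks:", leaked_in_argv(bad, SAMPLE_SECRETS))
```

The child's environment is still readable by processes running as the same user and is inherited by anything the child spawns.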
How do I generate a .env file for tools that require one (Docker, frameworks)?
Some tools like Docker Compose or frameworks require a physical .env file. You need a way to generate it on-demand without keeping it in the repo.
How do I import secrets from an existing .env file?
You already have a .env file with dozens of variables and want to migrate them into the native credential store without re-entering each one manually.
How do I check for expired or expiring secrets?
API keys and tokens have expiration dates. Without an audit system, you risk discovering expired credentials only when something breaks in production.
How do I securely share secrets with a teammate?
Sending credentials over Slack, email, or messages is insecure. You need an encrypted channel and a format the recipient can easily import.
How do I reuse my dev API keys when starting a new project or POC?
When you start a new project or try a new tool, you often need the same API keys you already use in development. Instead of hunting through dashboards or creating new ones, copy them from your dev context into the new project context in one command.
How do I use Next.js without keeping secrets in .env.local?
Vercel's CLI pulls environment variables into a local .env.local file, but that file sits on disk with real credentials. Import it into envsec, delete the file, and use envsec shell to inject secrets at runtime, with no plaintext file needed.
How do I generate secure API keys or passwords without leaving the terminal?
You need a cryptographically secure secret for an API key, database password, or webhook signing key. Instead of reaching for an external tool or website, generate and store it in one command, with a prefix, custom length, and character set.
How do I export secrets as environment variables in my current shell?
You want secrets available as environment variables in your current session, without writing any files to disk.
Install
Ready in seconds
One command. No config. Node.js 22+ required.
$ brew install davidnussio/homebrew-tap/envsec
Verify installation: envsec --version