Local-First Secrets CLI

envkey encrypts your API keys and injects them on demand.

Manage secrets by profile, run tools with injected environment variables, and avoid putting your master password in shell environment variables. `ek auth` creates an ephemeral local session, so you can work across multiple commands without exposing the password again.

Ephemeral: Daemon-backed sessions
AES-256-GCM: Encrypted at rest
Profiles + Ops: Add, run, list, remove

What envkey Is

A command-line secret manager for local development. It stores credentials encrypted at rest and injects them only where needed.

How It Works

You authenticate once (`ek auth`), receive an ephemeral session token, and run `add`, `run`, `env`, and management commands without repeated password prompts.

Where It Fits

Use it for app development, scripts, and agent workflows when `.env` sprawl and shell credential leakage become an operational pain.

Features

Encrypted vault (`~/.envkey/vault.db`) with Argon2id + AES-256-GCM for at-rest protection.
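
How a password-derived key and AES-256-GCM protect a secret at rest, as an added example that is not envkey's own code. Assumptions: scrypt stands in for Argon2id so the sketch runs on Node's built-in `crypto` module alone, and the record layout, function names, and the binding of profile and key name as associated data are hypothetical.

```javascript
// Added illustration, not envkey's code. scrypt stands in for Argon2id;
// record layout, function names and AAD binding are assumptions.
const nodeCrypto = require('crypto');

// Derive a 256-bit vault key from the master password and a per-vault salt.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, { N: 1 << 14, r: 8, p: 1 });
}

// Seal one secret. Profile and key name are bound as associated data, so a
// ciphertext moved to another profile/key slot fails authentication.
function seal(key, profile, name, value) {
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(`${profile}\0${name}`));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return { profile, name, nonce, ct, tag: cipher.getAuthTag() };
}

// Open a record; returns null on a wrong key, tampering, or a relocated record.
function open(key, rec) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, rec.nonce);
    d.setAAD(Buffer.from(`${rec.profile}\0${rec.name}`));
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed: nothing is released
  }
}

// Constructed sample data: one record, then three failure cases.
function demo() {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey('constructed-master-password', salt);
  const rec = seal(key, 'dev', 'API_KEY', 'sk-constructed-example');
  const flipped = { ...rec, ct: Buffer.from(rec.ct) };
  flipped.ct[0] ^= 1; // single-bit change in the stored ciphertext
  return {
    ok: open(key, rec),
    wrongPassword: open(deriveKey('guess', salt), rec),
    tampered: open(key, flipped),
    relocated: open(key, { ...rec, profile: 'prod' }),
  };
}
```

Because GCM is authenticated, a wrong password and a modified vault file fail the same way: decryption refuses to return plaintext rather than returning garbage.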

Session Controls

Ephemeral daemon-backed sessions with `auth`, `status`, `lock`, and `logout` commands.

Profile + Key Ops

Profile-scoped add/list/remove workflows: `add`, `profiles`, `key-rm`, `profile-rm`.

Session Auth

`ek auth` unlocks once, then `ENVKEY_SESSION` authorizes subsequent commands until lock/logout/expiry.

Operational Control

Built-in lifecycle operations for keys/profiles and explicit session controls (`status`, `lock`, `logout`).

Secure by Default

No normal-path reliance on `ENVKEY_MASTER_PASSWORD`; vault operations require a valid session token.