Zero-Knowledge Secret Management for Developers & Teams
The open-source alternative to Doppler and Infisical. Your secrets never leave your device unencrypted.
CriptEnv is a secret management platform built for developers who need to securely store, share, and sync environment variables, API keys, and sensitive credentials across teams and infrastructure.
Unlike traditional secret managers, CriptEnv uses Zero-Knowledge Encryption: your secrets are encrypted on your device with AES-256-GCM before ever reaching our servers. We store only opaque encrypted blobs; we cannot read your secrets, even if we wanted to.
Your secrets are scattered everywhere:
- `.env` files on multiple machines, accidentally committed to Git
- Plain-text messages in Slack, Email, or WhatsApp
- Hosting dashboards (Vercel, Render) without central control
- Personal notes and generic password managers
75% of data breaches involve exposed credentials. CriptEnv solves this with a unified, encrypted vault that stays under your control.
```
 Your Device                          CriptEnv Servers
 ───────────                          ────────────────
┌─────────────┐   Encrypted Blob    ┌─────────────┐
│  Password   │ ──────────────────► │    Vault    │
│      │      │                     │   Storage   │
│      ▼      │                     │             │
│   PBKDF2    │                     │   (We can   │
│      │      │                     │    NEVER    │
│      ▼      │                     │   decrypt   │
│   AES-256   │   Encrypted Blob    │    this)    │
│   Encrypt   │ ◄────────────────── │             │
└─────────────┘                     └─────────────┘
```
- You enter the project's Vault password on your device
- Secrets are encrypted with AES-256-GCM using a key derived from that password
- Only the encrypted blob is sent to our servers
- Decryption happens in memory inside the CLI or web app, never on the server
```bash
pip install criptenv
```

Requires Python 3.10+.

```bash
# Authenticate with your account
criptenv login --email you@example.com
```

`criptenv init` is optional and only prepares local CLI metadata under `~/.criptenv/`.
```bash
# Add a secret to the remote project vault (encrypted locally before sending)
criptenv set DATABASE_URL=postgres://localhost/mydb
criptenv set API_KEY=your_api_key_here

# List all secrets (names only; values are never exposed)
criptenv list

# Get a decrypted value
criptenv get DATABASE_URL

# Import from an existing .env file
criptenv import .env

# Export to .env
criptenv export -o .env.production
```

```bash
# Import a .env file into the remote vault
criptenv push .env.production -p my-project

# Export the remote vault to a local .env file
criptenv pull -p my-project --output .env.production
```

| Command | Description |
|---|---|
| `criptenv init` | Prepare local CLI metadata (optional) |
| `criptenv login` | Sign in to your CriptEnv account |
| `criptenv set KEY=VALUE` | Encrypt and store a secret in the remote vault |
| `criptenv get KEY` | Decrypt and retrieve a secret in memory |
| `criptenv list` | List remote secret keys (names only) |
| `criptenv delete KEY` | Remove a secret from the remote vault |
| `criptenv push FILE -p PROJECT` | Import .env secrets into the remote vault |
| `criptenv pull -p PROJECT -o FILE` | Export remote secrets to a file |
| `criptenv import FILE` | Import secrets from .env file into the remote vault |
| `criptenv export -o FILE` | Export remote secrets to .env or JSON |
| `criptenv rotate KEY` | Rotate a secret value |
| `criptenv doctor` | Check CLI health and connectivity |
Prefer a visual interface? Use the web dashboard at:
https://criptenv.77mdevseven.tech
Features:
- Projects & Environments: Organize secrets by project and environment
- Team Management: Invite members, manage roles
- Audit Logs: Complete history of who accessed what and when
- Secret Rotation: Set expiration dates and receive alerts
- Cloud Integrations: Sync secrets with Vercel and Render
- 2FA / OAuth: GitHub, Google, Discord login + TOTP support

| Feature | Description |
|---|---|
| Zero-Knowledge | Server never sees plaintext. AES-256-GCM client-side encryption. |
| CLI-First | Natural terminal workflow. Fast, scriptable, automation-friendly. |
| Web Dashboard | Visual interface for teams and non-technical members. |
| Team Sync | Securely share encrypted vaults across devices and teammates. |
| Audit Logs | Complete trail of every secret operation. |
| CI/CD Native | GitHub Action, CI tokens, and cloud provider sync. |
| 2FA & OAuth | TOTP + GitHub/Google/Discord authentication. |
| Self-Hostable | Open source. Deploy on your own infrastructure. |
CriptEnv is built with security as the primary design constraint:
- AES-256-GCM: Industry-standard authenticated encryption
- PBKDF2-HMAC-SHA256: 100,000 iterations for project vault key derivation
- HKDF-SHA256: Per-environment key derivation
- HTTP-Only Cookies: Session tokens are not readable by page scripts, protecting them from theft via XSS
- Rate Limiting: Tiered protection against abuse
- Audit Logs: Complete traceability of all operations
We cannot decrypt your secrets. Even with full database access, your data remains cryptographically secure because the encryption key never leaves your devices.
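The primitives listed above and the client-side flow described earlier (vault password, PBKDF2, per-environment HKDF, AES-256-GCM), as an added Python example using the `cryptography` package. It is not CriptEnv's own code: the blob layout (salt || nonce || ciphertext), the 16-byte salt, the `env:` HKDF label and the use of the secret name as associated data are assumptions.

```python
# Added illustration. The blob layout, salt/nonce sizes and HKDF "info" label
# are assumptions, not CriptEnv's actual wire format.
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

PBKDF2_ITERATIONS = 100_000   # iteration count stated on the page
SALT_LEN, NONCE_LEN = 16, 12  # assumed sizes (96-bit nonce is the GCM norm)


def derive_env_key(password: str, salt: bytes, environment: str) -> bytes:
    """Vault password -> PBKDF2 vault key -> HKDF per-environment key."""
    vault_key = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt,
                           iterations=PBKDF2_ITERATIONS).derive(password.encode())
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"env:" + environment.encode()).derive(vault_key)


def encrypt_secret(password: str, environment: str, name: str, value: str) -> bytes:
    """Build the opaque blob a server would store: salt || nonce || ct+tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_env_key(password, salt, environment)
    # The secret name is bound as associated data, so a stored blob cannot be
    # silently moved under a different key name.
    return salt + nonce + AESGCM(key).encrypt(nonce, value.encode(), name.encode())


def decrypt_secret(password: str, environment: str, name: str,
                   blob: bytes) -> Optional[str]:
    """Decrypt on the client. None = wrong password/environment/name or tampering."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_env_key(password, salt, environment)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, name.encode()).decode()
    except (InvalidTag, ValueError):  # bad tag, or blob too short to parse
        return None


if __name__ == "__main__":
    blob = encrypt_secret("vault-pass", "production", "API_KEY", "constructed-value")
    print(len(blob), decrypt_secret("vault-pass", "production", "API_KEY", blob))
    print(decrypt_secret("wrong-pass", "production", "API_KEY", blob))
```

Because only the blob is stored, the strength of the vault password and the PBKDF2 cost are what stand between a leaked database and the plaintext.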
- User Guide: https://criptenv.77mdevseven.tech/docs
- API Reference: https://criptenv-api.77mdevseven.tech/docs
- Local Development: docs/development/local-setup.md
- Architecture & Decisions: docs/project/architecture.md
- Changelog: docs/development/CHANGELOG.md
Want to contribute or self-host? Check out:
- Local Development Guide: Clone, build, and run the full stack locally
- CONTRIBUTING.md: Contribution guidelines, commit conventions, and PR process
- AGENTS.md: Guidelines for AI coding agents
| Layer | Technology |
|---|---|
| CLI | Python, Click, cryptography |
| Backend | FastAPI, SQLAlchemy, PostgreSQL, Redis |
| Frontend | Vinext (Next.js), React, Tailwind CSS |
| Deploy | Cloudflare Pages + Workers, VPS Docker |
MIT License. See LICENSE for details.