env-vault

CLI tool for secure .env secrets management — encrypt, share, and sync environment variables across teams.

Installation

pip install -e .

Quick Start

# Initialize a new vault (generates a master key)
env-vault init

# Or initialize with your own key
env-vault init --key "my-secret-master-key"

# Set secrets
env-vault set DATABASE_URL "postgres://user:pass@localhost/db"
env-vault set API_KEY "sk-abc123"
env-vault set REDIS_URL "redis://localhost:6379"

# Get a secret
env-vault get DATABASE_URL

# List all keys (values hidden)
env-vault list

# Export all secrets to .env file
env-vault export
env-vault export -o .env

# Import from existing .env file
env-vault import .env

# Delete a secret
env-vault delete API_KEY

Master Key

The master key is resolved in the following order:

1. --key flag on any command
2. VAULT_KEY environment variable
3. .vault/master.key file (created by env-vault init)

# Using environment variable
export VAULT_KEY="my-secret-key"
env-vault set SECRET value

# Using --key flag
env-vault get SECRET --key "my-secret-key"

Storage

Secrets are stored in .vault/secrets.enc as a Fernet-encrypted JSON blob. The .vault/ directory should be added to .gitignore (done automatically).

Project Structure

env_vault/
├── __init__.py     # Package metadata
├── cli.py          # Click CLI commands
├── crypto.py       # Fernet encryption/decryption
└── storage.py      # Vault file I/O
setup.py            # Package setup (pip install -e .)