Core EnvKey fetch/decryption/verification logic. Give it an ENVKEY, get back decrypted config as json. Compiles static cross platform binaries that can be easily built upon.
Clone or download
Latest commit fa2abef Oct 9, 2018


This library contains EnvKey's core cross-platform fetching, decryption, verification, web of trust, redundancy, and caching logic. It accepts an ENVKEY generated by the EnvKey App and returns decrypted configuration for a specific app environment as json.

It is used by EnvKey's various Client Libraries, including envkey-source for bash, envkey-ruby for Ruby and Rails, envkey-python for Python, envkey-node for Node.js, and envkeygo for Go.

If you want to build an EnvKey library in a language that isn't yet officially supported, build some other type of integration, or simply play around with EnvKey on the command line, envkey-fetch is the library for you. If you just want to integrate EnvKey with your project, check out one of the aforementioned higher level libraries.


envkey-fetch compiles into a simple static binary with no dependencies, which makes installation a simple matter of fetching the right binary for your platform and putting it in your PATH. An script is available to simplify this.

Install via bash:

curl -s | bash

Install manually:

Find the release for your platform and architecture, and stick the appropriate binary somewhere in your PATH (or wherever you like really).

Install from source:

With Go installed, clone the project into your GOPATH. cd into the directory and run go get and go build.

Cross-compile from source:

To compile cross-platform binaries, make sure Go is installed, then install goreleaser - follow instructions in the docs to do so.

Then to cross-compile, run:


Binaries for each platform will be output to the dist folder.


envkey-fetch YOUR-ENVKEY [flags]

This will either write your the app environment's configuration associated with your ENVKEY as json to stdout or write an error message beginning with error: to stdout.

Example json output


Example error output

error: ENVKEY invalid


    --cache              cache encrypted config as a local backup (default is false)
    --cache-dir string   cache directory (default is $HOME/.envkey/cache)
-h, --help               help for envkey-fetch
-v, --version            prints the version
    --verbose            print verbose output (default is false)
    --timeout float      timeout in seconds for http requests (default 2)

Further Reading

For more on EnvKey in general:

Read the docs.

Read the integration quickstart.

Read the security and cryptography overview.

Need help? Have questions, feedback, or ideas?

Post an issue or email us: