Skip to content


Repository files navigation

envbox - Secure environment variables via NaCl secretbox

Have you ever felt squirely about this?

$ export GITHUB_TOKEN=abcabcabcabcabcabc
$ some-command --that needs --github authentication

Now that environment variable is in your shell's history, not to mention that it's exposed to every command that you run.

Wouldn't it be nice if you could store environment variables like GITHUB_TOKEN encrypted and expose them only to the commands that need them? Well, that's what envbox tries to do.


1. Install

Grabbing one of the releases or use holen.

2. Set key

Generate and set a key:

$ envbox key generate --set


Store an environment variable

$ envbox add -n GITHUB_TOKEN
value: abcabcabcabcabc
$ envbox ls

Run commands that need those environment variables

Envbox will add the variable to the environment and then run the command.

$ envbox run -e GITHUB_TOKEN -- some-command --that needs --github authentication

For ease of use, set up an alias.

$ alias some-command="envbox run -e GITHUB_TOKEN -- some-command"
$ some-command --that needs --github authentication

To run a command that has an environment variable as an argument, quote it and run through bash:

$ envbox run -e GITHUB_TOKEN -- bash -c 'some-command --that needs --github $GITHUB_TOKEN'

Key storage

By default, envbox will store the key locally in a plaintext file, which moves the security concerns from bash history to system security.

To aid in this, if the appropriate docker credential helper is found in your $PATH, then that will be used to store the key.