envoak
Now on npm

Secure Secrets. Everywhere.

Share .env files and secrets securely across machines, environments, and platforms. One encrypted vault, accessible anywhere your code runs.

npm install -g envoak

~/my-project

  $ envoak init
  🔐 Initializing envoak...
  ✓ Generated encryption key: 869853411a4b7212...
  ✓ Created .envoakrc

  $ envoak push
  🔒 Encrypting .env → .env.enc
  ✓ Vault sealed. Safe to commit.

  # On another machine...
  $ export ENVOAK_KEY=869853411a4b7212...
  $ envoak pull
  ✓ Decrypted .env.enc → .env
  🔓 Secrets restored!

😰 The Problem

  • Environment files contain secrets that can't be committed to git
  • Sharing .env files via Slack, email, or USB is insecure
  • New team members wait hours for credentials
  • CI/CD pipelines need manual secret configuration
  • Multi-repo projects have scattered, inconsistent secrets

✨ The envoak Way

  • AES-256-GCM encryption — military-grade security
  • Commit encrypted .env.enc safely to git
  • Share key once, sync secrets forever
  • CI/CD just needs ENVOAK_KEY environment variable
  • Global scan command manages all your repos

Features

Everything You Need for Secure Secrets

🔐

AES-256-GCM Encryption

Industry-standard authenticated encryption. Each encryption uses a unique IV from a cryptographically secure random source.

🔑

Simple Key Management

One 64-character hex key per project. Generate with envoak keys --generate or use your own.
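
The two cards above describe the scheme: a 64-character hex key (32 bytes) and AES-256-GCM with a fresh random IV for every encryption. As an added example (not envoak's own code; the iv || tag || ciphertext layout and all function names are assumptions for illustration), this Node.js sketch shows that scheme and how authenticated encryption makes a wrong key or an altered file fail outright instead of yielding corrupted secrets:

```javascript
// Added example: a sketch of the scheme described above, not envoak's own code.
// The container layout (iv || tag || ciphertext) is an assumption for illustration.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const IV_LEN = 12;  // 96-bit IV, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Accept only a 64-character hex string (32 bytes = 256-bit key).
function parseKey(hex) {
  if (typeof hex !== 'string' || !/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('key must be exactly 64 hex characters');
  }
  return Buffer.from(hex, 'hex');
}

// Encrypt plaintext; a fresh random IV is drawn for every call.
function seal(plaintext, hexKey) {
  const key = parseKey(hexKey);
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Decrypt and verify; throws if the key is wrong or the blob was modified.
function unseal(blob, hexKey) {
  const key = parseKey(hexKey);
  if (blob.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const body = blob.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Returns true when unseal() rejects the input instead of returning plaintext.
function rejects(blob, hexKey) {
  try { unseal(blob, hexKey); return false; } catch { return true; }
}

// Constructed sample data: a throwaway key and a fake .env body.
const demoKey = randomBytes(32).toString('hex');
const demoEnv = 'DB_PASSWORD=example-only\nAPI_TOKEN=example-only\n';
const sealed = seal(demoEnv, demoKey);
const tampered = Buffer.from(sealed);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
console.log(unseal(sealed, demoKey) === demoEnv, rejects(tampered, demoKey));
```
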

📦

Git-Friendly Workflow

Encrypted files are safe to commit. Your secrets travel with your code, protected by the key.

🌐

Cross-Platform Sync

Works on macOS, Linux, and Windows. Share secrets across any development environment.

🔍

Global Scan Command

Audit all repositories at once with envoak scan. Find unencrypted secrets and stale vaults.

🤖

MCP Integration

AI agents can audit, encrypt, and decrypt via Model Context Protocol. Perfect for agentic workflows.

Integration

Works with Your Tools

Myceliumail

envoak + Mycmail

When generating Mycmail encryption keys, back them up automatically to your envoak vault.

mycmail generate-keys --vault
⚙️

CI/CD Pipelines

Set ENVOAK_KEY as a secret in GitHub Actions, GitLab CI, or any pipeline.

ENVOAK_KEY=${{ secrets.ENVOAK_KEY }}
🐳

Docker & Containers

Include .env.enc in your image, inject key at runtime. No secrets in layers.

docker run -e ENVOAK_KEY=... myapp

Commands

Full Command Reference

envoak init
    Initialize envoak in current directory. Creates .envoakrc config.

envoak push
    Encrypt .env → .env.enc using ENVOAK_KEY from environment.

envoak pull
    Decrypt .env.enc → .env using ENVOAK_KEY from environment.

envoak status
    Show vault status: encrypted, decrypted, or out of sync.

envoak audit
    Audit current directory for .env files and encryption status.

envoak scan [dir]
    Recursively scan directory for all .env files. Global secret audit.

envoak keys --generate
    Generate a new 64-character hex encryption key.

envoak keys --propagate
    Share key across all repos found by scan. One key, many projects.

Use Cases

Built for Real Workflows

🧑‍💻 Solo Developer

Sync secrets between your laptop, desktop, and cloud VMs without ever exposing them in plain text.

👥 Team Onboarding

New developer joins? Share the ENVOAK_KEY once. They git pull && envoak pull and they're ready.

🏗️ Monorepo Management

Use envoak scan to audit all projects. Propagate keys to ensure consistent encryption.

🤖 AI Agent Workflows

Agents can use MCP tools to check vault status and manage secrets without exposing keys in prompts.

FAQ

Common Questions

Yes! envoak uses AES-256-GCM, the same encryption standard used by governments and financial institutions. Each encryption uses a unique initialization vector (IV) from a cryptographically secure random source. The 64-character hex key provides 256 bits of entropy — virtually uncrackable with current technology.

We recommend using a password manager (1Password, Bitwarden), an encrypted messaging app (Signal), or your company's secrets management system. Never share keys via unencrypted email or Slack. For AI agents, consider using Mycmail's encrypted messaging with envoak backup.

Absolutely! Create separate .env files (.env.dev, .env.staging, .env.prod) and use different ENVOAK_KEY values for each. The --file flag lets you specify which file to encrypt/decrypt.

The encrypted file cannot be recovered without the key — that's the security guarantee. Always store your key in a secure location like a password manager. For critical projects, consider key escrow with a trusted party.

No. envoak is 100% local and offline. Your secrets are encrypted and stored as .env.enc files in your repository. We never transmit, store, or have access to your secrets or keys. You own your data completely.

Ready to Secure Your Secrets?

Get started in seconds with a single npm install.

npm install -g envoak