Make security easy.
curl -fsSL https://getenvv.com/envv | sh
Change one key or all of them. Re-encrypts automatically.
$ envv secrets set
Change one key. Don't touch the rest.
$ envv edit
Opens in $EDITOR. Change anything. Save to re-encrypt.
$ envv pull --decrypt
Writes to .env for local dev. Keep it gitignored.
Your team stores secrets in plaintext because plaintext is faster. The tool you're not using already chose for you.
"DM me the prod creds?" We've all sent that message. There wasn't a better way that was also easy.
That dev who just left: what did they have access to? You need to know, and you need to rotate those keys. envv tracks it and makes rotation one command.
Vault is powerful. It's also a full-time job. You don't have a security team. You have a team that also handles security.
Encrypt locally. Sync via our backend. Decrypt only in memory.
envv run decrypts in memory
Your secrets live on our servers. We have no idea what they are.
Secrets are encrypted on your machine using your team's public keys. Only team members with matching private keys can decrypt. If our servers get breached, attackers get ciphertext they can't use.
We store ciphertext. We can't decrypt it.
Encryption happens locally. We never see plaintext.
Mozilla's proven crypto since 2015.
Invite, register, re-push, pull, run the app. No waiting around for someone to send credentials.
AES-256-GCM. Industry standard, not marketing copy.
Who accessed prod credentials last Tuesday? Now you know.
Each key encrypted separately. Change one secret, see one line change. Meaningful diffs.
Scripts. CI/CD. Local dev. One interface for secrets.
Pull once, run anywhere. Cached secrets work offline: airplane mode, flaky wifi, air-gapped CI.
Security fails when it's extra work. So we made it the default.
No extra steps. Push encrypts. Pull decrypts. The secure way is just the way it works.
Not six copies in six places. One versioned, audited source. Always know what's current.
envv run: that's what goes in chat. The secrets stay encrypted.
Someone leaves? envv rotate. Keys updated, access revoked, audit logged.
Secrets decrypt in memory, inject into your process, vanish. Nothing to leak.
We're built on SOPS, it's great. envv is the team layer SOPS doesn't have: key distribution, audit trail, team management, and simple re-encrypting when people leave.
Vault is powerful and complex. You'll likely need someone (or a platform team) to run it, upgrade it, back it up. 10-person startups shipping product don't need that overhead.
Solid products. But they see your secrets in plaintext and updating requires a web UI. We can't read yours. If zero-knowledge matters to you, that's the difference.
You're still usually left copy-pasting secrets in plaintext to your local .env and GitHub Actions, which is not a great workflow. envv is CLI-native, built for automation.
Flat pricing, not per seat. Your whole team, one price.
For individuals & pairs
3+ people
Not sure if envv fits your workflow? Have a specific use case? Just want to chat about secrets management?
We read every message. No sales pitch, just honest answers about what envv can and can't do for you.
Your keys, your data, standard formats.
Your private key lives on your machine at ~/.config/sops/age/keys.txt. We never see it. You control access, always.
We use SOPS + age: open source, battle-tested. Your encrypted files work with standard SOPS tooling. No proprietary format, no lock-in.
envv pull downloads your encrypted secrets. They're yours. Decrypt locally with your key anytime: no network, no backend, no us.
envv handles team management and sync. The cryptography is standard SOPS. We make it easy; we're not the lock on your data.
curl -fsSL https://getenvv.com/envv | sh
Windows? irm https://getenvv.com/install.ps1 | iex
14-day free trial, no card required.