Stop storing secrets in plaintext

Encrypted environment variables for teams.
Built on battle-tested SOPS. Backend MVP live. Team features shipping.

AES-256-GCM Military-grade encryption
100% Offline Works without internet
Built on SOPS Mozilla's proven tech
envv demo
$ envv push .env --env production
✓ Encrypted for 3 team members
$ envv secrets set API_KEY "sk_live_..." -e prod
✓ Updated atomically (pull→encrypt→push)
$ envv run -- npm start
✓ Decrypted in memory
Zero plaintext on disk. Ever.

The Problem Every Team Has

💀

Plaintext .env Files

API keys, database URLs, and tokens sitting unencrypted on every laptop. One git mistake away from a data breach.

🔑

Manual Key Distribution

"Hey can someone Slack me the production secrets?" Your security team just had a heart attack.

🤷

No Audit Trail

Who accessed what? When did they rotate that API key? No idea. Hope nothing breaks.

πŸ—οΈ

Enterprise Overkill

Vault is amazing... if you have a dedicated ops team. Most teams just want secrets to work.

How envv Actually Works

We built a team collaboration layer on top of Mozilla SOPS.
Encrypted secrets sync via our backend. Zero plaintext on disk. Ever.

Your Machine

  • ✓ envv run decrypts in memory
  • ✓ Cached in .envv/ (encrypted)
  • ✓ AES-256-GCM + Age keys
  • ✓ Private keys never leave
  • ✓ Works offline after first pull
⟷

envv Backend

  • ✓ Stores encrypted secrets
  • ✓ Can't decrypt (zero-knowledge)
  • ✓ Team membership + public keys
  • ✓ Audit logs & compliance
  • ✓ Row Level Security (RLS)

End-to-End Encrypted

We store your secrets so teammates can sync them, but we can't read them.

Secrets are encrypted on your machine using your team's public keys, then pushed to our servers. Only team members with the matching private keys can decrypt. Private keys never leave your machine. If our servers get breached, attackers get ciphertext they can't use.

Open Source

Check the code yourself. View on GitHub

Client-Side Encryption

Encryption happens locally. We never see plaintext.

Built on SOPS

Mozilla's proven crypto since 2015. Architecture

What Makes envv Different

                     SOPS     Vault     1Password   envv
Works offline        ✓        ✗         ✗           ✓
Team onboarding      Manual   Complex   ✓           ✓
Audit trail          ✗        ✓         ✓           ✓
Built for teams of   1-2      20+       Any         3-10

SOPS is great. Vault is powerful. 1Password works for many teams. We're focused on the gap: teams too big for manual key management, too small for enterprise complexity.

What You Get

🔐

Military-Grade Encryption ✅ Live

AES-256-GCM encryption. Same crypto that protects government secrets. Built on Mozilla SOPS, trusted by thousands of companies.

👥

Team Management 🚀 MVP

Create organizations, generate age keys automatically. Role-based membership ready. Full invitation system included.

📊

Full Audit Trail

Who decrypted what secret, when? Database schema ready. Audit logging implementation in progress. SOC 2 ready architecture.

🔄

Key Rotation 🚀 MVP

Rotate encryption keys with SOPS. Team-wide secret rotation included. Database infrastructure ready.

✈️

Works Offline ✅ Live

Airplane? VPN down? No problem. Encryption and decryption happen locally. Internet only needed for team sync.

🎯

Git-Friendly ✅ Live

Commit encrypted files safely. Meaningful diffs. Easy merge conflicts. Works with your existing workflow.

🔌

Integrate Everything ✅ Live

Works with PGP, age, AWS KMS, GCP KMS, Azure Key Vault, and HashiCorp Vault. Use what you already have.

⚡

CLI Integration 🚀 MVP

Backend API ready for CLI. /cli/init endpoint provides SOPS config and keys. Full CLI commands in development.

Development Status

Production Ready

  • + AES-256-GCM encryption
  • + SOPS battle-tested core
  • + Offline-first operation
  • + Multi-cloud KMS support
  • + Git-friendly encrypted files

Backend MVP (Live)

  • + User auth & JWT tokens
  • + Organization creation
  • + Automatic age key gen
  • + CLI integration endpoint
  • + Database with RLS

Roadmap

  • - Team invitation system
  • - Full audit logging
  • - CLI wrapper commands
  • - Email notifications
  • - Project management
  • - "Easy Install" scripts

Building in public. Core encryption is production-ready (it's SOPS). Team features in active development. See the code

Pricing

For small teams (3-10 people) who want secrets to just work.
If you're solo or can build this yourself, you probably should.

Design Partner Program

We're working with 10 teams to figure out what actually matters for secret management.
Work directly with us for 3 months. Help shape the product. Pay nothing until we've earned it.
Apply for design partner program →

Ready to Stop Storing Secrets in Plaintext?

Join the waitlist for early access. We're onboarding design partners now.

No spam. We'll email you when we're ready.