Encrypted .env management for the AI-coding era — one vault for every project's secrets.
pipx install envseal-vault
The problem
Claude Code, Cursor and friends make it cheap to spin up a dozen repos a
month. Secret sprawl is the cost. EnvSeal scans every repository,
normalizes the .env* files, and syncs them into one
SOPS + age encrypted Git vault that you fully own — no SaaS,
no account, no lock-in.
What you get
SOPS + age encryption: modern, battle-tested crypto. Values are encrypted at rest in your own Git repo.
Scan N repositories, keep a single encrypted vault. Unlimited projects.
diff, list and status show key names — never values.
New laptop? envseal pull rebuilds a project's .env in seconds.
envseal report writes a static, key-only dashboard. Safe to share.
A drop-in CLAUDE.md/AGENTS.md snippet lets agents fetch secrets themselves.
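The key-only property behind diff, list and report is what makes those views safe to share. The following Python is an added example, not EnvSeal's own code: a small .env parser, a key-only diff, and a guardrail that checks a rendered report for leaked values. The .env contents are constructed.

```python
import re
from typing import Dict, List

# One assignment line of a .env file: optional "export ", a key, "=", the rest.
_ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse .env text into {key: value}. Blank and comment lines are skipped;
    matching surrounding single or double quotes are stripped from values."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue  # not an assignment; ignore rather than guess
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
            value = value[1:-1]
        env[key] = value
    return env


def list_keys(text: str) -> List[str]:
    """Key-only view: the only thing a 'list' command should print."""
    return sorted(parse_dotenv(text))


def diff_keys(old_text: str, new_text: str) -> Dict[str, List[str]]:
    """Key-only diff. Values are compared locally to detect a change,
    but only key names are ever returned."""
    old, new = parse_dotenv(old_text), parse_dotenv(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def report_leaks_values(report: str, env_text: str) -> bool:
    """Guardrail for a rendered report: True if any non-empty secret value
    from env_text appears verbatim in it (conservative; short values may
    false-positive, which is the safe direction)."""
    return any(v and v in report for v in parse_dotenv(env_text).values())


# Constructed sample .env contents; the credentials are not real.
OLD_ENV = '# local settings\nDATABASE_URL="postgres://app:oldpass@localhost/app"\n' \
          'export API_KEY=sk-constructed-old\nDEBUG=true\n'
NEW_ENV = 'DATABASE_URL="postgres://app:newpass@localhost/app"\n' \
          "export API_KEY=sk-constructed-old\nLOG_LEVEL='info'\n"
```

Rendering `diff_keys(OLD_ENV, NEW_ENV)` as text and passing it through `report_leaks_values` is the check a key-only dashboard should pass before it is published.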
How it works
envseal init
Generate an age key, scan your repos, point at your vault.
envseal push --commit
Encrypt every .env* with SOPS and commit it to the vault.
envseal pull <project> --env local --replace
Decrypt a project's secrets back into place — on any machine.
For AI coding agents
Paste this into a project's CLAUDE.md, AGENTS.md
or .cursorrules. When the agent hits a missing
.env, it runs one command instead of stalling or inventing
fake keys:
## Secrets & environment variables
This project's .env* files are not committed — they are managed with EnvSeal (encrypted in a separate vault).
- Create the local .env: envseal pull <PROJECT> --env local --replace
- After editing a secret, sync it back: envseal push --commit
- See which keys exist without decrypting: envseal list
- Never commit .env*, never print secret values into logs.
More ready-to-paste prompts — docs/ai-agents.md
Why EnvSeal