envsecrets

CLI tool for managing encrypted environment files using GCS and age encryption.

Features

• Secure storage: Environment files encrypted with age and stored in Google Cloud Storage
• Version history: Git-based versioning for all environment files
• Team sharing: Share encrypted environment files across your team via GCS
• Simple workflow: Push/pull workflow similar to git
• Multi-machine clarity: envsecrets status tells you whether to push, pull, reconcile, or do nothing — and envsecrets sync runs the safe action automatically. Push refuses to silently overwrite changes another machine made.

Installation

Homebrew (macOS, Linux)

brew install charliek/tap/envsecrets

Linux (apt)

sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://apt.stridelabs.ai/pubkey.gpg | \
  sudo tee /etc/apt/keyrings/apt-charliek.gpg > /dev/null
echo 'deb [signed-by=/etc/apt/keyrings/apt-charliek.gpg] https://apt.stridelabs.ai noble main' | \
  sudo tee /etc/apt/sources.list.d/apt-charliek.list
sudo apt update
sudo apt install envsecrets

Tested on Pop!_OS 24.04 and Ubuntu 24.04+. Architectures: amd64, arm64. See apt-charliek for the full repo.

Linux (.deb download, no apt repo)

For one-off installs without configuring the apt repo (CI runners, locked-down hosts, etc.):

ARCH=$(dpkg --print-architecture)        # amd64 or arm64
# Resolve the latest tag from GitHub's `latest` redirect — no manual edits needed when a new version ships.
VERSION=$(curl -fsS -o /dev/null -w '%{redirect_url}' \
            https://github.com/charliek/envsecrets/releases/latest \
          | sed 's#.*/v##')
curl -fLO "https://github.com/charliek/envsecrets/releases/download/v${VERSION}/envsecrets_${VERSION}_${ARCH}.deb"
sudo apt install -y "./envsecrets_${VERSION}_${ARCH}.deb"

The apt install ./...deb form resolves dependencies; plain dpkg -i would skip that step.

Go install

go install github.com/charliek/envsecrets/cmd/envsecrets@latest

From source

git clone https://github.com/charliek/envsecrets.git
cd envsecrets
make install

Quick Start

1. Initialize configuration:

envsecrets init

2. Create a .envsecrets file in your project listing files to track:

.env
.env.local

3. Push your environment files:

envsecrets push -m "Initial commit"

4. Pull environment files on another machine:

envsecrets pull

5. From any machine, see what to do next:

envsecrets status   # shows: in sync / push / pull / reconcile
envsecrets sync     # runs the recommended safe action automatically

Documentation

Full documentation is available at https://charliek.github.io/envsecrets

Configuration

Configuration is stored in ~/.envsecrets/config.yaml:

bucket: your-gcs-bucket
passphrase_env: ENVSECRETS_PASSPHRASE  # or use passphrase_command

License

MIT