Zero-knowledge
AES-256-GCM encryption happens entirely on your machine. The server stores ciphertext blobs it mathematically cannot decrypt, even with full database access.
curl -fsSL https://envsh.dev/install.sh | sh
Your SSH keys
No new credentials to manage. envsh uses your existing Ed25519 SSH keys for asymmetric key wrapping. If you have ~/.ssh/id_ed25519, you’re ready.
Push & pull
Git-like workflow for secrets. push generates a fresh AES key, encrypts, wraps per-recipient, and uploads. pull unwraps and decrypts locally.
CI/CD machines
Ed25519 machine identities with challenge-response auth. Each scoped to exactly one project and one environment. Short-lived JWTs, no shared credentials.
$ envsh login
✓ Code sent to you@company.com
$ envsh push .env --project my-api --env production
✓ Encrypted for 3 recipients · v1 · 12 secrets
$ envsh pull production --project my-api
✓ Decrypted · wrote .env · 12 secrets
$ envsh run --project my-api production -- node server.js
✓ Injected 12 secrets · running...
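
The push and pull steps described above amount to envelope encryption: one fresh AES-256-GCM data key per upload, wrapped once per recipient. The sketch below is an added example, not envsh's code. The page does not say how Ed25519 SSH keys are used for wrapping, so X25519 key pairs with ephemeral ECDH and HKDF-SHA256 stand in as an assumption; the function names, the wrap-demo label and the context string are hypothetical.

```javascript
// Added illustration, not envsh's code. Recipient keys are X25519 here (assumption).
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce; returns nonce, ciphertext and tag.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws if anything was altered
}

// Key-encryption key: ECDH between an ephemeral key and the recipient key, then HKDF-SHA256.
function kek(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'wrap-demo', 32));
}

// "push": fresh data key, encrypt once, wrap the data key once per recipient.
function push(plaintext, recipients, context) {
  const aad = Buffer.from(context); // binds project/env/version to every ciphertext
  const dataKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, publicKey] of Object.entries(recipients)) {
    const eph = crypto.generateKeyPairSync('x25519');
    const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
    wrapped[name] = { ephPub, ...seal(kek(eph.privateKey, publicKey, ephPub), dataKey, aad) };
  }
  return { context, body: seal(dataKey, plaintext, aad), wrapped }; // all the server stores
}

// "pull": unwrap the data key with the local private key, then decrypt the body.
function pull(blob, name, privateKey) {
  const aad = Buffer.from(blob.context);
  const w = blob.wrapped[name];
  const ephPublic = crypto.createPublicKey({ key: w.ephPub, format: 'der', type: 'spki' });
  const dataKey = open(kek(privateKey, ephPublic, w.ephPub), w, aad);
  return open(dataKey, blob.body, aad);
}
```

The stored blob holds only nonces, ciphertexts, tags and ephemeral public keys, so reading it requires a recipient's private key, and changing the context string on the server makes unwrapping fail.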