xenvsync
Encrypt, commit, and inject .env secrets — a blazing-fast CLI with AES-256-GCM encryption, X25519 team sharing, and zero cloud.
The problem
Secrets management usually forces a choice between a cloud service you must trust (and pay for) and plaintext .env files that leak through chat, get lost, or get rebuilt by hand. xenvsync keeps secrets in git, encrypted end-to-end, with no SaaS in the loop — and adds asymmetric team sharing and in-memory injection that most tools skip.
Encryption & team-sharing pipeline
Step through what happens from passphrase to a committed, end-to-end-encrypted vault.
01 Passphrase (optional)
Scrypt (N=32768, r=8, p=1) stretches your passphrase into a 32-byte key-encryption key that wraps the master key itself with AES-256-GCM.
Architecture
- Single Go binary, zero runtime dependencies, cross-compiled for Linux/macOS/Windows via GoReleaser
- V1 symmetric: AES-256-GCM with a 32-byte key and a fresh 12-byte nonce per operation; the key lives in .xenvsync.key (mode 0600) with an optional scrypt-derived passphrase KEK
- V2 team sharing: X25519 ECDH per-member key slots from ephemeral keypairs — each member decrypts only their own slot; add or revoke members without re-encrypting history
- Vault file format wraps base64 ciphertext (and, for V2, the JSON key-slot array) with headers, so vaults are safe to commit
- .env parsing handles multiline and quoted values plus fallback merging (.env.shared < .env.<name> < .env.local)
- In-memory injection: xenvsync run merges secrets into the child process environment only — plaintext never touches disk or shell history
- Operability: key rotation, atomic member revocation, a git-diff audit log, and a verify/doctor pair that catches GCM auth failures, duplicate keys, and stale vaults
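To make the V1 key wrapping and the V2 key-slot scheme concrete, the following is an added example written for this page, not xenvsync's own code, using only the Go standard library. sealGCM and openGCM are the AES-256-GCM primitive with a fresh random 12-byte nonce per call; in V1 this is the same operation that wraps the master key under the scrypt-derived KEK (the KEK is passed in as a constructed 32-byte value here because scrypt is outside the standard library). makeSlots and unlockSlot build and open X25519 per-member slots from ephemeral keypairs. The slot struct, the function names, and the SHA-256 step that turns the ECDH shared secret into a wrapping key are assumptions of this example, not the tool's actual format or KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD; aes.NewCipher rejects keys that are not 16, 24 or 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts under key with a fresh random 12-byte nonce prepended, so repeats never collide.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key or a single flipped byte fails the tag check.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

// slot is a V2-style per-member entry (an assumed layout): the vault key sealed under a key agreed between a one-off X25519 keypair and the member's long-term public key.
type slot struct {
	ephemeralPub []byte // kept so the member can repeat the agreement
	wrappedKey   []byte // vault key sealed with AES-256-GCM
}

func newIdentity() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) } // member identity key

// slotKey turns the raw shared secret into a 32-byte wrapping key; SHA-256 is an assumption for this example.
func slotKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

// makeSlots wraps vaultKey once per member, with a fresh ephemeral keypair for each slot.
func makeSlots(vaultKey []byte, members ...*ecdh.PublicKey) ([]slot, error) {
	var slots []slot
	for _, pub := range members {
		eph, err := newIdentity()
		if err != nil {
			return nil, err
		}
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		wrapped, err := sealGCM(slotKey(shared), vaultKey)
		if err != nil {
			return nil, err
		}
		slots = append(slots, slot{ephemeralPub: eph.PublicKey().Bytes(), wrappedKey: wrapped})
	}
	return slots, nil
}

// unlockSlot recovers the vault key from one slot; only the matching member's private key succeeds.
func unlockSlot(s slot, member *ecdh.PrivateKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.ephemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := member.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return openGCM(slotKey(shared), s.wrappedKey)
}

func main() {
	alice, _ := newIdentity()
	slots, _ := makeSlots([]byte("0123456789abcdef0123456789abcdef"), alice.PublicKey()) // constructed 32-byte vault key
	got, err := unlockSlot(slots[0], alice)
	fmt.Printf("recovered %q, err=%v\n", got, err)
}
```

Flipping any byte of a wrapped key or slot makes gcm.Open fail, which is the GCM authentication failure the verify/doctor pair reports; a member who tries another member's slot hits the same failure because the agreed key differs. Adding a member means appending one slot, and the vault key itself is never re-encrypted for the others.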
Highlights
Zero cloud in the trust chain
Keys never leave the developer's machine, and once secrets are encrypted the tool works fully offline. No vendor, no account, no compliance friction.
Asymmetric team sharing via X25519
Each member holds their own identity key; vaults carry a per-member encrypted slot, so members can be added or revoked atomically without re-encrypting existing secrets.
In-memory injection
Secrets are decrypted straight into a child process's environment — never written to disk — paired with a fresh random nonce per operation.
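The .env handling from the Architecture list (multiline and quoted values, the .env.shared < .env.<name> < .env.local fallback merge) and the in-memory injection described here can be shown together. The following Go program is an added example for this page, not xenvsync's parser or run command. The page only states that multiline and quoted values are supported; the exact rules this example implements (an optional export prefix, backslash escapes inside double quotes, a " #" inline-comment marker for unquoted values) are this example's own choices, and the .env contents are constructed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// closingQuote returns the index of the first unescaped quote q in s, or -1 (a backslash escapes when escapes is set).
func closingQuote(s string, q byte, escapes bool) int {
	for i := 0; i < len(s); i++ {
		if escapes && s[i] == '\\' {
			i++
		} else if s[i] == q {
			return i
		}
	}
	return -1
}

// parseEnv parses .env text: comments, blank lines, an optional "export " prefix, single-quoted
// literals, unquoted values with a trailing " # comment", and double-quoted values that may span lines.
func parseEnv(text string) (map[string]string, error) {
	out := map[string]string{}
	unescape := strings.NewReplacer(`\"`, `"`, `\n`, "\n", `\\`, `\`) // escapes honoured inside double quotes
	lines := strings.Split(text, "\n")
	for i := 0; i < len(lines); i++ {
		line := strings.TrimSpace(lines[i])
		if line == "" || line[0] == '#' {
			continue
		}
		key, rest, ok := strings.Cut(strings.TrimPrefix(line, "export "), "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected KEY=value", i+1)
		}
		key, rest = strings.TrimSpace(key), strings.TrimSpace(rest)
		switch {
		case strings.HasPrefix(rest, `"`):
			body := rest[1:]
			end := closingQuote(body, '"', true)
			for end < 0 { // absorb following physical lines until the quote closes
				if i++; i >= len(lines) {
					return nil, fmt.Errorf("%s: unterminated double-quoted value", key)
				}
				body += "\n" + lines[i]
				end = closingQuote(body, '"', true)
			}
			out[key] = unescape.Replace(body[:end])
		case strings.HasPrefix(rest, "'"):
			end := closingQuote(rest[1:], '\'', false)
			if end < 0 {
				return nil, fmt.Errorf("%s: unterminated single-quoted value", key)
			}
			out[key] = rest[1 : 1+end]
		default:
			out[key] = strings.TrimSpace(strings.SplitN(rest, " #", 2)[0])
		}
	}
	return out, nil
}

// mergeLayers applies files in precedence order (.env.shared < .env.<name> < .env.local); later layers win.
func mergeLayers(layers ...map[string]string) map[string]string {
	merged := map[string]string{}
	for _, layer := range layers {
		for k, v := range layer {
			merged[k] = v
		}
	}
	return merged
}

// childEnv builds a child's environment from the parent's entries plus decrypted secrets; a secret replaces an inherited variable of the same name, and the plaintext lives only in this slice.
func childEnv(parent []string, secrets map[string]string) []string {
	env := make([]string, 0, len(parent)+len(secrets))
	for _, kv := range parent {
		k, _, _ := strings.Cut(kv, "=")
		if _, overridden := secrets[k]; !overridden {
			env = append(env, kv)
		}
	}
	for k, v := range secrets {
		env = append(env, k+"="+v)
	}
	return env
}

// main mirrors the `xenvsync run` idea: the merged secrets go into the child's environment and nowhere else.
func main() {
	shared, _ := parseEnv("APP_NAME=demo\nDB_URL=postgres://db/app # shared default\n")
	local, _ := parseEnv("DB_URL='postgres://localhost/app'\n")
	cmd := exec.Command("sh", "-c", `echo "$APP_NAME -> $DB_URL"`)
	cmd.Env = childEnv(os.Environ(), mergeLayers(shared, local))
	cmd.Stdout = os.Stdout
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

Because the environment is built as a slice and handed to exec.Cmd.Env, nothing is written to a file and nothing passes through a shell command line, so the secret never lands in shell history; the child process is the only consumer.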
Built-in audit & integrity
xenvsync log derives change history from git diffs; verify and doctor check authentication tags, duplicates, and key hygiene.
Impact
- 23 CLI commands covering solo and team workflows
- 16 stable releases shipped in about five weeks
- 5 install channels: Homebrew, Scoop, npm, AUR, Nix
- 0 cloud services in the trust chain