Projects / EnvGuard

EnvGuard

A command-line tool that stores environment variables in your operating system's secure keychain instead of .env files. Secrets stay encrypted on your machine and never touch your Git repository.

in progress open-source October 2025 — Present
EnvGuard

Tech Stack

TypeScript Node.js macOS Keychain Windows Credential Manager Linux Secret Service pnpm

What is EnvGuard?

EnvGuard is a modern CLI tool that solves the age-old problem of managing secrets in development environments. Instead of storing sensitive data in .env files (which can accidentally end up in Git), EnvGuard uses your operating system’s native secure keychain.

The problem with .env files:

  • Easy to accidentally commit to Git
  • Stored as plaintext on disk
  • Shared between developers via insecure channels
  • No encryption, no audit trail

The EnvGuard solution:

  • Secrets stored in OS keychain (hardware-encrypted)
  • Never touch your filesystem as plaintext
  • Per-project isolation with namespacing
  • Multi-environment support built-in

What It Does

Currently Implemented:

  • Store secrets in your OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
  • Interactive CLI for adding, viewing, and managing secrets
  • Support for multiple environments (development, staging, production)
  • Copy secrets between environments
  • Security checks for .env files in your repository
  • Migration from existing .env files
  • Template generation for team onboarding

Recently Added:

  • Node.js Runtime - Drop-in replacement for dotenv (@envguard/node)
    • Auto-loading secrets from keychain
    • Multi-environment support
    • Full TypeScript support
    • Testing utilities included

In Development:

  • Secret validation and schema enforcement
  • Encrypted backup and restore
  • Python and Docker runtime support

Quick Start

Installation

# Install globally (requires Node.js 18+)
npm install -g @envguard/cli

# Or use without installing
npx @envguard/cli status

Basic Usage

# 1. Initialize in your project (one-time setup)
cd my-project
envg init

# 2. Add your secrets interactively
envg edit
# Opens interactive menu to add/edit secrets

# Or set them directly
envg set DATABASE_URL postgresql://localhost/mydb
envg set API_KEY sk_live_abc123

# 3. View your secrets (masked by default)
envg show all
# Tip: Use --reveal to see actual values

# 4. That's it! Your secrets are safely stored in your OS keychain

Migrating from .env Files

Already have a .env file? Migrate in seconds:

envg init
envg migrate  # Reads .env, stores in keychain, secures your repo
# Your secrets are now safe! The .env file can be deleted.

Common Workflows

Adding Your First Secret

# Interactive way (easiest!)
envg edit
# Select "Add new secret" and follow the prompts

# Direct way
envg set API_KEY abc123

Viewing Secrets Safely

# View all secrets (masked for security)
envg show all
# Output: API_KEY (required): ab***23

# View specific secret
envg show API_KEY

# Reveal actual value (when you need it)
envg show API_KEY --reveal

Working with Multiple Environments

# Set secrets for different environments
envg set DATABASE_URL postgres://localhost/dev
envg set DATABASE_URL postgres://prod-server/db --env production

# Copy development secrets to staging
envg copy --from development --to staging

# Copy specific secret to production (with confirmation)
envg copy API_KEY --from development --to production

# View staging environment secrets
envg show all --env staging

Checking Project Health

# Full security and secrets check
envg check

# Just check if secrets are configured properly
envg check --secrets

# Just check for security issues (.env files, etc.)
envg check --security

Generating Template for Team

# Create .env.template for your team
envg template
# Team members can see what secrets they need without seeing values!

How It Works

EnvGuard stores your secrets in your operating system’s secure keychain:

  1. Initialize - Run envg init to set up EnvGuard in your project
  2. Store - Use envg set or envg edit to save secrets to your OS keychain
  3. Retrieve - Use envg get or envg show to view your secrets
  4. Manage - Copy between environments, export templates, run security checks
my-project/
├── .envguard/
│   ├── config.json        # Project config (gitignored)
│   └── manifest.json      # Secret manifest (gitignored)
└── .env.template          # Team documentation (optional, can commit)

Where secrets are stored:

  • macOS: Keychain Access (Security.framework)
  • Windows: Credential Manager
  • Linux: Secret Service API (GNOME Keyring, KWallet)

Secrets are stored with a namespaced key: {package-name}:{environment}:{secret-name}

This ensures no conflicts between different projects on your machine.

Commands Reference

Getting Started

CommandDescription
envg initInitialize EnvGuard in current directory
envg statusShow EnvGuard status and configuration
envg migrateMigrate from .env files to EnvGuard

Managing Secrets

CommandDescription
envg editInteractive menu to add/edit secrets
envg edit <key>Edit a specific secret
envg set <key> <value>Quickly set a secret
envg show allView all secrets (masked)
envg show <key>View specific secret (use —reveal to unmask)
envg get <key>Retrieve a secret value
envg del <key>Delete a secret
envg listList all secret keys

Environment Management

CommandDescription
envg copy --from dev --to stagingCopy all secrets between envs
envg copy <key> --from dev --to prodCopy specific secret
envg set <key> <value> --env productionSet secret in specific environment
envg show all --env stagingView secrets in specific env

Project Health

CommandDescription
envg checkCheck secrets and security issues
envg check --secretsOnly check missing/invalid secrets
envg check --securityOnly check security issues (.env files, etc.)
envg templateGenerate .env.template from current secrets

Export (Use Sparingly!)

CommandDescription
envg export --unsafe --to .envExport to .env file (INSECURE - be careful!)

Security Model

What EnvGuard Does:

  • Stores secrets in your OS keychain (hardware-encrypted, platform-specific)
  • Secrets are bound to your machine and can’t easily be copied
  • Tracks when secrets were last updated for audit purposes
  • Supports marking secrets as required or optional

What EnvGuard Doesn’t Do (Yet):

  • Schema validation of secret values
  • Secret rotation automation
  • Git hooks for preventing commits
  • Encrypted backup/sync between machines

EnvGuard focuses on being a simple, reliable tool for local development. For production secret management, consider dedicated solutions like HashiCorp Vault, AWS Secrets Manager, or similar.

Project Structure

This is a TypeScript monorepo using pnpm workspaces:

envguard/
├── packages/
│   ├── cli/       # Main CLI application (@envguard/cli)
│   ├── node/      # Node.js runtime integration (@envguard/node)
│   └── core/      # Core business logic (internal)
├── package.json   # Root workspace config
└── pnpm-workspace.yaml

Development Status

EnvGuard is in alpha. Core functionality works, but expect bugs and changes.

What Works:

  • OS keychain storage (macOS, Windows, Linux)
  • All CLI commands (init, set, get, edit, show, copy, check, migrate, etc.)
  • Multi-environment support
  • Interactive secret management
  • Security checks

In Progress:

  • Runtime integration (Node.js, Python, Docker)
  • Secret validation and schema enforcement
  • Encrypted backup/restore
  • Comprehensive test coverage

Roadmap

Completed:

  • Project setup and configuration
  • Keychain integration
  • Basic CLI commands
  • Config parser and validation
  • Multi-environment support
  • Security checks for .env files
  • Migration from .env files
  • Interactive secret management
  • Template generation
  • Copying secrets between environments
  • Export to .env file (unsafe) for backwards compatibility
  • Node.js runtime integration

Planned:

  • Secret validation/schema enforcement
  • Backup/restore system
  • Encrypted sync between machines
  • Secret rotation
  • Git integration
  • Python runner
  • Docker integration
  • GUI applications (macOS, Windows, Linux)

Related Topics

# cli # security # devops # nodejs # typescript # keychain # dotenv # environment-variables # developer-tools