envnest

Stop passing secrets
through chat.

Encrypted, versioned secrets management for teams that ship fast, straight from the terminal.

AES-256 encryptedKMS-backedZero plaintext storageVersioned
Get startedDocumentation →

Why envnest

Secrets shouldn't live in chat threads, diverge across machines, or sit unencrypted in config files.

Most teams manage secrets the same way they did a decade ago. API keys get shared in chat, every developer has a different version of.env, and nobody knows who changed what or when. Onboarding means asking three people for the right values.

envnest replaces all of that with a single CLI workflow. Push your.env to the cloud, pull it on another machine, inject secrets at runtime without touching disk. Every change is encrypted with AES-256-GCM, versioned, and audit-logged.

Product

See it in action

From project dashboards to audit logs, envnest gives your team visibility and control over every secret.

Project Management

Change Requests

Integrations

Audit Log

Secret Sharing

View all screenshots →

How it works

Three commands to secure your secrets.

01

Install and authenticate

One command to install. One command to log in. The CLI handles everything else.

$ curl -fsSL https://dl.envnest.dev/cli/install.sh | sh
$ envnest auth login
✔ Login successful
02

Push your secrets

Set your working context, then push your .env file. Secrets are encrypted before they leave your machine.

$ envnest context set --org=acme --project=api --env=production
$ envnest sync push --file=.env
✔ 12 secrets pushed
03

Inject at runtime

Run any command with secrets injected as environment variables. No .env files on disk, no exposure in process listings.

$ envnest inject -- npm start
✔ 12 secrets injected into process
> [email protected] start
> node server.js
Server running on port 3000

Capabilities

Everything you need. Nothing you don't.

Envelope encryption

AES-256-GCM with per-secret data encryption keys, wrapped by KMS. No secret shares a key with another.

Push, pull, and diff

Sync your .env to the cloud and back. Diff local against remote to catch config drift before it catches you.

Runtime injection

Inject secrets directly into any process with `envnest inject --`. No files on disk, no export commands.

Secret versioning

Every change is versioned. View history, compare values, and rollback to any previous version instantly.

AI-powered diff

Run `envnest sync diff --ai` for intelligent analysis of differences between local and remote configurations.

Org / project / env hierarchy

Organize secrets by team, project, and environment. Set context once with `envnest context set`, then work fast.

Role-based access control

Fine-grained permissions at the org, project, and environment level. Built-in roles or define your own.

Audit logging

Every read, write, delete, and permission change is logged with full traceability. Retention from 7 days to 1 year+.

Bring your own KMS

Use the built-in KMS by default, or bring your own AWS KMS for full control over key encryption keys.

Security

Encryption isn't a feature. It's the foundation.

Every secret is encrypted with AES-256-GCM using a unique 32-byte data encryption key. Each DEK is then wrapped by a key encryption key managed through KMS. This model is known as envelope encryption.

Even if the database is fully compromised, secrets remain encrypted. The KEK never touches the application database. You can use envnest's built-in KMS or bring your own AWS KMS for complete control over key material.

envnest is not a zero-knowledge system. The server performs encryption and decryption using the KEK. If you require client-side-only encryption, envnest is not the right fit. We believe transparency about our security model is more valuable than a misleading marketing claim.

Encryption
AES-256-GCM
Key architecture
Envelope encryption (DEK + KEK)
DEK generation
32 random bytes per secret
KMS providers
envnest (default), AWS KMS
At rest
No plaintext, ever
Access control
RBAC at org, project, and env level
Audit retention
7 days to 1+ year (by plan)
Integrations
GitHub Actions (GitLab, Vercel coming soon)
Learn more about our security model →

Built for the terminal

Your secrets workflow belongs next to your code.

No browser tabs. No GUI bottlenecks. Push, pull, diff, inject, and rollback, all from the same terminal where you write code.

envnest workflow
# Set your working context
$ envnest context set --org=acme --project=api --env=staging

# Push local secrets
$ envnest sync push --file=.env
✔ 12 secrets pushed

# Compare local vs remote with AI analysis
$ envnest sync diff --file=.env --ai
~ API_KEY changed: sk_live_new... → sk_live_old...
+ NEW_KEY added locally
✔ AI: Looks like a staging environment update

# Pull latest secrets
$ envnest sync pull --file=.env
✔ Secrets written to .env

# View history and rollback
$ envnest secret history DB_PASSWORD
v3  2025-12-01  [email protected]  (current)
v2  2025-11-15  [email protected]
v1  2025-10-01  [email protected]

$ envnest secret rollback DB_PASSWORD --version 2
✔ Secret rolled back to version 2

# Inject into any process, no files on disk
$ envnest inject -- npm start
✔ 12 secrets injected into process

Integrations

Connect your stack. Sync your secrets.

Push secrets directly to the platforms your team already uses. One connection, automatic sync.

GitHub

GitHub

Available

Source Control

Sync secrets to GitHub Actions at organization, repository, and environment level. Webhook-powered with automatic cleanup.

GitLab

GitLab

Coming soon

Source Control

Project-level secrets with group scoping and pipeline token syncing.

Vercel

Vercel

Coming soon

Hosting

Keep deployments and preview branches aligned with environment secrets.

AWS Secrets Manager

AWS Secrets Manager

Coming soon

Secrets Manager

Mirror secrets across regions with automatic key rotation support.

GCP Secret Manager

GCP Secret Manager

Coming soon

Secrets Manager

Project sync with versioned secrets and audit trails.

Supabase

Supabase

Coming soon

Backend Platform

Sync edge functions, preview environments, and database secrets.

Pricing

Start free. Scale as you grow.

Free

$0

For solo developers getting started.

  • 1 user
  • 1 project
  • 3 environments per project
  • 50 secrets per environment
  • Basic secrets + config management
  • Secret sharing (time-limited links)
  • Manual deploy triggers
  • Community support
  • 7-day activity history
Get started

Solo

$6/mo

Everything you need as a solo developer.

  • 1 user (flat fee)
  • 3 projects
  • 5 environments per project
  • 200 secrets per environment
  • Role-based access control
  • Groups & secret versioning
  • Protected environments
  • Password leak scanning (HIBP)
  • AI features (50 calls/mo)
  • 30-day audit log

14-day free trial · No credit card required

Get started

Team

$4/seat/mo

For teams that need collaboration and control.

  • Per-seat pricing (2–50 seats)
  • 5 projects
  • 3 environments per project
  • 500 secrets per environment
  • 2 branch configs per environment
  • Role-based access control
  • Groups & team management
  • Secret versioning
  • Service accounts
  • Protected environments
  • Password leak scanning (HIBP)
  • Webhooks + integrations
  • AI: diff analysis & risk assessment (100 calls/seat/mo)
  • AI: secret grouping recommendations
  • 30-day audit log

14-day free trial · No credit card required

Start 14-day trial

Business

$9/seat/mo

For organizations that need full control.

  • Per-seat pricing (3+ seats, unlimited)
  • Unlimited projects & environments
  • Unlimited secrets per environment
  • 50 branch configs per environment
  • Advanced RBAC + custom roles
  • Policy enforcement (approvals, deploy rules)
  • KMS & key rotation scheduling
  • IP whitelisting
  • Groups & team management
  • Secret versioning
  • Service accounts
  • Protected environments
  • Password leak scanning (HIBP)
  • Webhooks + integrations
  • AI: unlimited calls
  • Full audit logs (1 year+)
Get started

Ready to stop sharing secrets in chat?

$ curl -fsSL https://dl.envnest.dev/cli/install.sh | sh
Get started free