Everything you need to know about securing your environment variables with Envoy
Envoy is a secure environment variable management system that uses end-to-end encryption to keep your secrets safe. Here's how to get started:
npm install -g @nishan30/envoy-cliConfigure Envoy with your API key and set the API URL.
Encrypt and upload your .env file to Envoy.
💡 Tip: Save your RepoKey! Share it with your team to grant them access to the secrets.
Download and decrypt your .env file from Envoy.
Envoy uses industry-standard cryptographic algorithms to protect your secrets:
All encryption and decryption happens on your device. The server only stores encrypted data and never has access to your encryption keys or plaintext secrets.
Envoy implements rate limiting to prevent brute-force attacks:
Your private key is essential for decrypting your secrets. If you lose it, you won't be able to decrypt existing secrets. Make sure to back it up in a secure location. For team members, another team member can re-invite you with a new wrapped encryption key.
No. All encryption happens client-side in your browser or CLI. We only store encrypted data and never have access to your encryption keys or plaintext secrets. This is zero-knowledge architecture.
You can share secrets in two ways:
1. Invite via email in the web interface (team member needs an account)
2. Share the RepoKey after pushing (anyone with the key can pull)
Yes! Envoy is completely free and open source. You can use it for unlimited projects and team members.
When you push secrets, Envoy generates a RepoKey. This key is derived using Argon2id and used to encrypt the Content Encryption Key (CEK). Anyone with the RepoKey can decrypt the CEK and access the secrets without needing an account.
Can't find what you're looking for? Check out our GitHub repository or join our community.