Envy
Zero-trust, encrypted secret management CLI built in Rust. No SaaS, no internet, no plaintext.
Every secret is encrypted with a fresh nonce before touching the database. The master key lives in your OS Keychain — never on disk.
Secrets are decrypted in RAM only. Memory is zeroed on drop. No plaintext ever reaches the filesystem.
Produces a single sealed envy.enc file (pure ciphertext) you can safely commit publicly.
Separate passphrases per environment. Partial access never triggers errors — junior devs get dev keys, prod stays restricted.
Headless mode via ENVY_PASSPHRASE_<ENV> env var. Works with GitHub Actions, GitLab CI, any pipeline.
Memory-safe by design. Argon2id key derivation. Constant-time base64. No unsafe dependencies.