StrideLabs
Tools from the lab · stridelabs.ai Built with agents
CLI · Go

Envsecrets

Sync .env files across your machines, with history and cloud encryption.

A simple, single-user CLI for syncing .env files across your own machines and sheds. Files are versioned with a git-like history and stored age-encrypted in a Google Cloud Storage bucket; status tells you whether to push, pull, or reconcile, and sync runs the safe action without silently overwriting another machine's changes.

$ brew install charliek/tap/envsecrets
envsecrets
$ envsecrets status
tracking 2 files: .env  .env.staging
local baseline:  a1b3c9d   (pushed from laptop)
remote HEAD:     7f4e0a2   (pushed from desktop)
→ another machine pushed; recommended action: pull
$ envsecrets sync
pulling from gs://charliek-secrets ...
decrypting .env          (age) ✓
decrypting .env.staging  (age) ✓
✓ in sync, baseline now 7f4e0a2
01

Overview

Envsecrets is a small, single-user CLI for syncing .env files across your own machines and sheds. The model is deliberately familiar. A .envsecrets manifest lists the files to track, those files are encrypted with age and stored in a Google Cloud Storage bucket with a version history, and you move them around with a git-like push and pull. On one machine you push, on the next you pull. The local files stay ordinary .env files; it is the copy in the bucket that is encrypted.

The part worth dwelling on is what happens when machines disagree. envsecrets status tells you plainly whether you are in sync or need to push, pull, or reconcile, and envsecrets sync runs the recommended safe action for you. Push will not silently overwrite changes another machine made, so the failure mode that turns “shared secrets” into “lost secrets” is designed out rather than papered over.

It is deliberately the simplest thing that works for my setup. It is solo, with no user or login model. It supports GCS and age and nothing else, and it stays focused on .env files rather than trying to be a full secret manager. If you want local encryption, multi-user access, or a richer policy model, tools like 1Password, SOPS, or a cloud secret manager will serve you better. What envsecrets offers instead is a single binary you can install anywhere, including a container or a Shed environment, that keeps your secret files in sync with a history behind them.

02

Where it stands

Envsecrets is the smallest tool here and the one I was most on the fence about sharing. For now it does one unglamorous job: keeping the credentials my machines and sheds need in sync, with a history, instead of pasting them around or checking them into git. It works for that purpose, but it may eventually give way to a stronger secrets-management setup.

What it does

Envsecrets

Age-encrypted cloud storage

Your .env files are encrypted with age and stored in a Google Cloud Storage bucket, so the copy at rest in the cloud stays unreadable without your passphrase. The local files stay ordinary .env files.

Git-like push and pull

Push your env files from one machine, pull them on the next, and keep a version history of every change behind them.

Multi-machine clarity

envsecrets status tells you whether to push, pull, reconcile, or do nothing, so there is no guessing about which machine is ahead.

Safe sync

envsecrets sync runs the recommended safe action for you, and push refuses to silently overwrite changes another machine made.

Goes where you work

A single Go binary that installs on macOS and Linux, in containers, and in Shed environments, so the same secret files travel with you across machines.

Flexible passphrase sourcing

Point passphrase_env at an environment variable, or use passphrase_command to pull the key from your own secret store.