
secretenv

Multi-backend secrets via an alias registry

One registry. Every repo. Every backend. Migrate without touching a single repo.

Quick Start

Install

bash
# macOS
brew install secretenv

# Linux / macOS (universal)
curl -sfS https://secretenv.io/install.sh | sh

# Cargo
cargo install secretenv

Configure your machine

bash
secretenv setup aws-ssm:///secretenv/registry --region us-east-1

Output:

✓ Registry configured as [registries.default]
✓ Registry reachable: 12 aliases found
✓ AWS credentials detected (profile: default)

Add a secretenv.toml to your project

toml
[secrets]
STRIPE_KEY   = { from = "secretenv://stripe-key" }
DATABASE_URL = { from = "secretenv://db-url" }
LOG_LEVEL    = { default = "info" }

Run

bash
secretenv run -- npm start

Secrets are fetched from whichever backends the registry points to, injected as environment variables into the child process, and discarded when it exits. No secret values are written to disk.


How it fits together

The manifest says what the project needs. The machine config says which backends this machine has. The registry says which backend URI each alias resolves to.

Why the indirection?

Repos commit alias names like secretenv://stripe-key. The registry maps each alias to its current backend location. Migrating from 1Password to Vault becomes a single secretenv registry set command; every repo picks it up on the next run, no PRs.

For the full schemas, validation rules, and 5-phase resolution flow: The Three-File Model: Deep Reference.


Where to go next

  • Backends: 15 backend pages with config, URI format, examples, tested CLI versions
  • CLI Reference: every command, every flag, every exit code
  • CI/CD Integration: GitHub Actions, GitLab, Jenkins, BuildKite, CircleCI patterns
  • Threat Model: 14-category honest comparison with .env, fnox, op-run, direnv
  • Comparisons: when to pick secretenv vs. an alternative

Try it now

secretenv doctor is the front door for validating your config against any backend. Run it after install, after every config change, and as a CI pre-deploy gate.

Released under AGPLv3.