Skip to content

AThevon/envora

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
assets
assets
 
 
lib
lib
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
default.nix
default.nix
 
 
ev.sh
ev.sh
 
 
flake.lock
flake.lock
 
 
flake.nix
flake.nix
 
 

Repository files navigation

envora

envora

Encrypted .env vault manager
Back up, restore, and sync your .env files across machines with age encryption and git.

Release License Nix Flake

Why

Your .env files contain secrets that can't go in git. But they need to exist on every machine you work from. Envora solves this by keeping them in a private git repo, encrypted with age. Even if the repo is compromised, your secrets stay safe.

How it works

your-project/.env  -->  ev push  -->  vault/your-project/.env.age  -->  GitHub (private)
                                                                          |
another-machine    <--  ev pull  <--  vault/your-project/.env.age  <------'
  • Push encrypts your .env files and stores them in a git-backed vault
  • Pull decrypts them back into your project
  • One age key, stored in your password manager, unlocks everything
  • Works across macOS, Linux, and WSL

Install

Nix (recommended)

# flake.nix
envora = {
  url = "github:AThevon/envora";
  inputs.nixpkgs.follows = "nixpkgs";
};
# packages
envora.packages.${system}.default

Manual

Requires: age, fzf, gum, gh, jq, git

git clone https://github.com/AThevon/envora.git
cd envora
chmod +x ev.sh
./ev.sh

Quick start

# First time: sets up key + vault repo
ev init

# Save your .env files
cd ~/projects/my-app
ev push

# Restore on another machine
cd ~/projects/my-app
ev pull

# Pull from Vercel
ev vercel

# Interactive mode
ev

Commands

Command Description
ev Interactive mode (context-aware)
ev push [project] Push all .env files (local + Vercel if detected)
ev push-local [project] Push only local .env files
ev push-vercel [project] Push only Vercel env vars
ev pull [project] Decrypt and restore .env files from the vault
ev diff [project] Compare local .env files with the vault
ev list List all projects in the vault
ev clean Remove a project from the vault
ev rotate Generate new age key and re-encrypt vault
ev config View and edit settings
ev init First-time setup
ev help Show detailed help

Interactive mode

Run ev without arguments for an interactive menu:

  • Inside a git repo: shows project-specific actions (push, pull, diff, vercel) plus global actions
  • Outside a repo: shows global actions (list, clean, config, rotate)

Configuration

Stored in ~/.envorarc:

ENVORA_VAULT="$HOME/.env-vault"       # Path to vault directory
ENVORA_KEY="$HOME/.age/key.txt"       # Path to age private key
ENVORA_PROJECTS="$HOME/projects"      # Path to projects directory
ENVORA_REPO="user/env-vault"          # GitHub repo for the vault

Edit with ev config.

Security

  • Secrets are encrypted with age before leaving your machine
  • The vault repo can be public or private - encrypted files are unreadable without the key
  • One key to manage: store it in your password manager (Bitwarden, 1Password, etc.)
  • ev rotate regenerates the key and re-encrypts everything if compromised

Providers

Envora can pull environment variables directly from cloud platforms:

  • Vercel - ev vercel pulls development, preview, and production env vars

More providers welcome via PR.

License

MIT

About

Encrypted .env vault manager with age encryption and git-backed storage

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v0.2.0 Latest
Apr 3, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages