Secure your secrets. Sync your team. Trust your configs.
Vaultic is a CLI tool for managing secrets and configuration files securely across development teams. It encrypts your sensitive files, syncs them via Git, detects missing variables, and audits every change.
- Strong encryption — age or GPG, your choice
- Detects problems — missing variables, out-of-sync configs
- Multi-environment — dev/staging/prod with smart inheritance
- Audit trail — who changed what, when
- Zero cloud — everything local + Git, no external dependencies
- Extensible — designed to support .env, .toml, .yaml, .json
```bash
cargo install vaultic
```

Or download a prebuilt binary from Releases for Windows, Linux, or macOS.
```bash
# 1. Initialize in your project
cd my-project
vaultic init

# 2. Encrypt your secrets
vaultic encrypt .env --env dev

# 3. Commit the encrypted file (safe)
git add .vaultic/
git commit -m "feat: add encrypted secrets"

# 4. Another dev clones and decrypts
vaultic decrypt --env dev
```

Only the encrypted output under `.vaultic/` belongs in Git; keep the plaintext `.env` itself out of the repository (for example via `.gitignore`) so a careless `git add .` cannot commit it.

Each team member has their own key pair (public + private). When you encrypt, the file is sealed for all authorized public keys at once, so everyone can decrypt independently with their own private key. No one shares private keys.
```text
Admin setup                        Team member joins
─────────────                      ──────────────────
vaultic init                       vaultic keys setup
→ generates admin key pair         → generates their key pair
→ creates .vaultic/                → sends PUBLIC key to admin

Admin adds member                  Member decrypts
────────────────                   ────────────────
vaultic keys add <public_key>      git pull
vaultic encrypt --all              vaultic decrypt --env dev
→ re-encrypts for all keys         → decrypts with their private key
```
Updating secrets: Anyone encrypts → pushes → others pull + decrypt. Changes flow through Git like any other file.
Revoking access: Admin removes the key → re-encrypts → the removed member can no longer decrypt new versions. Note that revocation is forward-only: the removed member still holds their private key, so any earlier encrypted versions in Git history (and any plaintext they already decrypted locally) remain readable to them. Rotate the secrets they had access to after removing the key.
For detailed explanations, examples, and common workflows, see the Command Reference.
| Command | Description | Status |
|---|---|---|
| `vaultic init` | Initialize Vaultic in the current project | ✅ |
| `vaultic encrypt [file]` | Encrypt secret files (`--all` to re-encrypt all envs) | ✅ |
| `vaultic decrypt [file]` | Decrypt secret files (`--key <path>`, `-o <path>`) | ✅ |
| `vaultic check` | Report variables missing against the template | ✅ |
| `vaultic diff <file1> <file2>` | Compare two secret files side by side | ✅ |
| `vaultic diff --env dev --env prod` | Compare two resolved environments | ✅ |
| `vaultic keys setup` | Generate or import a key | ✅ |
| `vaultic keys add <key>` | Add a recipient | ✅ |
| `vaultic keys list` | List authorized recipients | ✅ |
| `vaultic keys remove <key>` | Remove a recipient | ✅ |
| `vaultic resolve --env <env>` | Generate resolved file with inheritance (`-o <path>`) | ✅ |
| `vaultic log` | Show operation history | ✅ |
| `vaultic status` | Show full project status | ✅ |
| `vaultic hook install` | Install git pre-commit hook | ✅ |
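To make concrete what the `check`, `resolve` and `diff --env` commands do, here is an added example, written for this page and not taken from Vaultic's own source, that parses dotenv text, reports variables missing against a template, resolves an environment by layering a base file under the target environment, and diffs two resolved environments by key name only. The dotenv subset handled, the `.env.example` template convention, the layering order (base first, then the environment) and the sample files are all assumptions; Vaultic's real parser and inheritance rules may differ.

```rust
use std::collections::BTreeMap;

/// A parsed dotenv file: key -> value, kept in sorted order for stable output.
pub type Env = BTreeMap<String, String>;

/// Parse dotenv text into key/value pairs.
/// Assumed subset of the format (not Vaultic's parser): blank lines and
/// `#` comments are skipped, an optional `export ` prefix is dropped, and
/// one layer of matching single or double quotes is stripped from values.
pub fn parse_dotenv(text: &str) -> Env {
    let mut env = Env::new();
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let line = line.strip_prefix("export ").unwrap_or(line);
        let (key, value) = match line.split_once('=') {
            Some(kv) => kv,
            None => continue, // malformed line: no '=' at all
        };
        let key = key.trim();
        if key.is_empty() {
            continue;
        }
        let value = value.trim();
        let bytes = value.as_bytes();
        let value = if bytes.len() >= 2
            && bytes[0] == bytes[bytes.len() - 1]
            && (bytes[0] == b'"' || bytes[0] == b'\'')
        {
            &value[1..value.len() - 1]
        } else {
            value
        };
        env.insert(key.to_string(), value.to_string());
    }
    env
}

/// `check`: variables the template (e.g. .env.example) declares but `env` lacks.
pub fn missing_keys(template: &Env, env: &Env) -> Vec<String> {
    template.keys().filter(|k| !env.contains_key(*k)).cloned().collect()
}

/// `resolve`: layer files in order, later layers overriding earlier ones.
/// The order (base first, then the target environment) is an assumption.
pub fn resolve(layers: &[&Env]) -> Env {
    let mut out = Env::new();
    for layer in layers {
        for (k, v) in layer.iter() {
            out.insert(k.clone(), v.clone());
        }
    }
    out
}

/// `diff`: (keys only in a, keys only in b, keys present in both whose values
/// differ). Only key names are reported, never values, so the output can be
/// pasted into a ticket or chat without leaking a secret.
pub fn diff(a: &Env, b: &Env) -> (Vec<String>, Vec<String>, Vec<String>) {
    let only_a = a.keys().filter(|k| !b.contains_key(*k)).cloned().collect();
    let only_b = b.keys().filter(|k| !a.contains_key(*k)).cloned().collect();
    let changed = a
        .iter()
        .filter(|(k, v)| b.get(*k).map_or(false, |bv| bv != *v))
        .map(|(k, _)| k.clone())
        .collect();
    (only_a, only_b, changed)
}

// Constructed sample files; the values are placeholders, not real secrets.
pub const TEMPLATE: &str =
    "# .env.example: every variable the app expects\nDATABASE_URL=\nAPI_KEY=\nSENTRY_DSN=\nLOG_LEVEL=info\n";
pub const BASE: &str = "LOG_LEVEL=info\nAPI_KEY=\"base-key\"\nFEATURE_FLAGS=a,b\n";
pub const DEV: &str =
    "export DATABASE_URL='postgres://localhost/dev'\nAPI_KEY=dev-key\nLOG_LEVEL=debug\n";
pub const PROD: &str =
    "DATABASE_URL=postgres://db.internal/prod\nAPI_KEY=prod-key\nSENTRY_DSN=https://example.invalid/123\n";

fn main() {
    let template = parse_dotenv(TEMPLATE);
    let base = parse_dotenv(BASE);
    let dev = resolve(&[&base, &parse_dotenv(DEV)]);
    let prod = resolve(&[&base, &parse_dotenv(PROD)]);

    println!("dev is missing: {:?}", missing_keys(&template, &dev));
    println!("prod is missing: {:?}", missing_keys(&template, &prod));
    let (only_dev, only_prod, changed) = diff(&dev, &prod);
    println!("only in dev: {:?}", only_dev);
    println!("only in prod: {:?}", only_prod);
    println!("changed: {:?}", changed);
}
```

Running it reports that the resolved `dev` environment lacks `SENTRY_DSN` while `prod` is complete, and that `API_KEY`, `DATABASE_URL` and `LOG_LEVEL` differ between the two. Reporting key names rather than values is deliberate: a check or diff that prints secrets defeats the point of encrypting them, and its output tends to end up in CI logs.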
| Flag | Description |
|---|---|
| `--cipher <age\|gpg>` | Encryption backend (default: age) |
| `--env <env>` | Target environment (repeatable for `diff`) |
| `--config <path>` | Custom vaultic directory path |
| `-v, --verbose` | Detailed output (source files, recipients, etc.) |
| `-q, --quiet` | Suppress all output except errors |
See the full roadmap for planned features: update notifications, secret validation, Docker/CI integration, multi-format parsers, access control, server sync, and more.
| Phase | Description | Status |
|---|---|---|
| Phase 1 | Foundation — architecture, CLI, CI/CD | ✅ |
| Phase 2 | Encryption — age + GPG backends, key management | ✅ |
| Phase 3 | Diff & Check — dotenv parser, variable comparison | ✅ |
| Phase 4 | Multi-environment — inheritance, resolution | ✅ |
| Phase 5 | Audit & Polish — logging, status, hooks | ✅ |
| Milestone | Scope | Status |
|---|---|---|
| Stability | Bug fixes, CLI flags, feature gaps, input validation | ✅ |
| Polish | Dependency cleanup, error messages, UX refinements | ✅ |
| Release | Version bump, CI verification, publish v1.0.0 | ✅ |
See Development Phases for detailed information.
We welcome contributions! Please read our Contributing Guide before submitting a pull request.
Note: Vaultic uses a dual licensing model (AGPLv3 + Commercial). By contributing, you agree to the terms described in the contributing guide.
Encrypted `.enc` files use asymmetric cryptography (age or GPG). Only authorized recipients can decrypt them with their private key. Public keys in the repository are used only for encryption and are not sensitive to disclose. The recipient list is what decides who can read future versions, so review changes to it under `.vaultic/` (a new key being added, in particular) with the same care as any other access-control change, and rotate secrets after removing a recipient, since older encrypted versions in Git history remain readable with that person's private key.
See SECURITY.md for the full security policy.
This project is licensed under the GNU Affero General Public License v3.0.
Commercial licensing is available for organizations that require alternative terms. See COMMERCIAL.md for details or contact: legal@softdryzz.com