๐Ÿ” age-encrypted ยท ๐Ÿชถ zero pip deps ยท ๐Ÿ–ฅ๏ธ native macOS

An encrypted home for the API keys your AI agents keep asking for.

Stop pasting secrets into your AI chat. Envkeep keeps your team's ENV secrets in an age-encrypted vault โ€” a native macOS app for you, and a CLI that hands your coding agent exactly one value, on demand, with nothing left in plaintext.

Free & open source (MIT) ยท macOS ยท brew install jackofshadowz/tap/envkeep

Envkeep CLI: get one value, load a project, notes & fields, audit log

Why Envkeep

Secrets that fit how you actually work now.

A real encrypted vault with the ergonomics of a password manager โ€” and a command line built for the agents in your editor.

๐Ÿ”

Encrypted at rest

An age-encrypted vault.age โ€” only ciphertext ever touches disk or git.

โŒจ๏ธ

A CLI for agents

envkeep get NAME prints one value; envkeep env project loads a whole project into the shell.

๐Ÿ–ฅ๏ธ

Native macOS app

A real Swift / WKWebView window with its own Dock icon, โŒ˜K palette, and menus โ€” not a browser tab.

๐Ÿ“

Notes & extra fields

Attach a rotation reminder or owner to any secret, plus extra fields like USERNAME / URL โ€” metadata, never injected into env.

โ›”

Decrypt on demand

No plaintext cache by default. Optional Keychain cache for speed, one-click Lock, Touch ID & 2FA gates.

๐Ÿ‘ฅ

Team-ready

Share the encrypted vault via a private git repo; add teammates by age public key, revoke & rotate in one command.

Built for AI coding agents

Hand it the name. Not the secret.

Claude Code, Cursor, and aider all run shell commands. Envkeep gives them a safe verb: fetch a single value at the moment it's needed.

  • Nothing in the transcript. Agents call envkeep get / env instead of you pasting keys into chat.
  • One value at a time. Scope access to a single secret or a single project โ€” not your whole .env.
  • No .env lying around. Inject straight into the process environment; nothing written to disk.
  • Audited. Every read is logged by name โ€” never the value.

Claude Code guide โ†’ Cursor โ†’ aider โ†’

Envkeep macOS app

Security you can reason about

Layered. Honest. Yours.

Turn on as much as you need. Only ciphertext is ever stored or pushed โ€” a stolen repo or laptop-at-rest exposes nothing.

๐Ÿ”‘ Passphrase-encrypted key

Encrypt your age identity itself (openssl AES-256 + PBKDF2). A stolen key file is useless; unlock once per session.

๐Ÿ‘† Touch ID & 2FA gates

Biometric or TOTP before a value is revealed or copied in the app, with auto-relock windows.

๐Ÿ“œ Names-only audit log

Every read/write appended to a local log โ€” actions and names, never values.

๐Ÿชถ Zero dependencies

Pure Python 3 stdlib + age. No pip, no server, no database โ€” a small surface you can audit yourself.

Get started

Up and running in a minute.

Pick your install. Then envkeep init creates your key, vault, and recipients entry.

brew install jackofshadowz/tap/envkeep envkeep init
curl -fsSL https://raw.githubusercontent.com/jackofshadowz/envkeep/main/web-install.sh | bash envkeep init
pipx install envkeep # or: pip install envkeep envkeep init
git clone https://github.com/jackofshadowz/envkeep.git cd envkeep && ./install.sh envkeep init ./build-app.sh && open Envkeep.app # optional native app

Prefer the app? Grab Envkeep.app from the latest release. Requires macOS & age (brew install age).