Environment Variable Manager
Your secrets, outside the reach of git and AI.
Shell-loaded. Masked by default. Local forever.
Eight problems that keep happening to developers. .envVault handles all of them.
Secrets are stored in the app's data directory — outside your
project tree entirely. There's no
.env
file to accidentally commit, no gitignore rule to forget, no
late-night key rotation.
Copilot, Claude, Cursor — they all index your file tree. Because your keys aren't in files, they're never in context. Agents work on your code without ever seeing a secret.
Switch between
.env,
.env.local,
.env.production, staging, and more — per project. No more juggling files or
copy-pasting between configs.
Manage env across dozens of services in one place. Sub-projects inherit from parents — shared infra vars live once, services override only what differs. No copy-paste drift.
A one-time hook in your shell config auto-injects the right vars
when you
cd
into a project. No manual sourcing, no forgotten exports, no wrong
environment.
Values are hidden at rest, revealed individually on demand. Configurable inactivity timeout re-masks after a period of no interaction. Safe for screen sharing.
Side-by-side diff of any two environments. See what's added, removed, or changed. Push individual vars across envs with one click.
Export to ENV, JSON, YAML, CSV, or shell script. Import from any format with conflict resolution — keep existing, overwrite, or skip per-key.
One-click variable duplication. Rename a key and it propagates automatically across all environments — no manual find-and-replace.
Three steps. One shell hook. Zero leaks — from that moment on.
Point .envVault at a directory. It scans for existing
.env
files and imports them automatically. Secrets move to the vault —
your project folder has nothing to commit.
Edit variables in the app. Switch environments with a dropdown. Values are masked at rest and revealed individually on demand — safe for screen sharing and pair programming.
The shell hook detects when you change directory and injects the right vars. No manual sourcing. The correct environment is always active — in every terminal window.
Representative scenarios from developers who needed a better answer to the .env problem.
I stopped rotating leaked keys after the third time it happened. Now the folder simply doesn't have the file.
Microservices developer · 4+ projects managedI use Cursor and Claude daily. Knowing my API keys are never in context is a baseline requirement now.
Full-stack developer · AI-native workflowShell hook setup takes 30 seconds. New machines are up and running before the Homebrew install finishes.
Engineering lead · Distributed teamThe short answers to the things you're already wondering.
The app is built with Tauri and ships as a native macOS binary. The shell hook works with zsh and bash. Linux and Windows support are on the roadmap — the core architecture is platform-agnostic.
In the macOS app data directory — the same location apps like 1Password use for local data. Not in your project folder, not in iCloud, not on any server. The path is the Tauri app data directory, which is sandboxed to the app.
Yes. When you add a project, .envVault scans the directory and imports any existing .env, .env.local, .env.production, and other suffixed files automatically. Nothing is deleted from your project until you explicitly remove it.
Your secrets remain in the app data directory until you delete them. The app does not auto-delete on uninstall. You can export at any time from within the app before uninstalling.
No. Everything is local. There is no account, no cloud, no telemetry. The app data never leaves your machine unless you explicitly copy or export it.
Recent additions to .envVault.
Free. Local. Open source. No account required.