End-to-end encryption for app secrets.
Superpowers for managing config.

🔒 No more sloppy secrets sharing → protect API keys, encryption keys, and credentials.

⚡️ Level up from .env files → keep developers and servers automatically in sync.

Open Source MIT License. Cloud or self-hosted.
Integrate in 2 minutes.

EnvKey is desktop-only.
Check back on desktop to download.

☠️ Prevent security incidents. Keep secrets away from code, email, chat, and browsers.

🛳 Ship faster. Prevent config bugs and keep environments in sync.

🐎 Tame your config. Prevent duplication and sprawl. Control access. Log everything.

🛠 Integrate anywhere. Works with every language, platform, and host.

Step 1

From development to CI to staging to production, securely manage configuration and secrets all in one place.

Step 2

Load your config anywhere. Reload automatically after a change.


$ envkey-source -- any-shell-command$ envkey-source -- command
# That's it!# That's it! Your command runs with the latest environment variables.

$ envkey-source -w -- ./start-server
# Automatically reload.# Automatically reload with the latest environment after a change.

$ envkey-source -w --rolling -- ./start-server
# No-downtime rolling reloads.# Avoid downtime with rolling reloads across all connected processes.

$ es -- ping '$DATABASE_URL'
# Use the `es` alias to type less.
# Reference vars in commands.# Reference EnvKey variables in your commands.

$ es -r ./reload-env -- ./start-server 
# Custom reload logic.# Run custom reload logic after a change.

$ eval "$(es)"
# Set vars in current shell.# Set your EnvKey variables in the current shell.

$ echo $'\n\neval "$(es --hook bash)"\n' >> ~/.bash_profile
# Auto-load in any directory.# Auto-load the latest environment when entering a directory.
# Works just like direnv.

$ es --dot-env > .env
$ es --json > .env.json
$ es --yaml > .env.yaml
$ es --pam > /etc/environment
# Easy export to many formats.


  More ways to load ˯

Integration Quickstart

See it in action.

Watch Dane integrate EnvKey with an app in just a few minutes.

Uncompromising Data Security

Zero-knowledge end-to-end encryption with out-of-band verification ensures that no host, server, employee, or third party ever has access to your organization's secrets, unless it is specifically granted.

EnvKey's encryption is built with NaCl: a fast, modern, trusted cryptography standard.

Security Overview

EnvKey has eliminated a class of problem which absolutely plagued us, especially on new fast-moving projects, where you can't afford to lose half a day debugging some cryptic error message because there just happens to be a random new env var.

Gabriel Fortuna
Founder, Zero One

EnvKey has been such a lifesaver for our team at Soundstripe. Onboarding new developers was instantly streamlined as far as environment setups are concerned, and configuring servers has been simplified dramatically. We're hooked!

Trevor Hinesley
CTO, Soundstripe

First of all, I would like to say THANK YOU. EnvKey has solved a major problem for us, in managing our secrets really well. We rolled it out across our dev, staging and production environments yesterday, and it was a smooth, 15 minute process.

Devan Sabaratnam
Founder, HRPartner

Multi-layered security.

Audit logs

Device-based auth

Secure invitations

Easy access control

OS keyring integration

Trusted IPs

Enhanced productivity.

Version control

Powerful, scriptable CLI

Auto-reloading environments

Environment branches

Stackable config blocks

Custom environments

Environment inheritance

Local development overrides

Data import/export

Conflict resolution

Change hooks

Account recovery keys

Flexible hosting.

Turn-key self-hosting

Multi-region redundancy

Behind-your-firewall mode

Advanced user management.

Teams

SAML SSO

SCIM directory sync