E2E Encrypted · Zero Config · Rust

Your secrets deserve
better than .env files

Zero-config secret injection. E2E encrypted. Sub-millisecond overhead. Replace scattered .env files with a single encrypted vault that injects secrets at runtime.

$ cargo install zenv See it in action ↓
<1ms
Injection Overhead
0
Plaintext on Server
256
Bit Encryption
See it work

Three commands. That's it.

Initialize, vault your secrets, run your app. No config files. No environment juggling. No leaks.

zenv — ~/projects/my-api
$ zenv init
initialized project my-api
 
$ zenv vault add DATABASE_URL
Enter value: ••••••••••••••••••
vaulted DATABASE_URL in development
 
$ zenv run -- npm start
> Server running on port 3000
Features

Security that gets out
of your way

Every feature exists to remove friction. Because the most secure workflow is the one developers actually use.

Zero Friction

zenv run -- npm start replaces your entire .env workflow. True exec() on Unix means zero overhead after injection — zenv's memory is freed the instant your process starts.

End-to-End Encrypted

ChaCha20-Poly1305 with HKDF-SHA256 key derivation. Per-secret AAD prevents ciphertext substitution attacks. The OS keychain is the trust anchor — the server never touches plaintext.

Secret Scanner

zenv scan walks your codebase detecting leaked credentials via vendor prefix matching, Shannon entropy analysis, and keyword heuristics. Catch leaks before they ship.

Shell Integration

Automatic secret loading on directory change for bash, zsh, and fish. Secrets appear when you cd into a project and vanish when you leave. Zero manual steps.

Sync Anywhere

Push secrets to Vercel, GitHub Actions, or AWS Secrets Manager with a single command. Diff before you push — see exactly what changes before anything goes live.

Dynamic Credentials

AWS STS, Stripe restricted keys — automatically issued, renewed, and revoked. Secrets that expire can't be leaked usefully. Never touch a static credential again.

Real Scenarios

Teams shipping
without leaking

From early-stage startups to scaling platforms — here's how teams eliminated secret sprawl with zenv.

Stripe keys lived in three .env files across staging, prod, and local. After a close call with a leaked test key in a PR, the team switched to zenv in an afternoon. Dynamic credentials rotate every hour — there's nothing static left to leak.
0
Secrets in Git
1hr
Key Rotation
14
Devs Onboarded
<2ms
Startup Overhead
Node.js Stripe AWS Vercel
Syncing secrets across 200+ microservices to GitHub Actions was manual and error-prone. One bad copy-paste took down staging for a day. With zenv, the team diffs and pushes from one command — the audit trail alone justified the switch.
200+
Services Secured
45min
Saved per Deploy
100%
Audit Coverage
1 cmd
To Sync All
Go Kubernetes GitHub Actions Terraform
Client credentials were scattered across Slack DMs, shared vaults, and stale .env files. With zenv, each developer's machine has its own encrypted vault scoped per project. Shell hooks mean you just cd in and start coding — no credential handoff needed.
8
Projects Isolated
0
Shared Passwords
30s
New Dev Setup
E2EE
Client Isolation
Next.js Python Supabase Vercel
Get Started

Up and running in 60 seconds

Install the binary. Initialize your project. Import your .env. Your existing workflow doesn't change — it just gets encrypted.

Terminal
1# Install
2$ cargo install zenv
3 
4# Set up your project
5$ cd your-project
6$ zenv init
7$ zenv vault import .env
8 
9# Run with secrets injected
10$ zenv run -- npm start

Stop leaking secrets.
Start using zenv.

Open source. MIT licensed. Built with Rust.

$ cargo install zenv