openenvx

.env encrypted.
Zero config.
Local-first.

Envelope encryption, zero config. One CLI, one key - you hold it.

Open source. Commit encrypted .env, decrypt only where you run.

✓ Generated keypair
✓ Encrypted .env
Enter value: ••••••••
✓ Secret stored
Running with decrypted environment...

Why openenvx

Control, transparency, trust.

One key per secret - you hold the master. Your repo, your key - no middleman, no API to call.

[Diagram: .env (ciphertext) holds DATABASE_URL=envx:…, API_KEY=envx:…, SECRET=envx:…. The age key (local only) wraps each DEK and stays on your machine. The repo holds .openenvx.yaml; you keep the private key.]

Envelope encryption

Each secret gets a unique data encryption key (DEK), then AES-256-GCM. Your age-derived master key wraps every DEK. Key names are associated data - no replay, no swap, no backdoor.
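The scheme described above, as an added sketch that is not OpenEnvX's own code. It assumes a random 32-byte AES key in place of the age-derived master key; the function names and the exact `envx:<wrapped DEK>:<ciphertext>` byte layout are constructed for illustration, and binding the variable name as associated data on both layers is this example's choice.

```javascript
const nodeCrypto = require("node:crypto");

// AES-256-GCM with associated data; output is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad, "utf8"));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}

function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad, "utf8"));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the tag does not match the key, ciphertext and AAD.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Fresh DEK per secret; the master key (assumed stand-in for age) wraps it.
function encryptSecret(masterKey, name, value) {
  const dek = nodeCrypto.randomBytes(32);
  const wrapped = seal(masterKey, dek, name);
  const ct = seal(dek, Buffer.from(value, "utf8"), name);
  return `envx:${wrapped.toString("base64")}:${ct.toString("base64")}`;
}

function decryptSecret(masterKey, name, entry) {
  const [prefix, wrapped, ct] = entry.split(":");
  if (prefix !== "envx" || !wrapped || !ct) throw new Error("malformed entry");
  const dek = open(masterKey, Buffer.from(wrapped, "base64"), name);
  return open(dek, Buffer.from(ct, "base64"), name).toString("utf8");
}

// Constructed demo: round trip, then the same entry pasted under another name.
function demo() {
  const master = nodeCrypto.randomBytes(32);
  const entry = encryptSecret(master, "API_KEY", "constructed-sample-value");
  const roundTrip = decryptSecret(master, "API_KEY", entry);
  let swapRejected = false;
  try { decryptSecret(master, "DATABASE_URL", entry); } catch { swapRejected = true; }
  return { roundTrip, swapRejected };
}
console.log(demo());
```

Because the name is authenticated, an entry copied from one variable to another fails to decrypt instead of silently yielding the wrong secret.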

[Diagram: your repo (local) contains .cursor, node_modules, src, .env (encrypted) and .openenvx.yaml]

You own the flow

  • Key stays local
  • Same binary, dev & CI
  • Commit .env safely
  • No subscription
  • No lock-in

Local-first

Keys and ciphertext live where you put them. Same binary on your laptop, in CI, or on a server - you decide where to decrypt.

Zero config

init, set, run.

AES-256-GCM

One DEK per secret. Your key wraps them all.

You hold the key

Master key stays local. Ciphertext can go anywhere.

Safe to commit

.env holds only ciphertext. Without the private key it's unreadable. Store the key in 1Password or a hardware key. Commit .env to the repo without worry.

  • Public key stored in .openenvx.yaml (safe to commit)
  • Private key stored locally
  • Environment variable override supported
.env
DATABASE_URL=envx:a2V5...:Y2lwaGVy...
API_KEY=envx:bDNr...:ZGF0YQ...
SECRET_TOKEN=envx:Y2Vk...:ZW5jcnlw...

Secrets belong in encryption,
not in chat.

OpenEnvX keeps .env as ciphertext. Keys and ciphertext stay where you put them - so nothing leaks into Slack or commit history.

Stop sharing secrets in Slack

Every day, developers share API keys, database credentials, and secrets over Slack, email, and DMs. Stop the leak before it happens.

  • Encrypt once, decrypt only where you run
  • Full audit trail for every decrypt
  • No more pasting secrets into Slack

In your editor

OpenEnvX for VS Code

Edit .env with decrypted values, see status at a glance, and run OpenEnvX without leaving the editor.

Script CodeLens

Run npm scripts with OpenEnvX decrypted environment variables.

Secret Scanning

Detect potential secret leaks before they reach git.

Go to Definition

Jump from code to .env file definitions.

CodeLens Actions

Decrypt individual secrets or all secrets at once with inline buttons.

Find References

Monorepo-aware reference finding across packages and workspaces.

Rename Support

Rename environment variables across your entire workspace.

.env (decrypted)
DATABASE_URL= postgres://...
API_KEY= sk_live_••••••••

If it’s not encrypted,
it’s not a secret.

In the repo, in CI, in every handoff: ciphertext only. OpenEnvX keeps it that way.

  • Encrypt in the repo. Decrypt in the editor.
  • One master key. Every secret wrapped.
  • Ciphertext travels. The key doesn't.

Compatibility

Works with

Runtimes & frameworks

Run openenvx in any JS/TS runtime or framework.

CI / CD

Decrypt in pipeline. No secrets in logs.

Package managers

Install once, use in scripts and dev.

Containers & orchestration

Same binary in containers and clusters.

Any runtime or CI that can run a binary and read env. No plugins required.