Stop leaking your .env to AI! I built a Rust/Tauri Secret Manager to inject API keys safely 🛡️

EriTech — Sun, 05 Apr 2026 07:21:10 +0000

The AI Editor Problem 🤖

We all love using AI assistants like Cursor, GitHub Copilot, and Claude. But let's be honest: they brought a terrifying new security risk to our local development workflow.

Have you ever worried that your AI assistant might accidentally read your local .env file and send your raw database passwords or OpenAI API keys to the cloud? Or maybe you were screen-sharing and accidentally opened your .env file for everyone to see?

To solve this problem once and for all, I built Kimu — an open-source, hybrid CLI & GUI secret manager powered by Rust and Tauri.

👉 Check out Kimu on GitHub!

🗝️ The Magic of Kimu: Use Placeholders, Not Passwords

With Kimu, you no longer need to write actual sensitive information in your .env files. Instead, you use simple placeholders.

❌ Before (Dangerous)

# If your AI reads this, your keys are gone...
DATABASE_URL=postgres://user:SuperSecretPassword@localhost/db
OPENAI_API_KEY=sk-proj-xxxxxxxxxxxxxxxxxxxxxxxx

✨ After with Kimu (100% Safe)

# Completely harmless even if leaked!
DATABASE_URL=SECRET{{DB_PASSWORD}}
OPENAI_API_KEY=SECRET{{OPENAI_KEY}}

🚀 How to Use It (CLI Mode)

You don't need to change a single line of code in your application. Just prefix your usual development commands with kimu run --.

# For Next.js / Vite / Node
kimu run -- npm run dev

# For Python / Go
kimu run -- python main.py
kimu run -- go run main.go

When you run this command, Kimu quietly intercepts it, grabs the real passwords directly from your OS native keychain, injects them into memory as environment variables, and spawns the child process.

Your app will read process.env.OPENAI_API_KEY exactly as it normally would!

🎨 A Beautiful UI for Management (GUI Mode)

Kimu isn't just a CLI tool; it's a hybrid. If you type kimu in your terminal without any arguments, a beautiful Desktop UI opens up.

Here, you can securely add, edit, and organize your secrets with custom tags. Nothing is sent to the cloud. Everything is kept strictly on your local machine.

🛠️ Under the Hood

I built Kimu using Rust, Tauri v2, and React (TypeScript). Here are a few technical highlights:

1. OS-Native Keychain Security 🛡️

Instead of writing a custom encryption logic, Kimu delegates the security to the most secure place on your computer using the Rust keyring crate:

macOS: Keychain
Windows: Credential Manager
Linux: Secret Service API

2. Smart `.env` Discovery 🧠

Modern frameworks like Next.js have specific priority rules for .env files. Kimu's CLI automatically scans and respects this order:

.env
.env.development
.env.local (Highest priority)

3. One Binary, Two Faces 🎭

The coolest part of the architecture is that the single kimu executable acts as a headless CLI wrapper when you pass the run argument, but functions as a full Tauri desktop application when executed without arguments.

Give it a Try!

If you are currently hardcoding raw secrets in your .env files, please give Kimu a try. It will give you peace of mind while pair-programming with AI.

Pre-built binaries (macOS .dmg and Windows .exe) are available in the repository.

If you find it useful, a Star ⭐️ on GitHub would mean the world to me! I'm also open to feedback, Issues, and Pull Requests.

DEV Community: EriTech