DEV Community

Ivan Annovazzi

Your .env Files Are a Security Incident Waiting to Happen

You've done it. I've done it. We've all done it.

Pasted a .env file into Slack. Committed DATABASE_URL to a repo "just temporarily." Spent 45 minutes debugging prod because someone was running against staging credentials and nobody realized it. Onboarded a new dev by saying "ask Sarah for the .env file" — and Sarah sends it over Gmail.

This is how secrets get leaked. Not through sophisticated attacks. Through completely normal, everyday developer workflows.

KeyEnv is our answer to this. And today, we're officially launching with a batch of updates that make it genuinely ready for teams.


What KeyEnv Actually Does

KeyEnv replaces your scattered .env files with a secure, centralized workflow that fits into how you already work — without changing how your apps consume environment variables.

Secrets are encrypted at rest with AES-256-GCM, scoped per project and per environment (dev, staging, production), and access is managed per team member. There's a full audit trail. You can rotate secrets, compare environments, and view version history — all from the CLI or the web dashboard.

The key idea: your app never needs a .env file on disk. Secrets are injected at runtime.

# Install the CLI
curl -fsSL https://keyenv.dev/install.sh | sh

# Authenticate with a service token from the dashboard
keyenv login

# Run your app — secrets are injected directly into the process
keyenv run -- npm start
keyenv run -- docker-compose up
keyenv run -- python manage.py runserver

That's it. No plaintext file sitting on disk. No risk of accidentally committing it. No "wait, which .env is this?"

If you're working with a legacy app that reads from a .env file directly, keyenv pull still works — but keyenv run is the better path forward.
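To make the runtime-injection idea concrete, here is an added illustration in Go of the mechanism the post describes. It is not KeyEnv's code (the real CLI is Rust and not shown on this page): a secrets map is sealed with AES-256-GCM, the project/environment scope is bound in as additional authenticated data so a blob sealed for one environment cannot be opened as another, and the decrypted values reach the application only through a child process's environment, never through a file on disk. The Scope type, the key handling and all sample values are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// Scope identifies which project/environment a blob belongs to. It is bound
// into the ciphertext as AES-GCM additional authenticated data, so a blob
// sealed for "staging" cannot be opened as "production" even with the right key.
type Scope struct {
	Project string
	Env     string
}

func (s Scope) aad() []byte { return []byte(s.Project + "/" + s.Env) }

// Seal encrypts a secrets map under a 32-byte key with AES-256-GCM. The output
// is nonce || ciphertext so it can be stored as one opaque blob at rest.
func Seal(key []byte, scope Scope, secrets map[string]string) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(secrets)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, scope.aad()), nil
}

// Open decrypts a blob produced by Seal. A wrong key, a tampered blob or a
// scope mismatch all fail the GCM tag check and return an error.
func Open(key []byte, scope Scope, blob []byte) (map[string]string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, scope.aad())
	if err != nil {
		return nil, fmt.Errorf("decrypt %s/%s: %w", scope.Project, scope.Env, err)
	}
	var secrets map[string]string
	if err := json.Unmarshal(plain, &secrets); err != nil {
		return nil, err
	}
	return secrets, nil
}

// BuildEnv merges decrypted secrets into a base environment (KEY=VALUE form).
// Secrets override inherited values; the result is sorted for determinism.
func BuildEnv(base []string, secrets map[string]string) []string {
	merged := map[string]string{}
	for _, kv := range base {
		if k, v, ok := strings.Cut(kv, "="); ok {
			merged[k] = v
		}
	}
	for k, v := range secrets {
		merged[k] = v
	}
	out := make([]string, 0, len(merged))
	for k, v := range merged {
		out = append(out, k+"="+v)
	}
	sort.Strings(out)
	return out
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // demo only: in practice the key never lives on the developer's disk
	scope := Scope{Project: "demo-app", Env: "dev"}
	// Constructed sample secret, not a real credential.
	blob, _ := Seal(key, scope, map[string]string{"API_KEY": "constructed-demo-value"})
	secrets, err := Open(key, scope, blob)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// Inject into the child process only; nothing is written to a .env file.
	cmd := exec.Command("sh", "-c", `echo "child sees API_KEY=$API_KEY"`)
	cmd.Env = BuildEnv(os.Environ(), secrets)
	cmd.Stdout = os.Stdout
	cmd.Run()
}
```

The scope-as-AAD detail is the part worth copying: it turns the "wait, which .env is this?" confusion into a hard decryption failure instead of a silent run against the wrong database.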


The Full Workflow in 30 Seconds

# See what's different between local and remote before pushing
keyenv diff

# Push your local secrets up
keyenv push

# Pull the latest from the server
keyenv pull

# Manage secrets directly
keyenv set API_KEY=abc123
keyenv get API_KEY
keyenv delete OLD_SECRET

# Check the version history of a secret
keyenv history API_KEY

# Switch between projects
keyenv switch my-other-project

The CLI is written in Rust — fast, single binary, no runtime dependencies. Releases are now signed with an Ed25519 keypair so you can verify what you're installing.
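The post says releases are signed with an Ed25519 keypair but does not show the verification step. The Go block below is an added illustration of what a verifier does with a pinned public key and a detached signature; it is not KeyEnv's own tooling, whose signature file layout and key distribution are not described on this page. The signing routine is included only so the example is self-contained (a real verifier holds just the public half), and the artifact bytes and keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// VerifyRelease checks a detached Ed25519 signature over the downloaded
// artifact bytes. The public key is pinned by the verifier (shipped with the
// previous CLI version or published out of band); it must not be fetched from
// the same place as the artifact, or an attacker who controls that host could
// swap both.
func VerifyRelease(pub ed25519.PublicKey, artifact, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("public key has %d bytes, want %d", len(pub), ed25519.PublicKeySize)
	}
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("signature has %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(pub, artifact, sig) {
		return fmt.Errorf("signature does not match artifact (sha256 %s)",
			hex.EncodeToString(sha256sum(artifact)))
	}
	return nil
}

func sha256sum(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// signRelease stands in for the publisher's release step so the example runs
// on its own; in practice this happens on the release machine, not the client.
func signRelease(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-in for an installer script; not the real install.sh.
	artifact := []byte("#!/bin/sh\necho constructed installer stand-in\n")
	sig := signRelease(priv, artifact)
	fmt.Println("genuine:", VerifyRelease(pub, artifact, sig))

	tampered := append([]byte{}, artifact...)
	tampered = append(tampered, []byte("echo extra line appended in transit\n")...)
	fmt.Println("tampered:", VerifyRelease(pub, tampered, sig))
}
```

The practical consequence for the one-line install: download the script and its signature to disk, verify against the pinned key, and only then execute it, rather than piping the fetched script straight into sh.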


What Just Shipped

We've been heads-down building. Here's what's live now:

  • Audit log viewer — full history of who accessed or changed what, when. Compliance teams will ask for this eventually. Now you have it.
  • Environment comparison view — see the diff between dev, staging, and production side by side. Catch the "why is this broken in prod but not locally?" problem before it happens.
  • Service token management — generate scoped tokens for CI/CD pipelines and automated workflows, managed from the dashboard.
  • Bulk import fix — .env files with empty values now import correctly. Sounds minor. Was definitely annoying.
  • Team plan at $4/user/month — straightforward pricing. No tiers designed to confuse you into the wrong one.
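Both keyenv diff above and the environment comparison view compare secret sets across environments. The Go block below is an added illustration of how such a comparison can be done safely; it is not KeyEnv's implementation or output format. It reports added, removed and changed keys by short SHA-256 fingerprints rather than values, so the diff can be pasted into a ticket or CI log without leaking secrets, and it also flags keys whose value is identical in both environments, which is exactly the "running prod against staging credentials" situation from the opening of the post. The sample environments are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Change records one difference between two environments. Values are never
// stored in the report, only a short fingerprint, so "same value or not" is
// visible without echoing secrets into a terminal or CI log.
type Change struct {
	Key     string
	Kind    string // "added", "removed" or "changed"
	LeftFP  string // fingerprint of the left value ("" if absent)
	RightFP string // fingerprint of the right value ("" if absent)
}

func fingerprint(v string) string {
	h := sha256.Sum256([]byte(v))
	return hex.EncodeToString(h[:4]) // 8 hex chars is enough to see equality
}

// DiffEnvs compares two secret sets by key, reporting keys present on only one
// side and keys whose values differ. Output is sorted by key for stable diffs.
func DiffEnvs(left, right map[string]string) []Change {
	keys := map[string]bool{}
	for k := range left {
		keys[k] = true
	}
	for k := range right {
		keys[k] = true
	}
	var out []Change
	for k := range keys {
		l, lok := left[k]
		r, rok := right[k]
		switch {
		case lok && !rok:
			out = append(out, Change{Key: k, Kind: "removed", LeftFP: fingerprint(l)})
		case !lok && rok:
			out = append(out, Change{Key: k, Kind: "added", RightFP: fingerprint(r)})
		case l != r:
			out = append(out, Change{Key: k, Kind: "changed", LeftFP: fingerprint(l), RightFP: fingerprint(r)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// SharedSecrets lists keys whose value is identical in both environments. A
// credential shared by staging and production usually deserves a second look,
// even though a plain diff would never show it.
func SharedSecrets(left, right map[string]string) []string {
	var out []string
	for k, l := range left {
		if r, ok := right[k]; ok && r == l {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample environments, not real KeyEnv data.
	staging := map[string]string{
		"DATABASE_URL": "postgres://staging-db/app",
		"API_KEY":      "stg-key",
		"DEBUG":        "1",
	}
	production := map[string]string{
		"DATABASE_URL": "postgres://prod-db/app",
		"API_KEY":      "stg-key",
		"SENTRY_DSN":   "https://example.invalid/1",
	}
	for _, c := range DiffEnvs(staging, production) {
		fmt.Printf("%-8s %-14s %s -> %s\n", c.Kind, c.Key, c.LeftFP, c.RightFP)
	}
	for _, k := range SharedSecrets(staging, production) {
		fmt.Printf("warning: %s has the same value in staging and production\n", k)
	}
}
```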

How It Compares

There are other tools in this space. Here's the honest version:

| Tool | Setup time | Team sync | No .env on disk | Hosted SaaS |
| --- | --- | --- | --- | --- |
| KeyEnv | Minutes | Yes | Yes (keyenv run) | Yes |
| HashiCorp Vault | Hours to days | Yes | Yes | No (self-host) |
| Infisical | 15-30 min | Yes | Yes | Yes (or self-host) |
| 1Password Secrets | 20-40 min | Yes | Partial | Yes |
| dotenv-vault | Minutes | Limited | No | Yes |

Vault is powerful, but if you're a 3-person startup, you don't want to maintain Vault. Infisical is solid but the onboarding has more surface area than most teams need. dotenv-vault encrypts your .env file — which is better than nothing, but it's still a file, and team sync is clunky. KeyEnv is designed to get you from "I have a problem" to "my team is using this" in under 10 minutes.


CI/CD Works Too

Service tokens mean you can pull secrets in any pipeline without storing credentials in your CI provider's environment variables UI (which is itself a kind of scattered .env problem).

# In your GitHub Actions workflow
- name: Run tests
  env:
    KEYENV_TOKEN: ${{ secrets.KEYENV_SERVICE_TOKEN }}
  run: keyenv run -- npm test

Secrets stay in KeyEnv. Your CI environment only holds one bootstrap token with scoped access.


Try It

KeyEnv is live at keyenv.dev. The CLI install is one line, the free tier covers solo projects, and the team plan is $4/user/month.

If you've got feedback — things that don't work the way you expect, features you'd want before switching from your current setup, anything — open an issue at github.com/keyenv/keyenv or reach out directly. We're actively building this and want to hear what's actually blocking people.

The .env file had a good run. There's a better way now.
