.env is dead. Long live anv.
You know that moment when you push a commit and immediately panic because you think you might have accidentally committed your .env file?
Or worse, you find out later that your AI coding agent silently read your DB_URL and sent it to some server you don't control?
Yeah. Me too.
I got tired of being scared of a plaintext file.
So I built anv.
What is anv?
anv is a CLI tool that kills .env files. Period.
- No plaintext secrets on disk.
- No accidental git push leaks.
- No AI agent reading your keys.
- No dotenv library required.
Your code stays the same. You just change how you run it.
# Before
node app.js
# After
anv run -- node app.js
That's it.
How it works
- Initialize once
anv init
This creates an encrypted store (AES-256-CBC + HMAC) and a master key. The key never leaves your machine.
- Add your secrets
anv set DB_URL=postgres://localhost
anv set API_KEY=12345
Your secrets are encrypted immediately. The store file is safe to commit to git.
- Run your app
anv run -- npm start
anv decrypts your secrets in memory, injects them as environment variables, and runs your command. No files. No leaks. No AI reading your keys.
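The three steps above, sketched as an added Ruby example (Ruby reads much like Crystal; this is not anv's code). The store layout, the choice of HMAC-SHA256 and the subkey derivation are assumptions, since the post names only AES-256-CBC + HMAC.

```ruby
require "openssl"

# Assumed layout (not anv's real format): IV (16) || ciphertext || HMAC-SHA256 tag (32).
class TamperedStore < StandardError; end

# Assumption: separate encryption and MAC subkeys derived from the master key.
def subkeys(master)
  %w[enc mac].map { |label| OpenSSL::HMAC.digest("SHA256", master, label) }
end

def seal(master, plaintext)
  enc_key, mac_key = subkeys(master)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = enc_key
  iv = cipher.random_iv # fresh IV on every write
  body = iv + cipher.update(plaintext) + cipher.final
  body + OpenSSL::HMAC.digest("SHA256", mac_key, body) # encrypt-then-MAC
end

# Compare tags without stopping at the first differing byte.
def same_tag?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def open_store(master, blob)
  enc_key, mac_key = subkeys(master)
  raise TamperedStore, "store too short" if blob.bytesize < 64
  body, tag = blob[0...-32], blob[-32..]
  # Verify first, so modified bytes never reach CBC decryption or its padding check.
  expected = OpenSSL::HMAC.digest("SHA256", mac_key, body)
  raise TamperedStore, "authentication failed" unless same_tag?(tag, expected)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = enc_key
  cipher.iv = body[0, 16]
  cipher.update(body[16..]) + cipher.final
end

# Decrypt in memory and pass the values to the child only through its environment.
def run_with_secrets(master, blob, *cmd)
  env = open_store(master, blob).each_line(chomp: true).to_h { |l| l.split("=", 2) }
  system(env, *cmd)
end

MASTER = OpenSSL::Random.random_bytes(32) # constructed demo key
STORE = seal(MASTER, "DB_URL=postgres://localhost\nAPI_KEY=12345") # values from the steps above
puts "authenticated, #{STORE.bytesize}-byte store" if open_store(MASTER, STORE)
```

Values injected this way are inherited by the child process and everything it spawns, so the scheme protects secrets at rest in the project directory rather than from code running inside that process tree.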
Why I built this
I use AI coding assistants every day. Cursor, Copilot, etc. They're amazing. But they read my project files to help me code. And that includes my .env file.
One day I realized: my DB_PASSWORD was being sent to an LLM provider's server just so the AI could "help me think."
That's insane.
So I built anv to keep my secrets offline. The AI can read every file in my project, but it only sees encrypted garbage.
What about teams?
anv works solo, but you can share the master key securely with teammates. Or use environment variables in CI/CD. It's flexible.
For production, you can still use Render/Vercel/Heroku environment dashboards. anv is for local development and keeping secrets out of git.
The stack
- Crystal language (fast, compiled, low memory)
- AES-256-CBC + HMAC for authenticated encryption
- File locking for concurrent access
- ~1,500 lines of code
No dependencies. No runtime. Just a single binary.
Is it production-ready?
It's version 0.1.0. I use it every day. You can too.
But more importantly, it's open source. Audit it. Break it. Fix it. Help me make it better.
Links
- GitHub: Github
- Install: git clone and crystal build
The bottom line
AI is changing how we code. But it shouldn't change how we handle secrets.
.env was good enough for 2015. It's not good enough for 2026.
anv is my attempt to fix that.
Try it. Break it. Tell me what you think.
And stop leaking your DB_URL to AI servers.
zendrx
Top comments (1)
You might like varlock.dev - it's a complete toolkit - with plugins to pull from 15 different sources. Also has built-in local encryption with biometric unlock.