🌸 envware

![npm version](https://www.npmjs.com/package/envware)
![License](LICENSE.md)
![GitHub](https://github.com/envware/cli)

Securely sync encrypted secrets across your devices and team.

Envware is a CLI tool designed to simplify environment variable management with a focus on security, privacy, and developer experience.

Why Envware?

Stop sharing .env files via Slack, DMs, or insecure notes. Envware ensures your secrets never touch the cloud in plain text.

- 🔒 Zero-Trust Architecture: Built on a decentralized trust model. Your secrets are encrypted locally using AES-256-GCM. We never see your data.
- 🔑 SSH Identity: Authorization is tied to your existing SSH keys. No complex setup, no passwords to leak.
- 🏢 Multi-tenant Teams: Organize projects by teams with granular access control.
- 🛡️ Secure Key Exchange: Access is granted by encrypting a Project Key directly for a user's verified public key. No intermediate codes.
- ✨ Verification via Fingerprint: Verify collaborator identities using SHA256 fingerprints, making it immune to server-side tampering.

Quick Start

$3

Run directly with npx:
``

bash
npx envware login

$3

bash
npx envware project create my-awesome-api

$3

bash
Upload your local .env (encrypted locally first!)

npx envware push
On another machine, download and decrypt

npx envware pull


Security Model (How it works)
Envware uses a dual-key E2EE system:
1. User Identity: Derived from your local SSH public key.
2. Project Key: A unique AES-256 key generated for each project.
3. Storage: The server only stores "encrypted blobs". The Project Key is stored encrypted with your SSH Public Key.
$3

To ensure absolute security even if the database is compromised:
1. A collaborator requests access:

envw request team/project

.
2. They share their unique identity:

envw fingerprint

.
3. The owner approves the request:

envw approve

.
4. The owner verifies the fingerprint displayed on their screen matches the collaborator's identity before the CLI encrypts the key.
Result: Mathematical certainty that secrets only open for authorized devices.
Core Commands

- signup: Create a new account and your default team. -project: Manage projects (create, list, select). -team: Manage teams (create, list). -request : Request access to a project. -approve: Approve pending requests (Owner/Admin only). -sync-access: Sync all your approved accesses. -fingerprint: Show your device SHA256 identity. -keys: Manage your authorized SSH keys. -status`: Check your plan, team, and usage.

---

Website: https://www.envware.dev
Documentation: https://www.envware.dev/docs
GitHub: https://github.com/envware/cli 🌸