Quickstart
Install, init, set, exec — 60 seconds. Read →
envless
Kill .env. Keep process.env. One binary, age + sops underneath, nothing to log into.
What envless is
A thin CLI on top of age + sops:
- replaces
.envfiles with encrypted-in-reposecrets/*.env.enc - preserves
process.env.KEY— language-agnostic viaexecve - treats every human, agent, and CI runner as a first-class identity (one age pubkey each)
- ships zero servers, zero accounts, zero SaaS
envless init # creates .envless/identity.keyecho "sk-test-xyz" | envless set OPENAI_API_KEYenvless exec -- node server.js # process.env.OPENAI_API_KEY populated| envless | .env files | HashiCorp Vault | 1Password CLI | |
|---|---|---|---|---|
| Hosting | none (file in repo) | none | self-hosted server | hosted |
| Account required | no | no | no | yes |
| Encryption at rest | age + sops | none | own KMS | proprietary |
| Process injection | envless exec -- cmd | manual source | sidecar / templates | op run --env-file |
| Works offline | yes | yes | no | partial |
| License | Apache-2.0 | n/a | BSL 1.1 | proprietary |
Where to start
Architecture
Data flow, lifecycle of a secret, the .env problem. Read →
CLI reference
Every subcommand, every flag, exit codes, file formats. Read →
Security
Threat model, cryptography, key rotation, audit. Read →
Status
v0.0.1 — single-user core: init, set, get, list, exec, migrate. Teams + plugins + skill in v0.1. See the roadmap and the changelog.
Living docs. Every page is a single dense reference — open the sidebar, find the topic, read it once.