README.md: 55 additions & 3 deletions
@@ -8,6 +8,8 @@ Instead of storing secrets in `.env` files that can be accidentally committed, l
8
8
9
9
Enveil uses a SQLCipher-encrypted SQLite vault stored at `~/.enveil/vault.db`. The master key never touches disk — it lives only in memory while the daemon is running, or is derived fresh from your password on each command. Variables are organized by project and environment, making it easy to manage development, staging, and production secrets separately.
10
10
11
+
For teams, Enveil includes a self-hosted server that centralizes secrets across developers. Variables are encrypted on the client before being sent to the server — the server never sees plaintext values.
12
+
11
13
## Installation
12
14
13
15
### Linux and macOS
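Review bot: The added sentence "the server never sees plaintext values" does not say which key the client encrypts with or who holds it, which is the one thing a reader needs to judge the claim; the paragraph just above states that the local master key is derived from the user's password, so say here whether the team-mode encryption key is that key, the shared API key, or something else, and where it lives.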
@@ -25,7 +27,7 @@ Use [WSL2](https://learn.microsoft.com/en-us/windows/wsl/install) and run the Li
25
27
26
28
Requires Go 1.22 or later and `libsqlcipher-dev` (Ubuntu/Debian) or `sqlcipher` (macOS).
27
29
```bash
28
-
go install github.com/MaximoCoder/Enveil/cmd/enveil@latest
30
+
go install github.com/MaximoCoder/Enveil/cli/cmd/enveil@latest
29
31
```
30
32
31
33
### Shell integration
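Review bot: The install path changes from `cmd/enveil` to `cli/cmd/enveil`, but the diff does not say whether `cli/` is its own Go module; if it is, `go install github.com/MaximoCoder/Enveil/cli/cmd/enveil@latest` needs the module path to be `github.com/MaximoCoder/Enveil/cli` with its own `cli/vX.Y.Z` tags, otherwise `@latest` resolves against the root module. Worth one sentence on the layout, and a check that any other build or contributing docs still pointing at `cmd/enveil` are updated in the same change.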
@@ -137,20 +139,70 @@ enveil daemon stop # stop daemon, key is removed from memory
137
139
138
140
The daemon is optional. Without it, Enveil asks for your password on each command.
139
141
142
+
## Team server
143
+
144
+
The Enveil server allows teams to share encrypted secrets across developers without relying on `.env` files, chat messages, or shared drives.
145
+
146
+
### How it works
147
+
148
+
The server stores all variables encrypted. Values are encrypted on the client before being sent over the network — the server never sees plaintext values. Even if the server is compromised, secrets remain unreadable without the API key.
149
+
150
+
### Installing the server
151
+
152
+
Download the server binary from the [latest release](https://github.com/MaximoCoder/Enveil/releases/latest) for your platform (`enveil-server-linux-amd64`, `enveil-server-darwin-arm64`, etc.) and place it in your PATH.
153
+
154
+
### Running the server
155
+
```bash
156
+
ENVEIL_API_KEY=your-secret-key \
157
+
ENVEIL_VAULT_PASSWORD=your-vault-password \
158
+
ENVEIL_PORT=8080 \
159
+
enveil-server
160
+
```
161
+
162
+
The server stores its vault at `~/.enveil-server/vault.db` by default. You can override this with `ENVEIL_VAULT_PATH`.
163
+
164
+
For production, put the server behind a reverse proxy like nginx with HTTPS enabled.
165
+
166
+
### Connecting the CLI to the server
167
+
```bash
168
+
enveil server connect http://your-server:8080 --key your-secret-key
169
+
```
170
+
171
+
Once connected, all CLI commands use the server instead of the local vault. The connection settings are saved in `~/.enveil/config.json`.
172
+
```bash
173
+
enveil server status # check connection
174
+
enveil server disconnect # switch back to local vault
175
+
```
176
+
177
+
### Team workflow
178
+
179
+
The admin sets up the server once and shares the server URL and API key with the team. Each developer runs:
180
+
```bash
181
+
enveil server connect http://192.168.1.100:8080 --key shared-api-key
182
+
enveil init
183
+
```
184
+
185
+
From that point, all `set`, `get`, `list`, `run`, `import`, `export`, `diff`, and `env` commands operate against the shared server. Variables set by one developer are immediately available to all others.
186
+
140
187
## Project structure
141
188
```
142
189
~/.enveil/
143
-
vault.db # SQLCipher encrypted database
144
-
config.json # Active project and environment (no secrets)
config.json # Active project, environment, and server connection
145
192
daemon.sock # Unix socket (only while daemon is running)
146
193
daemon.pid # Daemon process ID (only while daemon is running)
194
+
195
+
~/.enveil-server/
196
+
vault.db # Server vault (on the machine running enveil-server)
197
+
salt # Key derivation salt
147
198
```
148
199
149
200
## Security model
150
201
151
202
-**Vault encryption**: AES-256 via SQLCipher. The entire database file is encrypted, including table names, project names, and variable names.
152
203
-**Key derivation**: Argon2id with 64MB memory, 4 threads. Resistant to GPU and ASIC brute-force attacks.
153
204
-**Master key**: Never written to disk. Lives in memory only while the daemon is running.
205
+
-**Transport encryption**: Values are encrypted with AES-GCM on the client before being sent to the server. The server stores and returns ciphertext only.
154
206
-**File permissions**: Vault and config files are created with `0600` permissions (owner read/write only).
155
207
-**Process injection**: Variables are passed directly to child process environments via `syscall.Exec`, never written to temporary files.
156
208
-**Secret scanning**: Pre-commit hook combines pattern matching and Shannon entropy analysis to catch secrets before they reach version control.
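Review bot: The "How it works" claim "Even if the server is compromised, secrets remain unreadable without the API key" is contradicted by the "Running the server" example, which starts the server with `ENVEIL_API_KEY=your-secret-key` (and `ENVEIL_VAULT_PASSWORD`) in its own environment: whoever compromises the server process reads both. The compromise-resistance claim only holds if the client-side AES-GCM key is derived from something the server is never given; either state that in the "Transport encryption" bullet (which is really client-side encryption at rest, not transport) or soften the claim. Two smaller points in the same hunk: both `enveil server connect` examples use plain `http://` and pass the key via `--key` on the command line, where it lands in shell history, while the production advice is HTTPS, so show an `https://` URL and mention the history caveat; and with one shared API key there is no per-developer identity, so the "Team workflow" paragraph should note that removing a developer means rotating the key for the whole team.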