Open Source · CLI Tool · MIT License

Backup your .env files across machines.

End-to-end encrypted. No accounts. No passwords. Just your 12-word recovery phrase — and three commands.

$ npm install -g vaultenv-clicopy
AES-256
GCM
600k
PBKDF2 iters
BIP-39
12 words
timothy@mbp ~/projects

live session · recovery phrase stays on-device

Why vaultenv

06 features
01

End-to-end encryption

AES-256-GCM. Key derivation via PBKDF2-SHA256 at 600,000 iterations. Your plaintext never leaves the machine.

02

Recovery phrase only

12 BIP-39 words is your entire identity. No account. No email. No password reset. Lose it and we genuinely cannot help you.

03

Smart project matching

On restore, projects are matched by Git remote URL → package name → folder name. Files land in the right place automatically.

04

Zero knowledge server

The server stores an encrypted blob and a vault ID derived from your phrase. It has no key. It cannot read your secrets.

05

Cloud-first, machine-agnostic

New laptop, new job, CI server. Three commands and every .env file is back exactly where it belongs.

06

Full project restore

One command. Every project. Every .env variant — .env.local, .env.production, all of it, restored automatically.

How it works

Three commands. That's it.

Step 01
$ vaultenv init

Generates a 12-word BIP-39 recovery phrase. Derives your vault ID locally via SHA-256. Registers the vault. Phrase never sent to server.

$ vaultenv init
Generating recovery phrase...
forest maple orbit candle velvet
river puzzle anchor thunder mirror galaxy pebble
⚠ SAVE THIS PHRASE SECURELY.
✓ Vault created: 2928e364...
Step 02
$ vaultenv backup

Walks the directory tree from CWD. Finds all .env* files. Encrypts the payload client-side. Uploads the ciphertext blob.

$ cd ~/projects && vaultenv backup
Scanning for .env files...
Found 8 projects · 14 files
Encrypting — AES-256-GCM ✓
Uploading — 6.2 KB compressed
✓ bkp_8f97b2da86b4 — done
Step 03
$ vaultenv restore

Downloads the latest encrypted backup. Decrypts locally. Matches each project by fingerprint. Writes files to disk.

$ vaultenv restore
Downloading latest backup...
Decrypting — AES-256-GCM ✓
Found 8 projects in backup
✓ my-api/.env
✓ frontend/.env.local
✓ backend/.env.production
Restored 14 files · 8 projects

Install

Get started in seconds.

npm

npm install -g vaultenv-cli

then

$ vaultenv init
$ vaultenv backup
$ vaultenv restore

Commands

vaultenv initCreate vault & generate recovery phrase
vaultenv backupBackup all .env files in current tree
vaultenv restoreRestore latest backup on any machine
vaultenv listList all backups for this vault
vaultenv viewView backup contents after decryption

Security model

What we protect.
What we don't.

✓ Protected

Recovery phrase never leaves your device
AES-256-GCM encryption on every backup
PBKDF2-SHA256 key derivation · 600k iterations
Unique random IV and salt per backup
GCM auth tags prevent ciphertext tampering
Server never stores or sees plaintext

✗ Not protected

Client-side malware on your device
Physical access to an unlocked machine
A recovery phrase you share or lose

Technical spec

AlgorithmAES-256-GCM
KDFPBKDF2-SHA256
Iterations600,000
Phrase formatBIP-39 · 12 words
IV96-bit · random per backup
AuthGCM tag · 128-bit

Stop losing your .env files.

Install in 10 seconds. First backup in under a minute.