Your .env files, encrypted, versioned, and shared on your terms.

ENV Layer is a local-first encrypted env manager. Secrets are encrypted on your machine, every change has history, commands get values through scoped injection instead of plaintext files — and the cloud syncs ciphertext it can never read to your other machines and your team.

Get startedOpen source local product

Local-first and open source

The CLI, daemon, and desktop app are open source and work offline forever. The cloud is optional.

End-to-end encrypted sync

The server stores ciphertext and wrapped keys only. The sync protocol is openly documented so you can verify that claim.

Team sharing with revocation

Grant teammates access with per-member key envelopes. Revoke a member and rotate without redistributing .env files.

History and safe diffs

Every environment is a ref with commits behind it. Diff dev against production without revealing a single value.

Runtime evidence

See which command ran with which environment, which keys were injected, and whether an agent held a short-lived lease.

Agent-safe by default

Give AI agents scoped, temporary, audited access instead of a whole .env file.