Your .env files, encrypted, versioned, and shared on your terms.
ENV Layer is a local-first encrypted env manager. Secrets are encrypted on your machine, every change has history, commands get values through scoped injection instead of plaintext files — and the cloud syncs ciphertext it can never read to your other machines and your team.
Local-first and open source
The CLI, daemon, and desktop app are open source and work offline forever. The cloud is optional.
End-to-end encrypted sync
The server stores ciphertext and wrapped keys only. The sync protocol is openly documented so you can verify that claim.
Team sharing with revocation
Grant teammates access with per-member key envelopes. Revoke a member and rotate without redistributing .env files.
History and safe diffs
Every environment is a ref with commits behind it. Diff dev against production without revealing a single value.
Runtime evidence
See which command ran with which environment, which keys were injected, and whether an agent held a short-lived lease.
Agent-safe by default
Give AI agents scoped, temporary, audited access instead of a whole .env file.