Sync environment variables across your team. No more "it works on my machine."
- New developer joins → spends half a day hunting for the right
.envvalues - Someone updates a secret → nobody else knows until production breaks
- "Can you send me the latest API keys?" in Slack → security nightmare
Paid SaaS solutions exist, but do you really want your production secrets on someone else's infrastructure?
envdrift is an open-source CLI that encrypts .env files and syncs them using your existing cloud vault and git.
No hosted service, no additional servers, no third-party trust.
- Your infrastructure — Works with all major cloud providers: Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager
- Zero trust required — Secrets never leave your cloud
- No new servers — Just a CLI tool, no client-server architecture
- Free forever — MIT licensed, no per-seat pricing
# New team member onboarding - one command
envdrift pull
# That's it. Keys synced from vault, .env files decrypted, ready to code.📘 This is the heart of envdrift. The end-to-end walkthrough — encrypt, push your key to your cloud vault, and have teammates pull and decrypt in one command — lives in the Env File Sync Guide. Start there.
One-liner (recommended):
# macOS / Linux
curl -sSL https://raw.githubusercontent.com/jainal09/envdrift/main/install.sh | sh
# Windows (PowerShell)
irm https://raw.githubusercontent.com/jainal09/envdrift/main/install.ps1 | iexOr via pip:
pip install "envdrift[vault]" # All vault providers1. Encrypt and push to vault (once per project):
envdrift encrypt .env.production
envdrift vault-push . my-app-key --env production --provider azure --vault-url https://myvault.vault.azure.net/2. Team members pull instantly (no config needed):
envdrift vault-pull . my-app-key --env production --provider azure --vault-url https://myvault.vault.azure.net/vault-pull fetches the key, writes .env.keys, and decrypts .env.production in one step.
3. Daily workflow (config-based, needs [vault.sync] in envdrift.toml):
envdrift pull # After git pull - sync keys, decrypt
envdrift lock # Before commit - encrypt, verify keysNote:
pull/lockoperate on all services defined in your sync config. For a single secret without any TOML config, usevault-pull/vault-push.
| Feature | Description |
|---|---|
| Schema Validation | Validate .env against Pydantic schemas |
| Environment Diffing | Compare dev vs staging vs production |
| Vault Integration | Azure, AWS, HashiCorp, GCP |
| Encryption | dotenvx and SOPS backends |
| CI/CD Mode | Fail builds on misconfiguration |
envdrift validate .env --schema config:Settings
envdrift diff .env.dev .env.prodFull documentation: jainal09.github.io/envdrift
MIT