envm

Secure environment variable manager - store and sync .env files across machines.

Features

• Encrypted storage: All env files are encrypted with AES-256-GCM
• Multi-environment support: Manage dev, staging, prod, and custom environments
• Remote sync: Pull and push env files between server and local machine
• Setup wizard: Interactive setup for both server and client modes
• Automatic SSH tunneling: Built-in SSH tunnel management for secure remote access
• Interactive mode: Commands prompt for inputs when called without arguments
• System service: Auto-install as systemd (Linux) or launchd (macOS) service

Installation

npm install -g @motive_sx/envm

Quick Start

Setup Wizard (Recommended)

The easiest way to get started is with the interactive setup wizard:

envm setup

This will guide you through:

• Server mode: Generate encryption key, configure port, install as system service
• Client mode: Configure SSH connection for automatic tunneling

Server Setup (Manual)

1. Start the envm server:

envm server start --port 3737

2. Create a project and add variables:

envm init myapp
envm set myapp dev DB_HOST=localhost DB_PORT=5432
envm set myapp prod DB_HOST=prod.example.com DB_PORT=5432

Client Setup (Manual)

1. Configure the CLI:

envm config set server http://localhost:3737

2. Set up SSH tunnel (if not using automatic tunneling):

ssh -L 3737:localhost:3737 your-server

3. Pull env files:

cd your-project
envm pull myapp dev           # Saves to .env
envm pull myapp prod -o .env.production

4. Push local changes:

envm push myapp dev           # Pushes .env
envm push myapp staging -f .env.staging

Interactive Mode

Commands can be run without arguments for an interactive experience:

# Interactive project creation
envm init
? Project name: myapp

# Interactive variable setting
envm set
? Select project: myapp
? Select environment: dev
? Enter KEY=value (empty to finish): DATABASE_URL=postgres://localhost/myapp
? Enter KEY=value (empty to finish): REDIS_URL=redis://localhost:6379
? Enter KEY=value (empty to finish):
Set 2 variables in myapp/dev

# Interactive variable viewing
envm get
? Select project: myapp
? Select environment: dev
? Variable key (leave empty for all):

Commands

Setup & Configuration

Command	Description
envm setup	Interactive setup wizard
envm config set server <url>	Configure remote server URL
envm config get [key]	View configuration

Server Commands

Command	Description
envm server start [--port 3737]	Start the envm server
envm init [project]	Create a new project
envm set [project] [env] [KEY=value]	Set environment variables
envm get [project] [env] [key]	Get environment variables
envm edit <project> [env]	Edit env in your default editor
envm list	List all projects
envm envs <project>	List environments for a project

Client Commands

Command	Description
envm pull <project> [env]	Pull env from remote to local .env
envm push <project> [env]	Push local .env to remote
envm list -r	List projects from remote
envm envs <project> -r	List environments from remote

Options

• [env] defaults to dev if not specified
• --output, -o <file> - Specify output file for pull (default: .env)
• --file, -f <file> - Specify input file for push (default: .env)
• --force - Overwrite existing files without prompting
• --create - Create project on push if it doesn't exist
• --remote, -r - Force remote server operation

SSH Tunnel (Automatic)

When configured via envm setup in client mode, SSH tunnels are managed automatically:

envm setup
? How will you use envm? Client - Pull/push from remote server
? SSH host: myserver.com
? SSH username: deploy
? SSH port: 22
? Authentication method: SSH key
? Path to private key: ~/.ssh/id_rsa
Testing connection... Connected!
Setup complete!

# Now pull/push commands auto-connect via SSH
envm pull myapp dev
Establishing SSH tunnel... Connected.
Pulled 5 variables to .env

Supported authentication methods:

• SSH key: Path to private key (recommended)
• Password: Prompted at runtime, never stored

System Service

During server setup, envm can install itself as a system service:

Linux (systemd):

envm setup
? Install as system service? Yes
Installing systemd service...
Service installed and started.

# Manage with systemctl
sudo systemctl status envm
sudo systemctl restart envm

macOS (launchd):

envm setup
? Install as system service? Yes
Installing launchd service...
Service installed and started.

# Manage with launchctl
launchctl list | grep envm

Data Storage

Server

All data is stored in ~/.envm/:

~/.envm/
├── master.key          # Auto-generated encryption key (chmod 600)
├── config.json         # Configuration (chmod 600)
├── projects.json       # Project metadata
└── projects/
    └── myapp/
        ├── dev.enc     # Encrypted env files
        ├── staging.enc
        └── prod.enc

Client

Client configuration is stored in ~/.envm/config.json:

{
  "server": "http://localhost:3737",
  "mode": "client",
  "ssh": {
    "host": "myserver.com",
    "port": 22,
    "username": "deploy",
    "authMethod": "key",
    "privateKeyPath": "~/.ssh/id_rsa",
    "localPort": 3737,
    "remotePort": 3737
  },
  "setupComplete": true
}

Security

• Encryption: All env files are encrypted with AES-256-GCM
• Master key: Auto-generated on first run, stored with 0600 permissions
• Config protection: Config file stored with 0600 permissions
• Localhost only: Server binds to 127.0.0.1 by default
• SSH tunneling: Secure remote access via encrypted SSH connection
• No password storage: SSH passwords are prompted at runtime, never saved
• No auth required: Security is provided by SSH tunnel

Development

# Install dependencies
npm install

# Run in development
npm run dev -- <command>

# Build
npm run build

# Run built version
npm start -- <command>

License

MIT