VaultEnv

A secure offline CLI secret manager that helps developers protect API keys and credentials from leaks, logs, shell history, and accidental exposure.

🌐 Live Demo: https://vaultenv-fe.vercel.app/


Inspiration

The idea for VaultEnv came from a problem I kept seeing while building projects and working during internships: developers constantly expose secrets without realizing it.

API keys end up inside:

  • .env files pushed to GitHub
  • terminal history
  • logs
  • screenshots
  • AI coding tools
  • copied commands in chats

Even experienced developers make these mistakes because current workflows make it very easy to leak credentials accidentally.

I wanted to build something that felt simple like a normal CLI tool but was designed with security first.

The main question I kept thinking about was:

Can developers use secrets safely without constantly worrying about exposing them?

That became the foundation of VaultEnv.


What It Does

VaultEnv is an offline-first encrypted secret manager for developers.

It allows users to:

  • securely store secrets locally
  • encrypt credentials using strong cryptography
  • inject secrets directly into processes
  • avoid exposing keys in terminal history
  • manage sessions using OS-native keyrings
  • rotate and update secrets safely
  • maintain secure audit logs

The goal was to make secure secret management feel natural during development instead of something developers avoid because it's complicated.


How I Built It

VaultEnv was built using:

  • Node.js
  • Commander.js
  • AES-256-GCM
  • PBKDF2-SHA256
  • Keytar

The encryption system uses PBKDF2 for key derivation:

\[ K = \text{PBKDF2}(\text{password}, \text{salt}, \text{iterations}) \]

where:

  • \(K\) is the derived encryption key
  • SHA-256 is used internally
  • iterations \( \geq 100000 \)

Secrets are encrypted using AES-256-GCM:

\[ C = \text{AES-256-GCM}(K, \text{plaintext}) \]

This provides both:

  • confidentiality
  • integrity verification
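
The two formulas above, put together as a runnable Node.js sketch. This is an added example, not VaultEnv's own code: the function names, the record layout (salt || nonce || tag || ciphertext), the 16-byte salt, the 12-byte nonce, and binding the secret's name as associated data are all assumptions made for illustration.

```javascript
// Added illustration; not VaultEnv's source. Layout and sizes are assumptions.
const nodeCrypto = require('crypto');

const ITERATIONS = 100000; // the write-up states iterations >= 100000
const SALT_LEN = 16;       // assumed
const NONCE_LEN = 12;      // assumed; 96 bits is the standard GCM nonce size
const TAG_LEN = 16;        // GCM authentication tag
const HEADER = SALT_LEN + NONCE_LEN + TAG_LEN;

// K = PBKDF2(password, salt, iterations) with SHA-256; 32 bytes for AES-256.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// Returns salt || nonce || tag || ciphertext. The secret's name is bound as
// associated data, so a record moved under another name fails to decrypt.
function seal(password, name, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]);
}

// Throws when the password, the name, or any byte of the record is wrong.
function unseal(password, name, record) {
  if (record.length < HEADER) throw new Error('record too short');
  const salt = record.subarray(0, SALT_LEN);
  const nonce = record.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = record.subarray(SALT_LEN + NONCE_LEN, HEADER);
  const key = deriveKey(password, salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(tag);
  // final() verifies the tag; plaintext is only returned if it matches.
  return Buffer.concat([decipher.update(record.subarray(HEADER)), decipher.final()]).toString('utf8');
}

// True when unseal() refuses the input (integrity check failed).
function rejects(password, name, record) {
  try { unseal(password, name, record); return false; } catch { return true; }
}
```

Flipping one bit of a sealed record, or calling unseal() with the wrong password or name, makes final() throw instead of returning altered plaintext; that is the integrity half of the list above.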

One feature I spent a lot of time on was secure process injection.

Instead of exposing secrets globally, VaultEnv injects credentials directly into child processes only when needed. This reduces the chance of secrets leaking through:

  • shell history
  • terminal logs
  • accidental printing
  • process dumps

I also integrated native OS keyrings so sessions could remain secure without storing sensitive data in plaintext.


Challenges I Faced

Balancing Security and Simplicity

One of the biggest challenges was making the tool secure without making it annoying to use.

A lot of security tools are technically strong but frustrating in real workflows. I wanted VaultEnv to feel lightweight and developer-friendly while still following strong security practices.

That balance was harder than expected.


Understanding Cryptography Properly

Before building this project, I had only used encryption libraries at a surface level.

VaultEnv forced me to deeply understand:

  • authenticated encryption
  • nonce management
  • key derivation
  • secure randomness
  • encryption lifecycle design

I spent a lot of time researching why certain cryptographic choices are considered safe while others are dangerous.


Preventing Secret Leaks

Modern development environments have many hidden ways secrets can leak.

I had to think carefully about:

  • shell behavior
  • subprocess handling
  • environment inheritance
  • temporary memory exposure
  • cleanup after execution

A major focus became reducing accidental human mistakes rather than only defending against attackers.


What I Learned

Building VaultEnv taught me much more than just encryption.

I learned about:

  • secure software architecture
  • developer security workflows
  • operating system credential storage
  • process management in Node.js
  • threat modeling
  • designing tools for real developer behavior

One important thing I realized is:

Security tools only work if developers actually enjoy using them.

A perfectly secure system becomes useless if people avoid it because it slows them down.


Future Improvements

Some future ideas for VaultEnv include:

  • encrypted secret sharing
  • team-based secret workspaces
  • temporary access tokens
  • browser extension support
  • cloud sync with zero-knowledge encryption
  • hardware security key integration

I also want to improve the overall developer experience and make onboarding easier for new users.


Final Thoughts

VaultEnv started as a small side project but became one of the projects that taught me the most as a developer.

It pushed me to think beyond just writing code and focus on:

  • security
  • usability
  • developer behavior
  • real-world risk

More than anything, it showed me that good security products are not just about protecting systems; they are about helping people work safely without changing how they naturally build software.
