I built KeyEnv because I was tired of the "can you Slack me the Stripe key?" workflow.
The problem: My team's secrets lived in a mix of Slack DMs, shared Google Docs, and .env files that definitely weren't in .gitignore at some point. Enterprise tools like Vault required more DevOps time than we had. Doppler was close but felt
heavier than we needed.
What KeyEnv does:
keyenv init # link project
keyenv pull # sync secrets to local .env
keyenv run -- npm start # inject secrets, run command
That's basically it. Secrets are encrypted client-side (AES-256-GCM) before leaving your machine. Zero-knowledge architecture—we can't read your secrets even if we wanted to.
Technical details:
- Single Rust binary, no runtime dependencies
- Works offline (cached secrets)
- RBAC for teams (owner/admin/member/viewer)
- Service tokens for CI/CD
- Full audit trail
Honest tradeoffs:
- SaaS only, no self-hosted option
- Fewer integrations than Doppler
- If you need dynamic secrets or PKI, use Vault
Pricing: Free tier (3 projects, 100 secrets), $12/user/month for teams.
Would love feedback on the CLI UX and any rough edges. Happy to answer questions about the architecture.