Show HN: KeyEnv – CLI-first secrets manager for dev teams (Rust)
keyenv.dev
Hi HN,
I built KeyEnv because I was tired of the "can you Slack me the Stripe key?" workflow.
The problem: My team's secrets lived in a mix of Slack DMs, shared Google Docs, and .env files that definitely weren't in .gitignore at some point. Enterprise tools like Vault required more DevOps time than we had. Doppler was close but felt heavier than we needed.
What KeyEnv does:
  keyenv init               # link project
  keyenv pull               # sync secrets to local .env
  keyenv run -- npm start   # inject secrets, run command
That's basically it. Secrets are encrypted client-side (AES-256-GCM) before leaving your machine. Zero-knowledge architecture—we can't read your secrets even if we wanted to.
Technical details:
- Single Rust binary, no runtime dependencies
- Works offline (cached secrets)
- RBAC for teams (owner/admin/member/viewer)
- Service tokens for CI/CD
- Full audit trail
Honest tradeoffs:
- SaaS only, no self-hosted option
- Fewer integrations than Doppler
- If you need dynamic secrets or PKI, use Vault
Pricing: Free tier (3 projects, 100 secrets), $12/user/month for teams.
Would love feedback on the CLI UX and any rough edges. Happy to answer questions about the architecture.
https://www.keyenv.dev

Love the CLI-first approach for secrets. The Rust implementation should give you solid performance for dev workflows.
How does it handle rotation policies and audit logs? We've found that API key rotation is often where teams struggle with governance at keypost.ai.
Congrats on shipping!
Thanks! Audit logs are fully implemented. One special focus is obviously on granular permissions on environment access. About rotation: that's going to be the next big feature, planning to ship within the next 15 days! Would really appreciate some usage feedback; the service has been migrated to proper hardware and is now fully functional (no cold starts on free instances).