Skip to content(if available)orjump to list(if available)

Show HN: Lockenv – Simple encrypted secrets storage for Git

Show HN: Lockenv – Simple encrypted secrets storage for Git

3 comments

·December 8, 2025

Hi!

I got tired of setting up tools I can't explain to a team in a few words like sops or git-crypt, just to store few files with environment variables or secrets, so I built lockenv as a simple alternative.

It's basically a password-protected vault file you commit to git. No gpg keys, no cloud, just lockenv init, set a password, and lock/unlock the secrets.

This tool integrates with OS keyring, so you're not typing passwords constantly. Should work on Mac/Linux/Windows, but I tested it only on linux so far.

I am not trying to replace any mature / robust solution, just making small tool for simple cases, where I want to stop sharing secrets via slack.

Feel free to try, thank you!

Visit

jillesvangurp

Sounds useful. We do similar things with encrypted properties files. Also, things like Ansible come with ansible vault. If you use Github, you can use Github secrets of course. And AWS/GCP/etc. tend to have secret stores.

The challenge with this solution is of course managing who has access and dealing with people leaving your team and no longer being trusted. Even if you still like them personally, just because they are outside your team would require you to change any credentials they might have.

In our case, our team is small and I simply ignore this problem. So, we have a keepass file with shared secrets and repositories with encrypted properties files and a master password in this keepass file. Mostly, it's just me handling the password. It also gets configured as a Github secret on repositories for CI and deployment jobs. It works. But I'm aware of the limitations.

This is an area where there are lots of tools but not a whole lot of standardized ones or good practices for using them. It's one of those things that acts as a magnet for enterprise complexity. Tools like this tend to become very unwieldy because of this. Which is why people keep reinventing them.

shoemann

Absolutely agree. That is exactly why I made this tool - my projects usually don't have ansible, github, aws and other external dependencies, or have different sets of such dependencies, and teams are too small to use something enterprise level.

rcarmo

I use a Makefile target with GPG :)