Skip to content
/ gitvault Public

Git-backed secrets manager CLI in Go: list, set, import/export .env, and run commands with secrets, powered by SOPS + age.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

aatuh/gitvault

BranchesTags

Repository files navigation

GitVault

GitVault is a git-backed secret manager (Go CLI) that stores encrypted secrets in a dedicated vault repository. It uses SOPS to encrypt dotenv files with age recipients and keeps a plaintext index for fast listing without decrypting.

Quickstart

Prereqs:

  • Install sops and age.
  • Ensure your age identity is available (default: ~/.config/sops/age/keys.txt). If you store it elsewhere (e.g., ./keys.txt), set SOPS_AGE_KEY_FILE.

First secret (copy/paste minimal flow):

# If your age identity lives elsewhere, set SOPS_AGE_KEY_FILE first.
# export SOPS_AGE_KEY_FILE=./keys.txt

age-keygen -o ~/.config/sops/age/keys.txt
RECIPIENT=$(age-keygen -y ~/.config/sops/age/keys.txt)

gitvault init --path ./vault --name my-vault --recipient "$RECIPIENT"
gitvault --vault ./vault secret set myapp dev API_KEY "abc123"
gitvault --vault ./vault secret export-env myapp dev --out .env --force --allow-git

# Optional sanity checks:
gitvault --vault ./vault secret list myapp dev
gitvault --vault ./vault doctor

Tip: gitvault init --recipient is the fastest path; you can also add recipients later with gitvault keys add.

Initialize a vault:

gitvault init --path ./vault --name my-vault --recipient age1example...

Add recipients later:

gitvault --vault ./vault keys add age1another...

Set secrets:

gitvault --vault ./vault secret set myapp dev API_KEY "abc123"

Import from a local .env:

gitvault --vault ./vault secret import-env --project myapp --env dev --file .env

Update a local .env in-place:

gitvault --vault ./vault secret apply-env --project myapp --env dev --file .env

Export to stdout or a file:

gitvault --vault ./vault secret export-env --project myapp --env dev
gitvault --vault ./vault secret export-env --project myapp --env dev --out .env --force --allow-git

Store and retrieve binary files:

gitvault --vault ./vault file put --project myapp --env dev --path ./photo.jpg
gitvault --vault ./vault file get --project myapp --env dev --name photo.jpg --out ./photo.jpg --force

List keys without decrypting values:

gitvault --vault ./vault secret list --project myapp --env dev --show-last-changed

Run a command with secrets injected (no .env on disk):

gitvault --vault ./vault secret run --project myapp --env dev -- ./run-server

Health check:

gitvault --vault ./vault doctor

Vault Layout

  • .gitvault/config.json: vault config (recipients, version)
  • .gitvault/index.json: plaintext index (projects/envs/keys + last updated)
  • secrets/<project>/<env>.env: encrypted SOPS dotenv files
  • files/<project>/<env>/<name>: encrypted binary files

Safe Defaults

  • Export refuses to overwrite existing files without --force.
  • Export refuses to write into git-tracked paths without --allow-git (untracked files inside a repo are allowed).
  • Export refuses to write plaintext inside the vault repo.

Docs

  • docs/quickstart.md
  • docs/team-keys.md

Output Format

Use --json for machine-readable output. Errors go to stderr and return a non-zero exit code.

Environment Variables

  • GITVAULT_SOPS_PATH: override sops binary path.
  • SOPS_AGE_KEY_FILE: override the age identity file.

Development

make test
make build

About

Git-backed secrets manager CLI in Go: list, set, import/export .env, and run commands with secrets, powered by SOPS + age.

Topics

cli golang security devops dotenv encryption ci-cd configuration-management developer-tools compliance age local-development sops secrets-management gitops secret-manager key-mana

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Jan 18, 2026

Packages

No packages published

Languages