Show HN: Liberty – Hardware-bound secret manager (no more .env files)

7•deciphergit•3w ago

I got tired of: - .env files committed to Git (seen it happen 100+ times) - API keys shared in Slack - Wondering who has access to what secrets

So I built Liberty - a CLI tool that replaces .env files with hardware-bound encryption.

How it works:

  $ pip install liberty-secrets
  $ liberty add DATABASE_URL postgresql://...
  $ liberty add STRIPE_KEY sk-...
  $ liberty exec npm start

Secrets are encrypted with a key derived from your machine's hardware (CPU ID + machine ID + disk serial). If someone steals your .liberty vault file, it's useless on their machine.

Features:

  - Hardware-bound AES-256-GCM encryption
  - Complete audit trail (compliance-ready)
  - Works offline (no servers, no accounts)
  - Global vault (~/.liberty/ works from any directory)
  - MIT licensed, free for individual use

GitLab: https://gitlab.com/deciphergit/liberty

PyPI: https://pypi.org/project/liberty-secrets/

Team features (secret sharing) coming soon as paid tier.

Feedback welcome!

Comments

nosuchthing•3w ago

Anyone who uses this risks being locked out forever because the "key" will be destroyed if they upgrade their computer or suffer hardware failures.

ZeroConcerns•3w ago

Not really -- any secrets stored using this method should also live in a password manager somewhere. It's about providing more-secure programmatic access to secrets.

Basically, it rebuilds Windows DPAPI from first principles, which is fine (I've done it many times myself!), and something non-Windows platforms sorely need. It changes the impact of malware from "they dumped all our secrets from prod to their C2" to "they got some encrypted values, and now someone will need to figure out our methodology and underlying keys", which is a meaningfully higher bar.

hackingonempty•3w ago

How much entropy is in cpu id, machine id and disk serial? You might as well just generate an appropriate length random key and store it in the config dir.

Better would be to use the OS secret storage API to store the secrets. Maybe put the context name they are stored under in the .liberty file.

dissent•3w ago

STRIPE_KEY I understand because it's an external service that you can't really simulate locally. But DATABASE_URL - why not just default this to localhost, and default the secret to a dummy string? If your workflow doesn't even use secrets in the first place, you can never accidentally commit them.

Start all of your commands with a comma (2009)

Hoot: Scheme on WebAssembly

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

The Waymo World Model

Vocal Guide – belt sing without killing yourself

Reinforcement Learning from Human Feedback

Making geo joins faster with H3 indexes

Where did all the starships go?

Unseen Footage of Atari Battlezone Arcade Cabinet Production

Jeffrey Snover: "Welcome to the Room"

ga68, the GNU Algol 68 Compiler – FOSDEM 2026 [video]

What Is Ruliology?

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Monty: A minimal, secure Python interpreter written in Rust for use by AI

Show HN: I spent 4 years building a UI design tool with only the features I use

Hackers (1995) Animated Experience

Sheldon Brown's Bicycle Technical Info

Show HN: If you lose your memory, how to regain access to your computer?

Microsoft open-sources LiteBox, a security-focused library OS

An Update on Heroku

Cross-Region MSK Replication: K2K vs. MirrorMaker2

PC Floppy Copy Protection: Vault Prolok

Was Benoit Mandelbrot a hedgehog or a fox?

Dark Alley Mathematics

The AI boom is causing shortages everywhere else

How to effectively write quality code with AI

Delimited Continuations vs. Lwt for Threads

I now assume that all ads on Apple news are scams

Introducing the Developer Knowledge API and MCP Server

Understanding Neural Network, Visually