Show HN: Liberty – Hardware-bound secret manager (no more .env files)

7•deciphergit•3w ago
I got tired of:

  - .env files committed to Git (seen it happen 100+ times)
  - API keys shared in Slack
  - Wondering who has access to what secrets

So I built Liberty - a CLI tool that replaces .env files with hardware-bound encryption.

How it works:

  $ pip install liberty-secrets
  $ liberty add DATABASE_URL postgresql://...
  $ liberty add STRIPE_KEY sk-...
  $ liberty exec npm start

Secrets are encrypted with a key derived from your machine's hardware (CPU ID + machine ID + disk serial). If someone steals your .liberty vault file, it's useless on their machine.

Features:

  - Hardware-bound AES-256-GCM encryption
  - Complete audit trail (compliance-ready)
  - Works offline (no servers, no accounts)
  - Global vault (~/.liberty/ works from any directory)
  - MIT licensed, free for individual use

GitLab: https://gitlab.com/deciphergit/liberty

PyPI: https://pypi.org/project/liberty-secrets/

Team features (secret sharing) coming soon as paid tier.

Feedback welcome!

Comments

nosuchthing•3w ago
Anyone who uses this risks being locked out forever because the "key" will be destroyed if they upgrade their computer or suffer hardware failures.

ZeroConcerns•3w ago
Not really -- any secrets stored using this method should also live in a password manager somewhere. It's about providing more-secure programmatic access to secrets.

Basically, it rebuilds Windows DPAPI from first principles, which is fine (I've done it many times myself!), and something non-Windows platforms sorely need. It changes the impact of malware from "they dumped all our secrets from prod to their C2" to "they got some encrypted values, and now someone will need to figure out our methodology and underlying keys", which is a meaningfully higher bar.

hackingonempty•3w ago
How much entropy is in cpu id, machine id and disk serial? You might as well just generate an appropriate length random key and store it in the config dir.

Better would be to use the OS secret storage API to store the secrets. Maybe put the context name they are stored under in the .liberty file.
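
The two key designs discussed in this thread, side by side, as an added example that is not part of the thread and is not Liberty's code: a key derived only from machine identifiers, and a random 256-bit key kept in the config directory. The function names, the salt, the PBKDF2 parameters and all identifier values are assumptions constructed for illustration.

```python
import hashlib
import os
import secrets
import tempfile

def derive_hw_key(cpu_id: str, machine_id: str, disk_serial: str, salt: bytes) -> bytes:
    """Key derived only from machine identifiers (constructed scheme, not Liberty's)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    material = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode()
        for f in (cpu_id, machine_id, disk_serial)
    )
    # The KDF slows each guess; it does not add entropy the inputs lack.
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=32)

def load_or_create_random_key(path: str) -> bytes:
    """256-bit random key stored in the config dir, readable by the owner only."""
    try:
        # O_EXCL: fail rather than overwrite; 0o600 is applied at creation time.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as fh:
            return fh.read()
    with os.fdopen(fd, "wb") as fh:
        key = secrets.token_bytes(32)
        fh.write(key)
    return key

def demo() -> dict:
    salt = b"constructed-salt"  # sample value; a real vault would store a random salt
    # Constructed identifiers, not read from any real machine.
    ids = ("GenuineIntel-000306A9", "0f1e2d3c4b5a69788796a5b4c3d2e1f0", "S3Z9NX0M123456")
    original = derive_hw_key(*ids, salt)
    rederived = derive_hw_key(*ids, salt)  # any process that can read the IDs
    new_disk = derive_hw_key(ids[0], ids[1], "WD-REPLACEMENT-0001", salt)
    with tempfile.TemporaryDirectory() as cfg:
        path = os.path.join(cfg, "vault.key")
        rnd = load_or_create_random_key(path)
        again = load_or_create_random_key(path)
        mode = os.stat(path).st_mode & 0o777
    return {
        "same_ids_same_key": original == rederived,
        "disk_swap_locks_out": original != new_disk,
        "random_key_stable": rnd == again and len(rnd) == 32,
        "key_file_mode": mode,
    }

if __name__ == "__main__":
    print(demo())
```

The derived key is reproducible by anything that can read the three identifiers and changes when one component is replaced; the random key has full 256-bit strength but is only as protected as the file permissions on it.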

dissent•3w ago
STRIPE_KEY I understand because it's an external service that you can't really simulate locally. But DATABASE_URL - why not just default this to localhost, and default the secret to a dummy string? If your workflow doesn't even use secrets in the first place, you can never accidentally commit them.
