Show HN: Lockenv – Simple encrypted secrets storage for Git

https://github.com/illarion/lockenv
27•shoemann•3h ago
Hi!

I got tired of setting up tools I can't explain to a team in a few words like sops or git-crypt, just to store a few files with environment variables or secrets, so I built lockenv as a simple alternative.

It's basically a password-protected vault file you commit to git. No gpg keys, no cloud, just lockenv init, set a password, and lock/unlock the secrets.

This tool integrates with the OS keyring, so you're not typing passwords constantly. Should work on Mac/Linux/Windows, but I tested it only on Linux so far.

I am not trying to replace any mature / robust solution, just making a small tool for simple cases, where I want to stop sharing secrets via Slack.

Feel free to try, thank you!

Comments

rcarmo•2h ago
I use a Makefile target with GPG :)

jillesvangurp•1h ago
Sounds useful. We do similar things with encrypted properties files. Also, things like Ansible come with ansible vault. If you use Github, you can use Github secrets of course. And AWS/GCP/etc. tend to have secret stores.

The challenge with this solution is of course managing who has access and dealing with people leaving your team and no longer being trusted. Even if you still like them personally, just because they are outside your team would require you to change any credentials they might have.

In our case, our team is small and I simply ignore this problem. So, we have a keepass file with shared secrets and repositories with encrypted properties files and a master password in this keepass file. Mostly, it's just me handling the password. It also gets configured as a Github secret on repositories for CI and deployment jobs. It works. But I'm aware of the limitations.

This is an area where there are lots of tools but not a whole lot of standardized ones or good practices for using them. It's one of those things that acts as a magnet for enterprise complexity. Tools like this tend to become very unwieldy because of this. Which is why people keep reinventing them.

shoemann•1h ago
Absolutely agree. That is exactly why I made this tool - my projects usually don't have ansible, github, aws and other external dependencies, or have different sets of such dependencies, and teams are too small to use something enterprise level.

crote•1h ago
> The challenge with this solution is of course managing who has access and dealing with people leaving your team and no longer being trusted. Even if you still like them personally, just because they are outside your team would require you to change any credentials they might have.

At least it's a clearly exposed problem: everyone who has ever cloned the repo has a copy of your secrets.

With software like 1Password it is way too easy to blindly rely on built-in permission management. People implicitly assume that removing a person's 1Password access means they can no longer rely on the underlying resource - but in practice they could've copied the secret onto a sticky note at any time, and it's not safe until you've rotated the secret!

With shared user accounts there's at least usually the possibility of using 2FA - but that's not exactly going to work with things like deployment tokens intended for automated use...

Of course in an ideal world we wouldn't have those kinds of secrets and we'd all be using short-lived tightly-scoped service accounts - but we don't live in an ideal world.

akabalanza•1h ago
That looks amazing, thanks for sharing!

I have a git-based sync tool for my dotenv files. Maybe I can store my ssh keys, too

Barathkanna•1h ago
This actually looks handy for the “small team with a couple of env files” use case. Most secret-management tools are great once you’re at scale, but trying to explain sops or git-crypt to a team that just wants to stop pasting secrets into Slack is… not fun. A simple password-protected vault committed to git is a reasonable middle ground.

I like the OS keyring integration too, removes a lot of friction. Curious how it behaves in multi-machine workflows and whether you plan to add any guardrails around accidental plaintext commits, since that’s usually where lightweight tools get tripped up.
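
One way to build the guardrail against accidental plaintext commits raised in the comment above, as an added example that is not part of the thread and not lockenv's own code: a Git pre-commit check that flags staged dotenv-style files and plaintext credential assignments. The file-name patterns, key-name hints and function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: pre-commit guardrail against committing plaintext env files.
# Assumptions (not lockenv behaviour): the name patterns and key-name hints
# below are illustrative; tune them to the repository.

# Succeeds when the file name looks like a real dotenv file
# (.env, .env.local, prod.env); templates such as .env.example are exempt.
is_env_name() {
  case "${1##*/}" in
    *.example|*.sample) return 1 ;;
    .env|.env.*|*.env) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds when the file has an uncommented KEY=value line whose key hints at
# a credential and whose value is non-empty (empty template slots pass).
has_secret_assignment() {
  grep -Eiq '^[[:space:]]*(export[[:space:]]+)?[A-Za-z0-9_]*(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY)[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*[^[:space:]#]' -- "$1"
}

# Prints each argument that should not be committed in plaintext.
flag_plaintext_secrets() {
  for f in "$@"; do
    [ -f "$f" ] || continue   # skip deleted paths and directories
    if is_env_name "$f" || has_secret_assignment "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Hook entry point: inspects files added, copied or modified in the index.
# It reads the working-tree copy, which can differ from the staged blob after
# a partial `git add -p`.
precommit_check() {
  flagged=$(git -c core.quotepath=off diff --cached --name-only --diff-filter=ACM |
    while IFS= read -r path; do flag_plaintext_secrets "$path"; done)
  [ -z "$flagged" ] && return 0
  printf 'Refusing to commit plaintext secrets:\n%s\n' "$flagged" >&2
  return 1
}
```

To use it, save the functions in `.git/hooks/pre-commit`, add a final line calling `precommit_check`, and make the file executable.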

8cvor6j844qw_d6•43m ago
> stop pasting secrets into Slack

You got me interested. I've seen sharing of API keys via Discords in hackathons.

submain•10m ago
This is great! Coincidentally, I just started replacing my collection of bespoke security bash scripts with an app like yours. WIP here: https://github.com/leolimasa/age-vault

We all keep reinventing the same thing :)
