Show HN: KeyEnv – CLI-first secrets manager for dev teams (Rust)

https://www.keyenv.dev

5•ivannovazzi•2w ago

Hi HN,

I built KeyEnv because I was tired of the "can you Slack me the Stripe key?" workflow.

  The problem: My team's secrets lived in a mix of Slack DMs, shared Google Docs, and .env files that definitely weren't in .gitignore at some point. Enterprise tools like Vault required more DevOps time than we had. Doppler was close but felt
  heavier than we needed.

  What KeyEnv does:
  keyenv init          # link project
  keyenv pull          # sync secrets to local .env
  keyenv run -- npm start   # inject secrets, run command

  That's basically it. Secrets are encrypted client-side (AES-256-GCM) before leaving your machine. Zero-knowledge architecture—we can't read your secrets even if we wanted to.

  Technical details:
  - Single Rust binary, no runtime dependencies
  - Works offline (cached secrets)
  - RBAC for teams (owner/admin/member/viewer)
  - Service tokens for CI/CD
  - Full audit trail

  Honest tradeoffs:
  - SaaS only, no self-hosted option
  - Fewer integrations than Doppler
  - If you need dynamic secrets or PKI, use Vault

  Pricing: Free tier (3 projects, 100 secrets), $12/user/month for teams.

  Would love feedback on the CLI UX and any rough edges. Happy to answer questions about the architecture.

https://www.keyenv.dev

Comments

kxbnb•2w ago

Love the CLI-first approach for secrets. The Rust implementation should give you solid performance for dev workflows.

How does it handle rotation policies and audit logs? We've found that API key rotation is often where teams struggle with governance at keypost.ai.

Congrats on shipping!

ivannovazzi•2w ago

Thanks! Audit logs are fully implemented. One special focus is obviously on granular permissions on environment access. About rotation: that's going to be the next big feature, planning to ship within the next 15 days! Would really appreciate some usage feedback, service has been migrated on proper hardware and is now fully functional (no cold starts on free instances).

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Show HN: I spent 4 years building a UI design tool with only the features I use

Show HN: If you lose your memory, how to regain access to your computer?

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

Show HN: Smooth CLI – Token-efficient browser for AI agents

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: ARM64 Android Dev Kit

Show HN: Slack CLI for Agents

Show HN: Compile-Time Vibe Coding

Show HN: Artifact Keeper – Open-Source Artifactory/Nexus Alternative in Rust

Show HN: Gigacode – Use OpenCode's UI with Claude Code/Codex/Amp

Show HN: Slop News – HN front page now, but it's all slop

Show HN: Horizons – OSS agent execution engine

Show HN: Daily-updated database of malicious browser extensions

Show HN: Fitspire – a simple 5-minute workout app for busy people (iOS)

Show HN: Micropolis/SimCity Clone in Emacs Lisp

Show HN: I built a RAG engine to search Singaporean laws

Show HN: Sem – Semantic diffs and patches for Git

Show HN: BioTradingArena – Benchmark for LLMs to predict biotech stock movements

Show HN: Falcon's Eye (isometric NetHack) running in the browser via WebAssembly

Show HN: Local task classifier and dispatcher on RTX 3080

Show HN: FastLog: 1.4 GB/s text file analyzer with AVX2 SIMD

Show HN: Gohpts tproxy with arp spoofing and sniffing got a new update

Show HN: A password system with no database, no sync, and nothing to breach

Show HN: I built a directory of $1M+ in free credits for startups

Show HN: GitClaw – An AI assistant that runs in GitHub Actions

Show HN: A Kubernetes Operator to Validate Jupyter Notebooks in MLOps

Show HN: 33rpm – A vinyl screensaver for macOS that syncs to your music

Show HN: Chiptune Tracker

Show HN: Craftplan – I built my wife a production management tool for her bakery