cred

Encrypted local secrets → Deployment platforms.

What it is

cred stores encrypted secrets locally and safely pushes them to target platforms on demand.

⚠️ Status: Early Preview (v0.13.0) — The on-disk format, CLI surface, and security model may change between minor versions.

What it's not

A hosted secrets manager
A multi-user access control system
A replacement for HashiCorp Vault or AWS Secrets Manager
A runtime secret injector

Who it's for

Solo developers managing secrets on a single machine
Open-source maintainers who push secrets to deployment platforms
Anyone who wants local-first secrets without running infrastructure

Install

Homebrew:

brew tap edneedham/cred
brew install edneedham/cred/cred

Shell:

curl -fsSL https://raw.githubusercontent.com/edneedham/cred/main/scripts/install.sh | sh -s

Cargo:

cargo install cred

Pre-built binaries: GitHub Releases

Quick Start

# Initialize a project (auto-detects targets from git, fly.toml, etc.)
cred init

# Authenticate with a target (per-project, fine-grained token)
cred target set github

# Store a secret
cred secret set DATABASE_URL "postgres://..."

# Push to GitHub (no --repo needed, uses saved binding)
cred push github

See the Getting Started guide for more.

Features

Encrypted vault — Secrets stored locally with ChaCha20-Poly1305
Environments — Organize secrets by context (dev, staging, prod)
Version history — Track changes, rollback to previous versions
Sources — Generate credentials from APIs (Resend)
Targets — Push secrets to deployment platforms (GitHub Actions, Vercel, Fly.io)
OS keyring — Tokens stored in macOS Keychain, GNOME Keyring, or Windows Credential Manager
Automation-ready — --json, --dry-run, --non-interactive flags

Documentation

License

Licensed under either of:

Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
MIT License (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your choice.

cred 0.13.0