# enseal
[](https://github.com/FlerAlex/enseal/actions/workflows/ci.yml)
[](https://github.com/FlerAlex/enseal/actions/workflows/release.yml)
[](https://crates.io/crates/enseal)
[](LICENSE)
> **Beta:** enseal is under active development. APIs and CLI flags may change between releases.
Secure, ephemeral secret sharing for developers.
Stop pasting secrets into Slack. `enseal` makes the secure path faster than the insecure one — share `.env` files and secrets through encrypted, single-use channels with one command and zero setup.
```bash
# sender
$ enseal share .env
Share code: 7-guitarist-revenge
Secrets: 14 variables (staging)
Expires: on first receive
# recipient
$ enseal receive 7-guitarist-revenge
ok: 14 secrets written to .env
```
## Installation
### From crates.io
```bash
cargo install enseal
```
### From source
```bash
git clone https://github.com/FlerAlex/enseal.git
cd enseal
cargo build --release
# binary at ./target/release/enseal
```
### Prebuilt binaries
Download from [GitHub Releases](https://github.com/FlerAlex/enseal/releases) for Linux (x86_64, aarch64), macOS (Intel, Apple Silicon), and Windows.
## Quick Start
### Anonymous mode (zero setup)
Share secrets using a one-time code. No keys, no accounts — works immediately.
```bash
# terminal 1 (sender)
enseal share .env
Share code: 7-guitarist-revenge
Secrets: 14 variables
Expires: on first receive
# terminal 2 (recipient) — enter the code
enseal receive 7-guitarist-revenge
ok: 14 secrets written to .env
```
Works with single secrets too:
```bash
# terminal 1 — pipe a token
# terminal 2 — prints to stdout
enseal receive 4-orbital-hammock
my-api-token
```
Both terminals must be open at the same time — the sender waits until the recipient connects.
### Identity mode (key-based, no codes)
For teams with established key trust. Encrypt to a name, no coordination needed.
```bash
# one-time setup
enseal keys init
enseal keys export > my-key.pub # share this with teammates
enseal keys import teammate-key.pub # import theirs
# sender encrypts to recipient by name
enseal share .env --to sarah
# or push through the public relay (no codes at all)
enseal share .env --to sarah --relay wss://relay.enseal.dev
# or produce an encrypted file (no network)
enseal share .env --to sarah --output ./drop/
```
### Inject secrets into a process (never touch disk)
```bash
# anonymous mode: sender gives you a code
enseal inject 7-guitarist-revenge -- npm start
# identity mode: listen on relay, sender pushes when ready
enseal inject --listen --relay wss://relay.enseal.dev -- docker compose up
# from an encrypted file drop
enseal inject ./staging.env.age -- python manage.py runserver
```
Secrets exist only in the child process's memory. When it exits, they're gone.
## Features
### Two Sharing Modes
**Anonymous mode** (default) — wormhole-based, zero setup. A human-readable code is all you need. SPAKE2 mutual authentication prevents MITM attacks.
```bash
enseal share .env # generates wormhole code
enseal receive 7-guitarist-revenge # uses code
```
With `--relay`, anonymous mode bypasses wormhole and uses the enseal relay transport instead. Both sides must use the same relay:
```bash
enseal share .env --relay ws://relay.internal:4443 # generates channel code
enseal receive 3421-amber-frost --relay ws://relay.internal:4443
```
**Identity mode** — public-key encryption for known teammates. Encrypt to a name.
```bash
enseal keys init # one-time setup
enseal share .env --to sarah # encrypt to sarah's public key
```
Identity mode supports three transport options:
```bash
# wormhole (default, no --relay): generates a code like anonymous mode
enseal share .env --to sarah
# relay push (with --relay): zero codes, pushes directly to recipient's channel
enseal share .env --to sarah --relay wss://relay.enseal.dev
# file drop (with --output): no network, produces encrypted file
enseal share .env --to sarah --output ./drop/
# produces ./drop/sarah@company.com.env.age
```
### Flexible Input
enseal accepts secrets from multiple sources:
```bash
# .env file (default)
enseal share .env
enseal share staging.env
# environment profile
enseal share --env staging # resolves to .env.staging
# pipe from stdin
pass show stripe/key | enseal share --to sarah
# inline (careful — visible in shell history)
enseal share --secret "API_KEY=sk_live_abc123"
# wrap raw string as KEY=VALUE
### Variable Interpolation
`${VAR}` references are resolved before sending so recipients get fully expanded values:
```env
DB_HOST=postgres.internal
DB_PORT=5432
DATABASE_URL=postgres://user:pass@${DB_HOST}:${DB_PORT}/myapp
```
Supports `${VAR:-default}` fallback syntax. Circular and forward references are detected and rejected. Use `--no-interpolate` to send raw `${VAR}` syntax.
### Filtering
Control which variables are sent:
```bash
# exclude public/non-secret vars
enseal share .env --exclude "^PUBLIC_|^NEXT_PUBLIC_"
# send only matching vars
enseal share .env --include "^DB_|^API_"
# skip .env parsing entirely (send raw file)
enseal share .env --no-filter
```
### Smart Receive
Output adapts to what was sent:
```bash
# .env payload -> writes to file
enseal receive CODE
ok: 14 secrets written to .env
# write to specific file
enseal receive CODE --output staging.env
# raw string -> prints to stdout (pipe-friendly)
enseal receive CODE
sk_live_abc123
# force clipboard
enseal receive CODE --clipboard
ok: copied to clipboard
# force stdout for any payload
enseal receive CODE --no-write
# receive from encrypted file drop (identity mode)
enseal receive ./staging.env.age
ok: signature verified, file decrypted
ok: 14 secrets written to .env
```
### Inject
Receive secrets and inject them directly as environment variables into a child process. Secrets never touch the filesystem.
```bash
# anonymous mode: inject via wormhole code
enseal inject 7-guitarist-revenge -- npm start
# identity mode: listen for incoming transfer on relay
enseal inject --listen --relay wss://relay.enseal.dev -- docker compose up
# from encrypted file drop
enseal inject ./staging.env.age -- python manage.py runserver
```
With `--listen`, the receiver connects to the relay and waits. The sender pushes with `enseal share .env --to alex --relay wss://relay.enseal.dev` — no codes exchanged, zero coordination needed.
### .env Toolkit
Beyond sharing, enseal is a complete `.env` security toolkit:
```bash
# check: verify your .env has all required vars
enseal check
error: missing from .env (present in .env.example):
JWT_SECRET, REDIS_URL
# diff: compare two .env files (keys only, never values)
enseal diff .env.development .env.staging
+ REDIS_CLUSTER_URL (only in staging)
- DEBUG (only in development)
# redact: strip values for safe sharing of structure
enseal redact .env
DATABASE_URL=<REDACTED>
API_KEY=<REDACTED>
PORT=<REDACTED>
# validate: check values against schema rules
enseal validate .env
error: missing required: JWT_SECRET
error: PORT value "abc" is not an integer
ok: 11/14 variables passed validation
# template: generate .env.example with type hints
enseal template .env
# DATABASE_URL=<postgres connection string>
# API_KEY=<32+ character string>
# PORT=<integer, 1024-65535>
```
### At-Rest Encryption
Encrypt `.env` files for safe git storage using age encryption:
```bash
# whole-file encryption
enseal encrypt .env
ok: .env encrypted in-place (14 variables, age key)
enseal decrypt .env
# per-variable: keys visible for diffing, values encrypted
enseal encrypt .env --per-var
# DB_HOST=ENC[age:abc123...]
# DB_PORT=ENC[age:def456...]
# multi-recipient: anyone on the team can decrypt
enseal encrypt .env --to sarah --to alex
```
### Identity & Key Management
```bash
# generate your keypair
enseal keys init
# share your public key with teammates
enseal keys export > my-key.pub
# import a teammate's key (shows fingerprint, prompts for confirmation)
enseal keys import sarah.pub
# list all trusted keys and aliases
enseal keys list
# show your key fingerprint (for out-of-band verification)
enseal keys fingerprint
# remove a trusted key
enseal keys remove sarah@company.com
# create aliases for convenience
enseal keys alias sarah sarah@company.com
# create groups for multi-recipient sharing
enseal keys group create backend-team
enseal keys group add backend-team sarah
enseal keys group add backend-team alex
enseal keys group list backend-team
enseal share .env --to backend-team
# delete a group
enseal keys group delete backend-team
```
### Public Relay
A free public relay is available at `wss://relay.enseal.dev`. Use it for quick testing or when you don't need a private relay.
```bash
# check relay health
curl https://relay.enseal.dev/health
# use it for identity-mode transfers
enseal share .env --to sarah --relay wss://relay.enseal.dev
enseal inject --listen --relay wss://relay.enseal.dev -- npm start
# or set it globally
export ENSEAL_RELAY=wss://relay.enseal.dev
```
#### Try it yourself
```bash
# 1. generate keys (one-time)
enseal keys init
# 2. export and import your own key (for self-testing)
enseal keys export > /tmp/mykey.pub
enseal keys import /tmp/mykey.pub
# enter an alias when prompted (e.g. "mykey")
# 3. test file drop (no network needed)
enseal share --secret "TEST=works" --to mykey --output /tmp/
enseal receive /tmp/mykey.env.age
# 4. test relay push (two terminals)
# terminal 1 (receiver):
enseal share --secret "TEST=relay_works" --to mykey --relay wss://relay.enseal.dev
```
### Self-Hosted Relay
Keep everything inside your network. The relay is stateless — it sees only ciphertext.
```bash
# Docker (one command)
docker run -d -p 4443:4443 enseal/relay
# Or as a binary
enseal serve --port 4443
# Check relay health
curl http://localhost:4443/health
```
`enseal serve` speaks plain WebSocket (`ws://`). For TLS, put a reverse proxy (Caddy, nginx) in front and connect with `wss://`.
With `--relay` set, all modes route through your relay:
```bash
# Anonymous mode — generates enseal channel code instead of wormhole code
enseal share .env --relay ws://relay.internal:4443
# info: Share code: 3421-amber-frost
enseal receive 3421-amber-frost --relay ws://relay.internal:4443
# Or set globally
export ENSEAL_RELAY=ws://relay.internal:4443
enseal share .env
```
Identity mode with a self-hosted relay is fully codeless:
```bash
# receiver listens on the relay
enseal inject --listen --relay ws://relay.internal:4443 -- npm start
# sender pushes directly — no code generated
enseal share .env --to alex --relay ws://relay.internal:4443
ok: pushed to alex
```
### Schema Validation
Define rules in `.enseal.toml` at the project root:
```toml
[schema]
required = ["DATABASE_URL", "API_KEY", "JWT_SECRET"]
[schema.rules.DATABASE_URL]
pattern = "^postgres://"
description = "PostgreSQL connection string"
[schema.rules.PORT]
type = "integer"
range = [1024, 65535]
[schema.rules.API_KEY]
min_length = 32
```
Then validate:
```bash
enseal validate .env
```
Validation also runs automatically when receiving `.env` files — catching broken configs before they cause confusion.
### Environment Profiles
```bash
enseal share --env staging # shares .env.staging
enseal validate --env production # validates .env.production
enseal diff .env.development .env.production
```
## How It Works
### Anonymous Mode
**Wormhole (default, no `--relay`):**
1. Sender encrypts the payload with `age`
2. A SPAKE2 key exchange establishes a shared secret via the public wormhole relay
3. The encrypted payload transits through the relay
4. Recipient decrypts with the negotiated key
5. The channel is destroyed — single use, time-limited
The relay never sees plaintext. The wormhole code provides mutual authentication.
**Enseal relay (`--relay`):**
1. Sender encrypts the payload with `age` and sends it to the enseal relay under a generated channel code
2. Recipient connects to the same relay with the same code and receives the payload
3. The channel is consumed on first receive
There is no SPAKE2 in this mode — the channel code is the only credential.
### Identity Mode (Public Key)
1. Sender encrypts with the recipient's `age` public key
2. Sender signs with their own `ed25519` key
3. Payload transits through relay, file drop, or wormhole
4. Recipient decrypts with their private key
5. Recipient verifies the sender's signature
Trust is based on which keys you've imported.
**Transport options in identity mode:**
| Wormhole (default) | `--to sarah` | Generates a code, like anonymous mode but with signing |
| Relay push | `--to sarah --relay URL` | Pushes to recipient's deterministic channel, no code |
| File drop | `--to sarah --output ./dir/` | Produces encrypted `.env.age` file, no network |
With relay push, the recipient listens with `enseal inject --listen --relay URL -- cmd` or receives the file drop with `enseal receive ./file.env.age`.
## Security Model
**Protected:**
- Secrets in transit (encrypted channel)
- Secrets in Slack/email history (ephemeral, no persistence)
- MITM attacks (SPAKE2 / public key auth)
- Malicious relay (E2E encryption, relay sees ciphertext only)
- Sender impersonation (identity mode: ed25519 signatures)
- Secrets on disk (inject mode: process memory only)
- Secrets in git (encrypt: at-rest encryption)
**Not protected:**
- Compromised endpoints (if the machine is owned, nothing helps)
- Key distribution (you trust the keys you import — no PKI, no CA)
## Configuration
Optional `.enseal.toml` in your project root:
```toml
[defaults]
relay = "wss://relay.enseal.dev" # public relay (identity mode)
# relay = "ws://relay.internal:4443" # self-hosted without TLS
# relay = "wss://relay.internal:4443" # self-hosted with TLS reverse proxy
[filter]
exclude = ["^PUBLIC_", "^NEXT_PUBLIC_", "^REACT_APP_"]
[identity]
default_recipient = "devops-team"
[schema]
required = ["DATABASE_URL", "API_KEY", "JWT_SECRET"]
```
## CLI Reference
```
CORE
enseal share [<file>] Send secrets (file, pipe, or --secret)
enseal receive [<code|file>] Receive secrets
enseal inject [<code>] -- <cmd> Inject secrets into a process
enseal keys <subcommand> Manage identity keys and aliases
enseal serve Run self-hosted relay server
.ENV TOOLKIT
enseal check [file] Verify .env has all vars from .env.example
enseal diff <file1> <file2> Compare .env files (keys only)
enseal redact <file> Replace values with <REDACTED>
enseal validate <file> Validate against schema rules
enseal template <file> Generate .env.example with type hints
ENCRYPTION
enseal encrypt <file> Encrypt .env for git storage
enseal decrypt <file> Decrypt an encrypted .env
```
### `share` flags
```
--to <name> Identity mode: encrypt to recipient (alias, group, or identity)
--output <dir> File drop: write encrypted file (identity mode, no network)
--secret <value> Inline secret (raw string or KEY=VALUE)
--label <name> Human label for raw/piped secrets
--as <KEY> Wrap raw input as KEY=<value>
--relay <url> Route through relay server. Anonymous mode: uses enseal relay transport
(generates channel code, bypasses wormhole). Identity mode: push to
recipient's channel. Also: ENSEAL_RELAY env var.
--env <profile> Environment profile (resolves to .env.<profile>)
--exclude <pattern> Regex to exclude vars
--include <pattern> Regex to include only matching vars
--no-filter Send raw file, skip .env parsing
--no-interpolate Don't resolve ${VAR} references before sending
--words <n> Words in wormhole code (2-5, default: 2). Wormhole mode only (no --relay).
--quiet / -q Minimal output
```
### `receive` flags
```
--output <path> Write to specific file
--clipboard Copy to clipboard instead of stdout/file
--no-write Print to stdout even for .env payloads
--relay <url> Use specific relay server
--quiet / -q Minimal output
```
### `inject` flags
```
--listen Listen for incoming identity-mode transfer (requires --relay)
--relay <url> Use specific relay server (also: ENSEAL_RELAY)
--quiet / -q Minimal output
```
### `keys` subcommands
```
enseal keys init Generate your keypair
enseal keys export Print your public key bundle
enseal keys import <file> Import a colleague's public key
enseal keys list Show all trusted keys and aliases
enseal keys remove <identity> Remove a trusted key
enseal keys fingerprint Show your key fingerprint
enseal keys alias <name> <identity> Map short name to identity
enseal keys group create <name> Create a named group
enseal keys group add <group> <id> Add identity to group
enseal keys group remove <group> <id> Remove identity from group
enseal keys group list [name] List groups or group members
enseal keys group delete <name> Delete a group
```
### `serve` flags
```
--port <port> Listen port (default: 4443)
--bind <addr> Bind address (default: 0.0.0.0)
--max-mailboxes <n> Max concurrent channels (default: 100)
--channel-ttl <seconds> Idle channel lifetime (default: 300)
--max-payload <bytes> Max WebSocket message size (default: 1048576)
--rate-limit <n> Max connections per minute per IP (default: 10)
--health Print server health check and exit
```
### `encrypt` / `decrypt` flags
```
--per-var Per-variable encryption (keys visible, values encrypted)
--to <name> Encrypt to specific recipients (multi-key)
```
### Global flags
```
--verbose / -v Debug output (never prints secret values)
--quiet / -q Minimal output (for scripting)
```
## Comparison
| Zero setup | Yes | Yes | No | No | Yes |
| End-to-end encrypted | Yes | No | Yes | N/A | Yes |
| Ephemeral (no history) | Yes | No | Yes | N/A | Yes |
| .env aware | Yes | No | No | Yes | No |
| Process injection | Yes | No | No | Yes | No |
| Schema validation | Yes | No | No | No | No |
| At-rest encryption | Yes | N/A | N/A | Yes | No |
| Self-hostable relay | Yes | No | No | N/A | Yes |
| Raw string/pipe support | Yes | Yes | No | No | Yes |
## Roadmap
- **v0.1** — Core: share/receive, pipe/stdin, .env toolkit (check, diff, redact) *(done)*
- **v0.2** — Identity mode: keys, aliases, `--to` flag *(done)*
- **v0.3** — Inject command, self-hosted relay *(done)*
- **v0.4** — Schema validation, templates, interpolation, profiles *(done)*
- **v0.5** — At-rest encryption (encrypt/decrypt) *(done)*
- **v0.10** — Groups, Helm chart, docs *(done)*
- **v0.11** — Security hardening, docs sync *(done)*
- **v0.12** — .enseal.toml wired up, private relay for anonymous mode *(current)*
- **v1.0** — crates.io publish, shell completions, final polish
## License
MIT