enseal 0.9.0

Secure, ephemeral secret sharing for developers
Documentation

enseal

CI Release Crates.io License: MIT

Secure, ephemeral secret sharing for developers.

Stop pasting secrets into Slack. enseal makes the secure path faster than the insecure one — share .env files and secrets through encrypted, single-use channels with one command and zero setup.

# sender
$ enseal share .env
  Share code:  7-guitarist-revenge
  Secrets:     14 variables (staging)
  Expires:     5 minutes or first receive

# recipient
$ enseal receive 7-guitarist-revenge
ok: 14 secrets written to .env

Installation

From crates.io

cargo install enseal

From source

git clone https://github.com/FlerAlex/enseal.git
cd enseal
cargo build --release
# binary at ./target/release/enseal

Prebuilt binaries

Download from GitHub Releases for Linux (x86_64, aarch64), macOS (Intel, Apple Silicon), and Windows.

Quick Start

Anonymous mode (zero setup)

Share secrets using a one-time code. No keys, no accounts — works immediately.

# terminal 1 (sender)
enseal share .env
  Share code:  7-guitarist-revenge
  Secrets:     14 variables
  Expires:     5 minutes or first receive

# terminal 2 (recipient) — enter the code
enseal receive 7-guitarist-revenge
ok: 14 secrets written to .env

Works with single secrets too:

# terminal 1 — pipe a token
echo "my-api-token" | enseal share --label "API key"
  Share code:  4-orbital-hammock

# terminal 2 — prints to stdout
enseal receive 4-orbital-hammock
my-api-token

Both terminals must be open at the same time — the sender waits until the recipient connects.

Identity mode (key-based, no codes)

For teams with established key trust. Encrypt to a name, no coordination needed.

# one-time setup
enseal keys init
enseal keys export > my-key.pub          # share this with teammates
enseal keys import teammate-key.pub      # import theirs

# sender encrypts to recipient by name
enseal share .env --to sarah

# or push through the public relay (no codes at all)
enseal share .env --to sarah --relay wss://relay.enseal.dev

# or produce an encrypted file (no network)
enseal share .env --to sarah --output ./drop/

Inject secrets into a process (never touch disk)

# anonymous mode: sender gives you a code
enseal inject 7-guitarist-revenge -- npm start

# identity mode: listen on relay, sender pushes when ready
enseal inject --listen --relay wss://relay.enseal.dev -- docker compose up

# from an encrypted file drop
enseal inject ./staging.env.age -- python manage.py runserver

Secrets exist only in the child process's memory. When it exits, they're gone.

Features

Two Sharing Modes

Anonymous mode (default) — wormhole-based, zero setup. A human-readable code is all you need. SPAKE2 mutual authentication prevents MITM attacks.

enseal share .env                         # generates code
enseal receive 7-guitarist-revenge        # uses code

Identity mode — public-key encryption for known teammates. Encrypt to a name.

enseal keys init                          # one-time setup
enseal share .env --to sarah              # encrypt to sarah's public key

Identity mode supports three transport options:

# wormhole (default, no --relay): generates a code like anonymous mode
enseal share .env --to sarah

# relay push (with --relay): zero codes, pushes directly to recipient's channel
enseal share .env --to sarah --relay wss://relay.enseal.dev

# file drop (with --output): no network, produces encrypted file
enseal share .env --to sarah --output ./drop/
# produces ./drop/sarah@company.com.env.age

Flexible Input

enseal accepts secrets from multiple sources:

# .env file (default)
enseal share .env
enseal share staging.env

# environment profile
enseal share --env staging               # resolves to .env.staging

# pipe from stdin
echo "sk_live_abc123" | enseal share
cat secrets.env | enseal share
pass show stripe/key | enseal share --to sarah

# inline (careful — visible in shell history)
enseal share --secret "API_KEY=sk_live_abc123"

# wrap raw string as KEY=VALUE
echo "sk_live_abc123" | enseal share --as STRIPE_KEY

Variable Interpolation

${VAR} references are resolved before sending so recipients get fully expanded values:

DB_HOST=postgres.internal
DB_PORT=5432
DATABASE_URL=postgres://user:pass@${DB_HOST}:${DB_PORT}/myapp

Supports ${VAR:-default} fallback syntax. Circular and forward references are detected and rejected. Use --no-interpolate to send raw ${VAR} syntax.

Filtering

Control which variables are sent:

# exclude public/non-secret vars
enseal share .env --exclude "^PUBLIC_|^NEXT_PUBLIC_"

# send only matching vars
enseal share .env --include "^DB_|^API_"

# skip .env parsing entirely (send raw file)
enseal share .env --no-filter

Smart Receive

Output adapts to what was sent:

# .env payload -> writes to file
enseal receive CODE
ok: 14 secrets written to .env

# write to specific file
enseal receive CODE --output staging.env

# raw string -> prints to stdout (pipe-friendly)
enseal receive CODE
sk_live_abc123

# force clipboard
enseal receive CODE --clipboard
ok: copied to clipboard

# force stdout for any payload
enseal receive CODE --no-write

# receive from encrypted file drop (identity mode)
enseal receive ./staging.env.age
ok: signature verified, file decrypted
ok: 14 secrets written to .env

Inject

Receive secrets and inject them directly as environment variables into a child process. Secrets never touch the filesystem.

# anonymous mode: inject via wormhole code
enseal inject 7-guitarist-revenge -- npm start

# identity mode: listen for incoming transfer on relay
enseal inject --listen --relay wss://relay.enseal.dev -- docker compose up

# from encrypted file drop
enseal inject ./staging.env.age -- python manage.py runserver

With --listen, the receiver connects to the relay and waits. The sender pushes with enseal share .env --to alex --relay wss://relay.enseal.dev — no codes exchanged, zero coordination needed.

.env Toolkit

Beyond sharing, enseal is a complete .env security toolkit:

# check: verify your .env has all required vars
enseal check
error: missing from .env (present in .env.example):
  JWT_SECRET, REDIS_URL

# diff: compare two .env files (keys only, never values)
enseal diff .env.development .env.staging
  + REDIS_CLUSTER_URL    (only in staging)
  - DEBUG                (only in development)

# redact: strip values for safe sharing of structure
enseal redact .env
  DATABASE_URL=<REDACTED>
  API_KEY=<REDACTED>
  PORT=<REDACTED>

# validate: check values against schema rules
enseal validate .env
  error: missing required: JWT_SECRET
  error: PORT value "abc" is not an integer
  ok: 11/14 variables passed validation

# template: generate .env.example with type hints
enseal template .env
  # DATABASE_URL=<postgres connection string>
  # API_KEY=<32+ character string>
  # PORT=<integer, 1024-65535>

At-Rest Encryption

Encrypt .env files for safe git storage using age encryption:

# whole-file encryption
enseal encrypt .env
ok: .env encrypted in-place (14 variables, age key)

enseal decrypt .env

# per-variable: keys visible for diffing, values encrypted
enseal encrypt .env --per-var
# DB_HOST=ENC[age:abc123...]
# DB_PORT=ENC[age:def456...]

# multi-recipient: anyone on the team can decrypt
enseal encrypt .env --to sarah --to alex

Identity & Key Management

# generate your keypair
enseal keys init

# share your public key with teammates
enseal keys export > my-key.pub

# import a teammate's key (shows fingerprint, prompts for confirmation)
enseal keys import sarah.pub

# list all trusted keys and aliases
enseal keys list

# show your key fingerprint (for out-of-band verification)
enseal keys fingerprint

# remove a trusted key
enseal keys remove sarah@company.com

# create aliases for convenience
enseal keys alias sarah sarah@company.com

# create groups for multi-recipient sharing
enseal keys group create backend-team
enseal keys group add backend-team sarah
enseal keys group add backend-team alex
enseal keys group list backend-team
enseal share .env --to backend-team

# delete a group
enseal keys group delete backend-team

Public Relay

A free public relay is available at wss://relay.enseal.dev. Use it for quick testing or when you don't need a private relay.

# check relay health
curl https://relay.enseal.dev/health

# use it for identity-mode transfers
enseal share .env --to sarah --relay wss://relay.enseal.dev
enseal inject --listen --relay wss://relay.enseal.dev -- npm start

# or set it globally
export ENSEAL_RELAY=wss://relay.enseal.dev

Try it yourself

# 1. generate keys (one-time)
enseal keys init

# 2. export and import your own key (for self-testing)
enseal keys export > /tmp/mykey.pub
enseal keys import /tmp/mykey.pub
#    enter an alias when prompted (e.g. "mykey")

# 3. test file drop (no network needed)
enseal share --secret "TEST=works" --to mykey --output /tmp/
enseal receive /tmp/mykey.env.age

# 4. test relay push (two terminals)
#    terminal 1 (receiver):
enseal inject --listen --relay wss://relay.enseal.dev -- env | grep TEST
#    terminal 2 (sender):
enseal share --secret "TEST=relay_works" --to mykey --relay wss://relay.enseal.dev

Self-Hosted Relay

Keep everything inside your network. The relay is stateless — it sees only ciphertext.

# Docker (one command)
docker run -d -p 4443:4443 enseal/relay

# Or as a binary
enseal serve --port 4443

# Check relay health
curl http://localhost:4443/health

# Clients point to your relay
enseal share .env --relay wss://relay.internal:4443
# or set it globally
export ENSEAL_RELAY=wss://relay.internal:4443

With identity mode and a self-hosted relay, sharing is fully codeless:

# receiver listens on the relay
enseal inject --listen --relay wss://relay.internal:4443 -- npm start

# sender pushes directly — no code generated
enseal share .env --to alex --relay wss://relay.internal:4443
ok: pushed to alex

Schema Validation

Define rules in .enseal.toml at the project root:

[schema]
required = ["DATABASE_URL", "API_KEY", "JWT_SECRET"]

[schema.rules.DATABASE_URL]
pattern = "^postgres://"
description = "PostgreSQL connection string"

[schema.rules.PORT]
type = "integer"
range = [1024, 65535]

[schema.rules.API_KEY]
min_length = 32

Then validate:

enseal validate .env

Validation also runs automatically when receiving .env files — catching broken configs before they cause confusion.

Environment Profiles

enseal share --env staging              # shares .env.staging
enseal validate --env production        # validates .env.production
enseal diff .env.development .env.production

How It Works

Anonymous Mode (Wormhole)

  1. Sender encrypts the payload with age
  2. A SPAKE2 key exchange establishes a shared secret via the relay
  3. The encrypted payload transits through the relay
  4. Recipient decrypts with the negotiated key
  5. The channel is destroyed — single use, time-limited

The relay never sees plaintext. The wormhole code provides mutual authentication.

Identity Mode (Public Key)

  1. Sender encrypts with the recipient's age public key
  2. Sender signs with their own ed25519 key
  3. Payload transits through relay, file drop, or wormhole
  4. Recipient decrypts with their private key
  5. Recipient verifies the sender's signature

Trust is based on which keys you've imported.

Transport options in identity mode:

Transport Flag How it works
Wormhole (default) --to sarah Generates a code, like anonymous mode but with signing
Relay push --to sarah --relay URL Pushes to recipient's deterministic channel, no code
File drop --to sarah --output ./dir/ Produces encrypted .env.age file, no network

With relay push, the recipient listens with enseal inject --listen --relay URL -- cmd or receives the file drop with enseal receive ./file.env.age.

Security Model

Protected:

  • Secrets in transit (encrypted channel)
  • Secrets in Slack/email history (ephemeral, no persistence)
  • MITM attacks (SPAKE2 / public key auth)
  • Malicious relay (E2E encryption, relay sees ciphertext only)
  • Sender impersonation (identity mode: ed25519 signatures)
  • Secrets on disk (inject mode: process memory only)
  • Secrets in git (encrypt: at-rest encryption)

Not protected:

  • Compromised endpoints (if the machine is owned, nothing helps)
  • Key distribution (you trust the keys you import — no PKI, no CA)

Configuration

Optional .enseal.toml in your project root:

[defaults]
relay = "wss://relay.enseal.dev"     # or your self-hosted relay
timeout = 600

[filter]
exclude = ["^PUBLIC_", "^NEXT_PUBLIC_", "^REACT_APP_"]

[identity]
default_recipient = "devops-team"

[schema]
required = ["DATABASE_URL", "API_KEY", "JWT_SECRET"]

CLI Reference

CORE
  enseal share [<file>]              Send secrets (file, pipe, or --secret)
  enseal receive [<code|file>]       Receive secrets
  enseal inject [<code>] -- <cmd>    Inject secrets into a process
  enseal keys <subcommand>           Manage identity keys and aliases
  enseal serve                       Run self-hosted relay server

.ENV TOOLKIT
  enseal check [file]                Verify .env has all vars from .env.example
  enseal diff <file1> <file2>        Compare .env files (keys only)
  enseal redact <file>               Replace values with <REDACTED>
  enseal validate <file>             Validate against schema rules
  enseal template <file>             Generate .env.example with type hints

ENCRYPTION
  enseal encrypt <file>              Encrypt .env for git storage
  enseal decrypt <file>              Decrypt an encrypted .env

share flags

--to <name>              Identity mode: encrypt to recipient (alias, group, or identity)
--output <dir>           File drop: write encrypted file (identity mode, no network)
--secret <value>         Inline secret (raw string or KEY=VALUE)
--label <name>           Human label for raw/piped secrets
--as <KEY>               Wrap raw input as KEY=<value>
--relay <url>            Use specific relay server (also: ENSEAL_RELAY)
--env <profile>          Environment profile (resolves to .env.<profile>)
--exclude <pattern>      Regex to exclude vars
--include <pattern>      Regex to include only matching vars
--no-filter              Send raw file, skip .env parsing
--no-interpolate         Don't resolve ${VAR} references before sending
--words <n>              Number of words in wormhole code (default: 2)
--timeout <seconds>      Channel expiry (default: 300)
--quiet / -q             Minimal output

receive flags

--output <path>          Write to specific file
--clipboard              Copy to clipboard instead of stdout/file
--no-write               Print to stdout even for .env payloads
--relay <url>            Use specific relay server
--quiet / -q             Minimal output

inject flags

--listen                 Listen for incoming identity-mode transfer (requires --relay)
--relay <url>            Use specific relay server (also: ENSEAL_RELAY)
--quiet / -q             Minimal output

keys subcommands

enseal keys init                         Generate your keypair
enseal keys export                       Print your public key bundle
enseal keys import <file>                Import a colleague's public key
enseal keys list                         Show all trusted keys and aliases
enseal keys remove <identity>            Remove a trusted key
enseal keys fingerprint                  Show your key fingerprint
enseal keys alias <name> <identity>      Map short name to identity
enseal keys group create <name>          Create a named group
enseal keys group add <group> <id>       Add identity to group
enseal keys group remove <group> <id>    Remove identity from group
enseal keys group list [name]            List groups or group members
enseal keys group delete <name>          Delete a group

serve flags

--port <port>            Listen port (default: 4443)
--bind <addr>            Bind address (default: 0.0.0.0)
--max-mailboxes <n>      Max concurrent channels (default: 100)
--channel-ttl <seconds>  Idle channel lifetime (default: 300)
--max-payload <bytes>    Max WebSocket message size (default: 1048576)
--rate-limit <n>         Max connections per minute per IP (default: 10)
--health                 Print server health check and exit

encrypt / decrypt flags

--per-var                Per-variable encryption (keys visible, values encrypted)
--to <name>              Encrypt to specific recipients (multi-key)

Global flags

--verbose / -v           Debug output (never prints secret values)
--quiet / -q             Minimal output (for scripting)
--config <path>          Path to .enseal.toml manifest

Comparison

enseal Slack DM 1Password Share dotenvx croc
Zero setup Yes Yes No No Yes
End-to-end encrypted Yes No Yes N/A Yes
Ephemeral (no history) Yes No Yes N/A Yes
.env aware Yes No No Yes No
Process injection Yes No No Yes No
Schema validation Yes No No No No
At-rest encryption Yes N/A N/A Yes No
Self-hostable relay Yes No No N/A Yes
Raw string/pipe support Yes Yes No No Yes

Roadmap

  • v0.1 — Core: share/receive, pipe/stdin, .env toolkit (check, diff, redact)
  • v0.2 — Identity mode: keys, aliases, --to flag
  • v0.3 — Inject command, self-hosted relay
  • v0.4 — Schema validation, templates, interpolation, profiles
  • v0.5 — At-rest encryption (encrypt/decrypt)
  • v1.0 — Groups, Helm chart, shell completions, docs

License

MIT