envstash 0.1.4

Manage .env files across git branches with versioning, diffing, and optional encryption
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218

# envstash

A CLI tool for managing `.env` files across git branches. Save, version, diff, restore, and share environment variables with optional encryption.

## Install

**From crates.io:**

```bash
cargo install envstash
```

**Pre-built binaries:**

Download the latest release from [GitHub Releases](https://github.com/franzos/envstash/releases) and extract the binary to a directory in your `PATH`:

```bash
# macOS (Apple Silicon)
curl -sL https://github.com/franzos/envstash/releases/latest/download/envstash-aarch64-apple-darwin.tar.gz | tar xz
sudo mv envstash /usr/local/bin/

# macOS (Intel)
curl -sL https://github.com/franzos/envstash/releases/latest/download/envstash-x86_64-apple-darwin.tar.gz | tar xz
sudo mv envstash /usr/local/bin/

# Linux (x86_64)
curl -sL https://github.com/franzos/envstash/releases/latest/download/envstash-x86_64-unknown-linux-gnu.tar.gz | tar xz
sudo mv envstash /usr/local/bin/
```

**Debian/Ubuntu:**

Download the `.deb` from [GitHub Releases](https://github.com/franzos/envstash/releases) and install:

```bash
sudo dpkg -i envstash_*_amd64.deb
```

**Fedora/RHEL:**

Download the `.rpm` from [GitHub Releases](https://github.com/franzos/envstash/releases) and install:

```bash
sudo rpm -i envstash-*.x86_64.rpm
```

## Quick start

```bash
# Initialize the store
envstash init

# Save the current .env file
envstash save

# Save with a note
envstash save -m "trying new DB config"

# List saved versions
envstash list

# Restore a saved version
envstash apply 1

# See what changed between versions
envstash diff 1 2
```

## Features

- **Version .env files** per git branch and commit
- **Diff** variables by name (order-independent)
- **Restore** saved versions to disk, or inject into the shell environment
- **Share** exports with teammates (with optional GPG or password encryption)
- **Dump/load** the entire store for backup and migration
- **Works outside git repos** using folder path as identifier

## Commands

| Command | Description |
|---------|-------------|
| `envstash init` | Initialize the store (choose encryption mode) |
| `envstash save [file] [-m msg]` | Save a `.env` file with optional message |
| `envstash list` | List saved versions on the current branch |
| `envstash diff <a> <b>` | Diff two versions (by number or hash) |
| `envstash apply <version>` | Restore a version to disk |
| `envstash env [version]` | Print `export` statements for shell eval |
| `envstash exec [version] -- <cmd>` | Run a command with saved env vars |
| `envstash history` | Show what changed between consecutive versions |
| `envstash delete <version>` | Remove saved versions |
| `envstash global` | List all projects with saved .env files |
| `envstash share [--to <target>]` | Export a version for sharing |
| `envstash import [--from <source>]` | Import a shared export |
| `envstash dump <path>` | Export the entire store |
| `envstash load <path>` | Import a full dump |

## Encryption

Three modes, chosen at init time:

```bash
envstash init                                    # no encryption
envstash init --encrypt gpg --recipient <key_id> # GPG (supports Yubikey)
envstash init --encrypt password                 # password-based (argon2id)
```

Running `envstash init --encrypt gpg` without `--recipient` lists available GPG keys.

Architecture (inspired by [Tomb](https://github.com/dyne/Tomb)):
- A random AES-256-GCM key encrypts variable values at rest
- The AES key is wrapped with GPG or a password-derived key
- Metadata (branches, timestamps, file paths) stays plaintext for fast queries
- GPG mode: one Yubikey touch per gpg-agent cache window, not per operation

The key file location can be overridden with `--key-file` or `ENVSTASH_KEY_FILE`.

## Shell integration

```bash
# Load variables into current shell
eval $(envstash env)

# Run a one-off command with saved variables
envstash exec -- npm start

# Isolated mode (only saved variables, no inherited env)
envstash exec --isolated -- npm test
```

Supports `bash`, `fish`, and `json` output via `--shell`.

## Sharing

```bash
# Export latest version to stdout
envstash share > export.env

# Encrypted export (password)
envstash share --encrypt --encryption-method password > export.enc

# Encrypted export (GPG, one or more recipients)
envstash share --encrypt --recipient <key_id> > export.gpg

# Import
envstash import export.env
cat export.enc | envstash import --password secret

# Full store backup
envstash dump backup.json
envstash load backup.json
```

### Remote sharing

Share and import via paste services, GitHub Gists, email, or SSH:

```bash
# Upload to 0x0.st (default paste service)
envstash share --to
# Custom paste instance
envstash share --to https://my.paste.service

# Import from a URL (paste, raw gist, etc.)
envstash import --from https://0x0.st/abc.env

# Create a GitHub Gist (requires `gh auth login`)
envstash share --to gist
# Public gist
envstash share --to gist --public
# Import from a gist URL
envstash import --from https://gist.github.com/user/abc123

# Send via email (uses msmtp or sendmail)
envstash share --to email:teammate@example.com

# Pipe to remote envstash via SSH
envstash share --to ssh://user@server
# Pipe from remote envstash via SSH
envstash import --from ssh://user@server
```

All transport backends work with encryption:

```bash
envstash share --encrypt --encryption-method password --to
envstash import --from https://0x0.st/abc.env --password secret
```

The default target for bare `--to` can be changed in `~/.config/envstash/config.toml`:

```toml
[share]
default_to = "https://my.paste.service"
# or any other target: "ssh://user@host", "gist", "email:team@example.com"

[share.headers]
Authorization = "Bearer mytoken"
```

## Storage

Data lives in `~/.local/share/envstash/`:

```
~/.local/share/envstash/
├── store.db    # SQLite (mode 0600)
└── key.gpg     # AES key wrapped in GPG/password (mode 0600)
```

## Building

```bash
cargo build --release
```

## License

GPL-3.0