envstash
Install
| Method | Command |
|---|---|
| Cargo | cargo install envstash |
| Homebrew | brew tap franzos/tap && brew install envstash |
| Debian/Ubuntu | Download .deb — sudo dpkg -i envstash_*_amd64.deb |
| Fedora/RHEL | Download .rpm — sudo rpm -i envstash-*.x86_64.rpm |
| Guix | guix install -L <panther> envstash (Panther channel) |
Pre-built binaries for Linux (x86_64), macOS (Apple Silicon, Intel) on GitHub Releases.
Quick start
# Initialize the store
# Save the current .env file
# Save with a note
# List saved versions
# Restore a saved version (by hash prefix, or number)
# See what changed between versions
Versions can be referenced by hash prefix (stable, tab-completable) or by number (convenient shortcut, but changes as new versions are saved).
Features
- Version .env files per git branch and commit
- Diff variables by name (order-independent)
- Restore saved versions to disk, or inject into the shell environment
- Send/receive exports with teammates (with optional GPG or password encryption)
- Dump/load the entire store for backup and migration
- Works outside git repos using folder path as identifier
Commands
| Command | Description |
|---|---|
envstash init |
Initialize the store (choose encryption mode) |
envstash save [file] [-m msg] |
Save a .env file with optional message |
envstash ls |
List saved versions on the current branch |
envstash diff <a> <b> |
Diff two versions (by hash prefix) |
envstash checkout <version> |
Restore a version to disk |
envstash env [version] |
Print export statements for shell eval |
envstash exec [version] -- <cmd> |
Run a command with saved env vars |
envstash log |
Show what changed between consecutive versions |
envstash rm <version> |
Remove saved versions |
envstash global |
List all projects with saved .env files |
envstash send [--to <target>] |
Send a version (stdout, paste, gist, email, ssh) |
envstash receive [--from <source>] |
Receive a shared version |
envstash dump <path> |
Export the entire store |
envstash load <path> |
Import a full dump |
envstash man |
Show usage examples and detailed guide |
Encryption
Three modes, chosen at init time:
Running envstash init --encrypt gpg without --recipient lists available GPG keys.
Architecture (inspired by Tomb):
- A random AES-256-GCM key encrypts variable values at rest
- The AES key is wrapped with GPG or a password-derived key
- Metadata (branches, timestamps, file paths) stays plaintext for fast queries
- GPG mode: one Yubikey touch per gpg-agent cache window, not per operation
The key file location can be overridden with --key-file or ENVSTASH_KEY_FILE.
Shell integration
# Load variables into current shell
# Run a one-off command with saved variables
# Isolated mode (only saved variables, no inherited env)
Supports bash, fish, and json output via --shell.
Tab completion
Enable tab-completion for version hashes (and all subcommands/flags):
# Bash (~/.bashrc)
# Zsh (~/.zshrc)
# Fish (~/.config/fish/config.fish)
| )
Sharing
# Export latest version to stdout
# Encrypted export (password)
# Encrypted export (GPG, one or more recipients)
# Receive
|
# Full store backup
Remote sharing
Send and receive via paste services, GitHub Gists, email, or SSH:
# Upload to 0x0.st (default paste service)
# Custom paste instance
# Receive from a URL (paste, raw gist, etc.)
# Create a GitHub Gist (requires `gh auth login`)
# Public gist
# Receive from a gist URL
# Send via email (uses msmtp or sendmail)
# Pipe to remote envstash via SSH
# Pipe from remote envstash via SSH
All transport backends work with encryption:
The default target for bare --to can be changed in ~/.config/envstash/config.toml:
[]
= "https://my.paste.service"
# or any other target: "ssh://user@host", "gist", "email:team@example.com"
[]
= "Bearer mytoken"
Storage
Data lives in ~/.local/share/envstash/:
~/.local/share/envstash/
├── store.db # SQLite (mode 0600)
└── key.gpg # AES key wrapped in GPG/password (mode 0600)
Building
# Network-dependent tests (paste, gist) are ignored by default
License
GPL-3.0