Getting started
Install
Section titled “Install”npm i -g hushenvCreate the vault
Section titled “Create the vault”hushenv initThis generates a master key, stores it in your OS keychain (macOS Keychain or Windows Credential Manager), and creates an empty vault at ~/.hushenv/vault.json. On Linux or in CI, where there is no OS keychain, supply the key through HUSHENV_MASTER_KEY instead — see Core concepts.
Store a secret
Section titled “Store a secret”hushenv set DB_PASSWORDYou’ll be prompted for the value with a hidden input — it never appears in your shell history. To pipe a value in instead:
echo 'my-secret-value' | hushenv set DB_PASSWORD --stdinReference it in .env
Section titled “Reference it in .env”Replace the real value in your .env with a reference:
DB_PASSWORD={hushenv.DB_PASSWORD}Migrating an existing .env
Section titled “Migrating an existing .env”Already have a populated .env? hushenv import does the two steps above in one pass — it moves the real values into the vault and rewrites the file to references in place:
hushenv import --dry-run # preview what gets vaulted vs. left alonehushenv import # do it (interactive)It vaults your real secrets and leaves obvious non-secrets (localhost URLs, booleans, plain numbers) untouched. If that .env was ever committed, rotate the imported secrets afterward — the old plaintext is still in your git history.
Run your app
Section titled “Run your app”hushenv run -- pnpm devhushenv reads your .env, resolves the references against the vault, and injects the real values into the environment of the command you run. Nothing is written back to disk.
By default hushenv run loads ./.env. To load a different file:
hushenv run -f .env.local -- pnpm devWhat’s protected now
Section titled “What’s protected now”Your .env holds only references, so it is safe to commit and safe for an AI agent to read. The encrypted vault and the keychain-held master key stay on your machine, outside the repository.