Home
Sync environment variables across your team. No more "it works on my machine."
The Problem
Every team faces this:
- New developer joins → spends half a day hunting for the right `.env` values
- Someone updates a secret → nobody else knows until production breaks
- "Can you send me the latest API keys?" in Slack → security nightmare
- Environment drift between dev, staging, and production → 3am outages
Paid SaaS solutions exist, but do you really want to trust your production secrets to someone else's infrastructure?
The Solution
envdrift is an open-source CLI that syncs encrypted environment files across your team using your existing cloud vault—no hosted service, no additional servers, no third-party trust.
| | Hosted SaaS | envdrift |
|---|---|---|
| Your secrets | On their servers | On YOUR infrastructure |
| Infrastructure | New service to manage | Uses existing vault (Azure/AWS/GCP/HashiCorp) |
| Cost | Per-seat pricing | Free and open source |
| Trust model | Trust the vendor | Zero third-party trust |
```bash
# New team member onboarding - one command
envdrift pull
# That's it. Keys synced from vault, .env files decrypted, ready to code.
```
How It Works
- You encrypt your `.env` file and push the encryption key to your cloud vault
- Team members pull the key from vault and decrypt locally
- Everyone stays in sync — same encrypted secrets, same decryption keys
Quick Start
1. Set up encryption (once per project)
```bash
# Encrypt your .env file
envdrift encrypt .env.production
# Push the encryption key to your team's vault
envdrift vault-push . my-app-key --provider azure --vault-url https://myvault.vault.azure.net/
```
2. Team members onboard instantly
```bash
# New developer runs one command
envdrift pull --provider azure --vault-url https://myvault.vault.azure.net/
# Done! .env.production is decrypted and ready
```
3. Keep environments in sync
```bash
# Before committing changes
envdrift lock  # Encrypts files, verifies keys match vault
# After pulling latest code
envdrift pull  # Syncs keys, decrypts files
```
Beyond Sync: Full Environment Management
Once your team is syncing environments, envdrift also provides:
| Feature | Description |
|---|---|
| Schema Validation | Validate .env files against Pydantic schemas—catch missing variables before deployment |
| Environment Diffing | Compare dev vs staging vs production—spot drift instantly |
| CI/CD Integration | Fail builds when environments are misconfigured |
| Pre-commit Hooks | Ensure files are encrypted before every commit |
| Partial Encryption | Keep non-sensitive vars readable, encrypt only secrets |
```bash
# Validate against your schema
envdrift validate .env.production --schema config:Settings
# Compare environments
envdrift diff .env.staging .env.production
```
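A commit-time check in the spirit of the pre-commit and partial-encryption rows above, as an added example that is not envdrift's own hook. It relies on the value prefixes that dotenvx (`encrypted:`) and SOPS (`ENC[`) write; the sensitive-name pattern, the function names and the sample values are assumptions made for illustration.

```python
import re
import sys

# Value prefixes written by dotenvx ("encrypted:") and SOPS ("ENC[").
ENCRYPTED_VALUE = re.compile(r"^(encrypted:|ENC\[)")
# Backend metadata that legitimately stays in cleartext.
METADATA_KEY = re.compile(r"^(DOTENV_PUBLIC_KEY|sops_)")
# Assumed policy: key names that must never be committed unencrypted.
SENSITIVE_KEY = re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE|CREDENTIAL", re.I)

def parse_env(text):
    """Yield (line_no, key, value) per assignment; skip blanks and comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        yield no, key.strip(), value

# allow_partial=True mirrors partial encryption: only sensitive-looking keys
# must be encrypted. False requires every non-metadata value to be encrypted.
def plaintext_secrets(text, allow_partial=True):
    """Return [(line_no, key)] for cleartext values that policy forbids."""
    findings = []
    for no, key, value in parse_env(text):
        if not value or METADATA_KEY.match(key) or ENCRYPTED_VALUE.match(value):
            continue
        if not allow_partial or SENSITIVE_KEY.search(key):
            findings.append((no, key))
    return findings

# Constructed sample input; none of these values are real.
SAMPLE = """\
DOTENV_PUBLIC_KEY_PRODUCTION="03constructedpublickey"
LOG_LEVEL=info
DATABASE_PASSWORD="encrypted:Y29uc3RydWN0ZWQ="
PAYMENT_API_KEY=constructed-plaintext-value
export SESSION_SECRET='constructed-plaintext-value'
"""

if __name__ == "__main__":
    texts = [(p, open(p).read()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    hits = [(p, n, k) for p, t in texts for n, k in plaintext_secrets(t)]
    for p, n, k in hits:
        print(f"{p}:{n}: {k} is not encrypted")  # key name only, never the value
    sys.exit(1 if hits else 0)
```

A prefix match only shows that a value has ciphertext shape; it does not show that the value decrypts with the key held in the vault, which is the check the page attributes to `envdrift lock`.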
Installation
```bash
pip install envdrift
# With your vault provider
pip install "envdrift[azure]"      # Azure Key Vault
pip install "envdrift[aws]"        # AWS Secrets Manager
pip install "envdrift[hashicorp]"  # HashiCorp Vault
pip install "envdrift[gcp]"        # GCP Secret Manager
pip install "envdrift[vault]"      # All providers
```
What's Next?
- Vault Sync Guide: Set up team-wide environment sync with your cloud vault.
- Quick Start: Full walkthrough from installation to team sync.
- Encryption Guide: Choose between dotenvx and SOPS encryption backends.
- CLI Reference: Complete documentation for all commands.