How Vaultlet Works

Vaultlet is a CLI-first secret manager designed to seamlessly sync environment variables across your team without compromising on security. We achieve this through end-to-end zero-knowledge encryption.

Zero-Knowledge Encryption

Unlike a server-side secret manager, which can read your secrets because it holds the keys that protect them (whether or not it encrypts them at rest), Vaultlet encrypts everything on your machine before it leaves. "Zero-knowledge" here means the server never holds a key that can decrypt your data, so we never see your actual secrets.

The Encryption Flow:

  1. When you run vaultlet push, your secrets are encrypted locally on your machine with a unique, randomly generated AES-256-GCM data key; that key never leaves your machine in the clear.
  2. The data key is then wrapped (encrypted) once for each teammate, using each teammate's public key, so there is one wrapped copy per recipient.
  3. Only the ciphertext and the wrapped data keys are sent to Vaultlet's servers.
  4. When a teammate runs vaultlet pull, their machine downloads the ciphertext, unwraps the data key with their private key, and decrypts the secrets locally. Because GCM authenticates as well as encrypts, a ciphertext that has been modified in transit or at rest fails to decrypt instead of yielding corrupted secrets.

If our servers were ever compromised, the attacker would find only ciphertext and wrapped data keys, neither of which can be opened without a team member's private key. That is the guarantee, and it has a boundary: your secrets stay private only as long as the private keys on your team's machines do, and only as long as the Vaultlet client you run is the one you expect, since it is the client, not the server, that ever handles plaintext.

Managing Local Environments

Vaultlet deeply integrates into your local development workflow to make managing .env files painless.

  • Instant Syncing

    Changed an API key? Run vaultlet set STRIPE_KEY=sk_test_123. Your teammates then run vaultlet pull and their local .env.local files are updated for them, with no hand editing. One thing to watch: a value passed on the command line like this is recorded in your shell history and is visible in process listings while the command runs, so if that matters in your environment, keep it out of history (bash users can set HISTCONTROL=ignorespace and prefix the command with a space).

  • Process Injection

    Don't want to write to a file at all? Use vaultlet run -- npm run dev. Vaultlet decrypts the secrets in memory and passes them to your Next.js or Node.js process through its environment, so nothing is written to disk. Keep in mind what an environment variable is, though: the child process's environment can be read by anything else running as the same user (on Linux, through /proc/<pid>/environ) and is inherited by every process the child starts, so "no trace on disk" does not mean invisible on the host.

  • Multiple Environments

    Easily switch between development, staging, and production contexts with vaultlet env switch staging. The command updates the active environment in your local state, so subsequent pull and run commands act on staging and a dev session is not silently run with production keys.