eenvdir is a simple commandline utility inspired by envdir

Find it on GitHub: sufianrhazi/eenvdir


envdir and really the whole daemontools suite of commandline utilities are deceptively simple and powerful tools for managing UNIX services. While the original envdir is fantastic, I've found a common need to pass a set of "secret" environment variables that are stored encrypted at rest on disk.

eenvdir is a tiny reimplementation of envdir (102 LoC, including documentation) that allows environment variable files to be encrypted via AES-256 in CBC mode with a shared password across all files in the directory.

This encryption strategy not meet your needs if you work with others on complex infrastructure. I personally manage a handful of hosts and this works great for me. If you're doing complex things, you may want to look at KMS, Vault, or Keywhiz.

I consider eenvdir to be "complete." Unless AES-256 is found to be broken or a security vulnerability is found in python's standard library, I will not maintain or modify this software.



Copy/symlink eenvdir to somewhere on your path.

Or just ln -s "$(pwd)/eenvdir" /usr/local/bin/eenvdir


Usage: eenvdir [--password-via-fd=N] DIR CMD [ARG] ...

Run CMD with environment modified according to files in DIR

    If DIR contains a file named KEY.aes it is decrypted and proceeds as if the
    file was named KEY. Decryption via: openssl enc -d -aes-256-cbc -salt

    If DIR contains a file named KEY whose first line is VAL, envdir removes an
    environment variable named KEY if one exists, and then adds an environment
    variable named KEY with value VAL. The name KEY must not contain =. Spaces
    and tabs at the end of VAL are removed. Nulls in VAL are changed to
    newlines in the environment variable.

    If the file KEY is completely empty (0 bytes long), envdir removes an
    environment variable named KEY if one exists, without adding a new

    Exits 111 if it has trouble reading DIR, if it runs out of memory for
    environment variables, or if it cannot run child. Otherwise its exit code is
    the same as that of child.

    --password-via-fd=N     fd N is read and closed; password is the contents