Welcome to Redenv
A zero-knowledge, end-to-end encrypted secret management system designed to replace traditional .env files with secure, version-controlled, and dynamic secret management.
Redenv is a zero-knowledge, end-to-end encrypted secret management system designed to replace traditional .env files. It provides a secure, version-controlled, and dynamic way to manage application secrets using Upstash Redis as a centralized backend.
Why Redenv?#
Modern applications face two critical challenges with secret management:
The .env Problem#
- Synchronization nightmare across teams and environments
- Insecure sharing via Slack, email, or text messages
- No version control or audit trail
- "Works on my machine" syndrome
The Serverless Problem#
- Rebuild to rotate: Changing a secret requires full redeployment
- Configuration coupled with code: Simple config changes need CI/CD pipelines
- Slow emergency response: Leaked keys take minutes to rotate
How Redenv Solves This#
Redenv decouples configuration from deployment with:
- 🔐 Zero-Knowledge Encryption: AES-256-GCM encryption ensures your secrets are never stored in plaintext
- 📦 Centralized Storage: Single source of truth in your Upstash Redis instance
- ⏱️ Version History: Complete audit trail with instant rollbacks
- ⚡ Dynamic Updates: Rotate secrets without redeploying (seconds vs. minutes)
- 🛠️ Developer-First: Powerful CLI and runtime SDKs for any workflow
Quick Example#
# Install CLI
bun add -g @redenv/cli
# Connect to Upstash
redenv setup
# Register project
redenv register my-app
# Add a secret
redenv add API_KEY "super-secret-value"// Use in your app
import { Redenv } from "@redenv/client";
const redenv = new Redenv({
project: "my-app",
tokenId: process.env.REDENV_TOKEN_ID,
token: process.env.REDENV_TOKEN_KEY,
upstash: { url: "...", token: "..." },
});
const env = await redenv.load(); // Secrets loaded & cached
console.log(env.API_KEY); // Access securelyWhat's Included#
Core Packages#
- @redenv/cli - Complete CLI for managing secrets with 24+ commands
- @redenv/client - JavaScript/TypeScript runtime client with smart caching
- redenv (Python) - Python client with async/sync support
- @redenv/core - Universal cryptographic primitives
Key Features#
- Service Tokens: Secure, scoped access for applications and CI/CD
- Secret Expansion: Reference other secrets with
${VAR}syntax - Plugin System: Extend functionality (e.g., @redenv/studio)
- Multi-Environment: Separate dev, staging, and production secrets
- Backup/Restore: Built-in disaster recovery
Architecture Highlights#
- Master Password: Used only by developers via CLI, never stored
- Service Tokens: For application access, can be read-only or read-write
- End-to-End Encryption: Zero-knowledge model - Upstash never sees plaintext
- PBKDF2: 310,000 iterations for key derivation (OWASP recommended)
Next Steps#
Installation Guide
Set up the CLI and SDKs
Quickstart Tutorial
Your first secret in 5 minutes
Core Concepts
Understand how it works
CLI Commands
Complete command reference
JavaScript SDK
For Node.js/Deno/Bun apps
Python SDK
For Python applications
Community & Support#
- GitHub: redenv-labs/redenv
- Issues: Bug reports & feature requests
- NPM: @redenv/cli, @redenv/client
- PyPI: redenv
Built with ❤️ for the Upstash community.