env-sync GitHub

Stop copying .env files
between machines

env-sync keeps secrets in sync across every machine on your local network — automatically. No central server, no cloud dependency, no manual copy-paste.

Open Source mDNS Auto-Discovery SSH & mTLS Transport AGE Encryption

Download nowGet started — it's free View on GitHub
env-sync peer-to-peer secrets synchronization across local machines
# install in 10 seconds
curl -fsSL https://envsync.arnav.tech/install.sh | bash -s -- --user

# start syncing
env-sync init
env-sync add OPENAI_API_KEY="sk-..."
env-sync sync
End-to-end encrypted Linux, macOS & WSL2 Written in Go Zero-config discovery 100% open source

Up and running in 3 steps

No accounts to create, no servers to manage, no cloud services to configure.

Install

One-liner install on every machine. Works on Linux, macOS, and WSL2.

Initialize

Run env-sync init to set up keys and choose your security mode.

Sync

Peers discover each other via mDNS. Secrets merge automatically with backups.

Built for teams that work offline-first

Unlike cloud-based secret managers, env-sync works entirely on your local network — even without an internet connection.

Auto-discovery with mDNS

Machines find each other automatically using Avahi or Bonjour. No manual IP configuration needed.

Three security modes

From zero-config SSH for personal devices to mTLS + AGE encryption for cross-team collaboration.

Smart merge & backup

Per-key timestamps prevent data loss. Automatic backups before every write — keeps last 5 versions.

Lightweight & fast

Single Go binary. No runtime dependencies, no background database, no Docker required.

Sync on autopilot

Cron-based sync every 30 minutes, shell hook on startup, or manual trigger — your choice.

Peer management

Invite, approve, and revoke peers with signed membership events that propagate automatically.

Choose your security model

env-sync gives you explicit control over trust boundaries. Pick the mode that fits your team.

ModeStorageTransportBest for
trusted-owner-ssh (default)Plaintext (optional AGE) SCP / SSHAll machines belong to you — your laptop, desktop, NUC, server
secure-peerAGE encrypted (mandatory) HTTPS + mTLSMultiple people sharing secrets without giving each other shell access
dev-plaintext-httpPlaintext HTTPQuick local debugging only — not for real secrets
Learn about each mode →

How does env-sync compare?

env-sync fills the gap that centralized tools leave open — secrets on local machines that drift apart.

vs

Infisical

Open-source secrets platform vs decentralized LAN mesh.

vs

Doppler

Cloud secrets operations vs offline-first sync.

vs

dotenvx

Encrypted dotenv runtime injection vs peer synchronization.

vs

SOPS

Git-native encrypted files vs always-on machine sync.

Ready to stop sharing .env files over Slack?

Get peer-to-peer secret sync running in under a minute. Open source, self-hosted, no accounts needed.

Install env-syncRead the usage guide