ripenv is a comprehensive, military-grade solution for managing encrypted environment files and API secrets across development teams. Built with a security-first approach, ripenv addresses the critical challenge of secret management in modern software development workflows.
The software industry faces an unprecedented crisis in secret management:
- 18,000+ exposed API secrets discovered across 1 million domains on the web, including Discord webhooks and critical service tokens (The API Secret Sprawl Report)
- 3,325 secrets compromised in the Ghost Action supply chain attack (September 8, 2025), affecting PyPI, npm, and DockerHub tokens through malicious GitHub workflows (GitGuardian)
- 12.8 million secrets accidentally leaked on public GitHub repositories in 2023 alone (Infosecurity Magazine)
ripenv provides a robust, cryptographically secure solution to prevent these devastating security breaches while maintaining developer productivity.
- Client-side encryption using industry-standard algorithms (X25519, XSalsa20-Poly1305, Argon2id)
- Private keys never leave your machine in plaintext form
- Per-file key rotation with individual recipient wrapping
- Forward secrecy through ephemeral key generation
- Web-based dashboard for project and team member management
- Granular access controls with project-based permissions
- Automatic recipient synchronization via Supabase integration
- Email-based invitation system with secure onboarding
- Intuitive CLI with rich terminal output and progress indicators
- Natural language input via Google Gemini integration for command parsing
- Seamless CI/CD integration with automated secret rotation
- Cross-platform support (Windows, macOS, Linux)
- Smart rotation reminders with configurable intervals
- Supabase integration for real-time team synchronization
- Git-friendly encrypted files that can be safely committed
- Automated cleanup and secure deletion of plaintext files
- Framework: Next.js 14 with App Router
- UI/UX: Tailwind CSS with custom cyberpunk-inspired design
- Authentication: Supabase Auth with magic link authentication
- Cryptography: WebCrypto API + TweetNaCl for browser-based key generation
- State Management: React hooks with TypeScript
- Deployment: Vercel-ready with optimized builds
- Language: Python 3.10+ with async/await support
- Cryptography: PyNaCl (libsodium bindings) for high-performance crypto operations
- Password Hashing: Argon2id with secure parameter tuning
- Database: Supabase (PostgreSQL) with Row Level Security (RLS)
- CLI Framework: Click with Rich for enhanced terminal UI
- AI Integration: Google Gemini for natural language command processing
- Confidentiality: XSalsa20-Poly1305 authenticated encryption
- Integrity: Built-in authentication tags prevent tampering
- Forward Secrecy: Ephemeral keys are rotated per encryption operation
- Key Derivation: Argon2id with tuned parameters resistant to GPU attacks
- Client-side key generation: Private keys never transmitted
- Zero-knowledge architecture: Server only stores encrypted data and public keys
- Compartmentalized access: Project-based isolation with granular permissions
- Audit trail: Comprehensive logging of all cryptographic operations
- ✅ Insider threats: Encrypted at rest with individual key wrapping
- ✅ Supply chain attacks: Cryptographic verification of all operations
- ✅ Data breaches: Zero plaintext exposure on server infrastructure
- ✅ Credential theft: Automatic rotation with configurable intervals
- ✅ Social engineering: Multi-factor authentication via email verification
- API keys and tokens (AWS, GCP, Azure, etc.)
- Database connection strings
- OAuth credentials and refresh tokens
- Webhook URLs and signing secrets
- Certificate and private key materials
- Custom environment configurations
- Anything and everything you want
- Development Teams: Secure collaboration on sensitive projects
- CI/CD Pipelines: Automated deployment with encrypted secrets
- Configurable reminder intervals (30, 60, 90 days)
- Supabase Edge Functions for reliable delivery
- Team-wide coordination of rotation schedules
- Generation: Secure random key generation with proper entropy
- Distribution: Encrypted individual wrapping for each team member
- Usage: Decryption only on authorized developer machines
- Rotation: Seamless key rotation with backward compatibility
- Revocation: Immediate access removal for departing team members
We welcome contributions from the security and development community:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
If you discover a security vulnerability, please create a new issue. All security vulnerabilities will be promptly addressed.
ripenv - Git maintains your code. We protect your secrets.