Your secrets deserve better than plaintext
keyden replaces .env files with an AES-256-GCM encrypted vault. Nothing hits your disk in plaintext. Nothing to accidentally commit. One command to rotate everything.
Set your master password first
Run keyden init and choose a strong master password. It's the only thing standing between your secrets and the world: keyden never stores or transmits it.
Encryption: AES-256-GCM · KDF: scrypt N=2¹⁷ · Dependencies: zero · Price: free
⚠️ Local development only. keyden stores secrets in ~/.keyden/vault.enc on your machine; it doesn't exist in production (Vercel, AWS Lambda, Docker). Use your platform's native secrets management for production.
.env vs keyden
Same workflow. Dramatically better security posture.
| Feature | .env approach | keyden |
|---|---|---|
| Secrets at rest | Plaintext on disk | AES-256-GCM encrypted |
| Accidental git commit | High risk: .env often committed | No .env exists to commit |
| CI/CD secrets | Secrets visible in CI logs | Read from vault, never logged |
| Key rotation | Find & update every .env file | keyden rotate: one command |
| Multiple developers | Share via Slack / Notion | Shared team vaults (Teams plan) |
| External dependencies | dotenv package required | Zero: Node.js built-ins only |
Up in four commands
No configuration files. No provider accounts. An encrypted vault on your machine, opened with a password you choose. Works with any language via keyden run.
# 1. Create your vault
keyden init
# 2. Store a secret
keyden set GEMINI_API_KEY
# 3. Run your app with secrets injected
keyden run npm start
# 4. Or use the Node.js SDK
const keyden = require('keyden');
await keyden.open(process.env.KEYDEN_PASSWORD);
const key = await keyden.get('GEMINI_API_KEY');
Security first, not an afterthought
Zero external crypto dependencies: only Node.js built-ins.
AES-256-GCM
Authenticated encryption with built-in tamper detection. Any modification to the vault file is detected at decryption time.
scrypt KDF (N=2¹⁷)
~500ms per brute-force attempt. Your password is never stored anywhere; only the derived key is used in memory.
Atomic writes
The vault is written via a temp-file rename. No partial vault states if a write is interrupted mid-flight.
chmod 600
Vault file permissions are set to owner-read/write at creation and validated by keyden doctor.
No symlink traversal
Every write validates the full vault path for symbolic links, preventing redirect-to-arbitrary-file attacks.
Zero crypto dependencies
No third-party crypto packages. Relies exclusively on the Node.js built-in crypto module, so there is nothing to supply-chain attack.