๐Ÿ” keyden
Local development ยท Zero .env files

Your secrets deserve better than plaintext

keyden replaces .env files with an AES-256-GCM encrypted vault. No secrets touch your disk in plaintext. Nothing to accidentally commit. One command to rotate everything.

npm install -g keyden

โš ๏ธ Local development only. keyden stores secrets in ~/.keyden/vault.encon your machine โ€” it doesn't exist in production (Vercel, AWS Lambda, Docker). Use your platform's native secrets management for production.

.env vs keyden

Same workflow. Dramatically better security posture.

| Feature | .env approach | keyden |
| --- | --- | --- |
| Secrets at rest | Plaintext on disk | AES-256-GCM encrypted |
| Accidental git commit | High risk — .env often committed | No .env exists to commit |
| CI/CD secrets | Secrets visible in CI logs | Read from vault, never logged |
| Key rotation | Find & update every .env file | keyden rotate — one command |
| Multiple developers | Share via Slack / Notion | Shared team vaults (Teams plan) |
| External dependencies | dotenv package required | Zero — Node.js built-ins only |

Up in four commands

No configuration files. No provider accounts. An encrypted vault on your machine, opened with a password you choose. Works with any language via keyden run.

# 1. Create your vault
keyden init

# 2. Store a secret
keyden set GEMINI_API_KEY

# 3. Run your app with secrets injected
keyden run npm start

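// 4. Or use the Node.js SDK
const keyden = require('keyden');

// await is not allowed at the top level of a CommonJS module, so wrap the calls
(async () => {
  await keyden.open(process.env.KEYDEN_PASSWORD);
  const key = await keyden.get('GEMINI_API_KEY');
})();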

Security first, not an afterthought

Zero external crypto dependencies — only Node.js built-ins.

AES-256-GCM

Authenticated encryption with built-in tamper detection. Any modification to the vault file is detected at decryption time.

scrypt KDF (N=2¹⁷)

~500ms per brute-force attempt. Your password is never stored anywhere — only the derived key is used in memory.

Atomic writes

The vault is written via a temp-file rename. No partial vault states if a write is interrupted mid-flight.

chmod 600

Vault file permissions are set to owner-read/write at creation and validated by keyden doctor.

No symlink traversal

Every write validates the full vault path for symbolic links, preventing redirect-to-arbitrary-file attacks.

Zero crypto dependencies

No third-party crypto packages. Relies exclusively on the Node.js built-in crypto module — nothing to supply-chain attack.
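The scrypt and AES-256-GCM properties listed above can be reproduced with Node.js built-ins alone. The following is an added example, not keyden's source code: the blob layout (salt | iv | tag | ciphertext), the scrypt r and p values, and the function names are assumptions.

```javascript
// Added example, not keyden's source: blob layout and names are assumptions.
const nodeCrypto = require('node:crypto');

const SCRYPT_N = 2 ** 17;            // cost parameter stated on the page
const SCRYPT_R = 8, SCRYPT_P = 1;    // assumed; the page does not give r or p
// scrypt needs roughly 128 * N * r bytes (128 MiB here). Node's default
// maxmem is 32 MiB, so scryptSync throws unless the limit is raised.
const MAXMEM = 256 * 1024 * 1024;

function deriveKey(password, salt, N = SCRYPT_N) {
  return nodeCrypto.scryptSync(password, salt, 32,
    { N, r: SCRYPT_R, p: SCRYPT_P, maxmem: MAXMEM });
}

// Assumed layout: salt(16) | iv(12) | tag(16) | ciphertext
function sealVault(password, secrets, N = SCRYPT_N) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce on every write
  const key = deriveKey(password, salt, N);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(secrets), 'utf8'), cipher.final()]);
  key.fill(0); // drop the derived key once the write is done
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

function openVault(password, blob, N = SCRYPT_N) {
  if (blob.length < 44) throw new Error('vault blob too short');
  const key = deriveKey(password, blob.subarray(0, 16), N);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', key, blob.subarray(16, 28));
  decipher.setAuthTag(blob.subarray(28, 44));
  let plain;
  try {
    // final() throws when the tag does not verify, which covers both a
    // wrong password and any modified byte in the blob.
    plain = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  } catch (err) {
    throw new Error('vault authentication failed');
  } finally {
    key.fill(0);
  }
  return JSON.parse(plain.toString('utf8'));
}
```

Because the salt, nonce and tag all feed the authentication check, flipping a bit anywhere in the blob produces the same failure as a wrong password, so the caller cannot tell the two apart.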

Free forever. Upgrade when you need more.

The core vault is always free. Sync, team sharing, and enterprise features are paid.

Free

$0

Single developer

Pro

$9

Coming soon

Teams

$29

Coming soon

Enterprise

$299+

Coming soon

Ready to ditch .env?

Install once, initialize your vault, and never worry about a leaked secret file again.