envctl Documentation

Everything you need to manage secrets with your team using peer-to-peer sync and post-quantum encryption.

What is envctl?

envctl is a secrets management tool that works like Git for your environment variables. Instead of storing secrets on a cloud server, envctl encrypts them locally and syncs directly between your team's machines.

Key features:

No cloud dependency — Secrets are encrypted on your machine before syncing
P2P sync — Share directly with teammates, no middleman
Post-quantum encryption — ML-KEM-768 protects against future quantum attacks
Git-like workflow — Familiar commands: push, pull, status, log
Offline-first — Works without network; optional relay for async sync
Built-in rotation workflow — Guided process when team members leave

Quick Links

Getting Started

Install envctl and set up your first project in 5 minutes.

Core Concepts

Understand identities, projects, environments, and how sync works.

Command Reference

Complete reference for all envctl commands and options.

CI/CD Integration

Use encrypted bundles in your CI pipelines.

Common Tasks

Starting a new project

Create a project and invite your team.

Read the guide →

Joining an existing project

Accept an invitation and sync secrets.

Read the guide →

Removing a team member

Revoke access and rotate affected secrets.

Read the guide →

Setting up CI/CD

Export encrypted bundles for your pipelines.

Read the guide →

Managing multiple environments

Separate dev, staging, and production secrets.

Read the guide →

Enabling async sync

Use the relay for distributed teams.

Read the guide →

Need Help?

Run envctl doctor to diagnose common issues
Check the Troubleshooting guide for error solutions
Open an issue on GitHub