Envo – Encrypted env management for teams
Go, Gin, PostgreSQL, React, Vite, TailwindCSS, Docker, CLI
Envo encrypts secrets with AES-256 and AWS KMS envelope encryption before they reach storage, supports Google OAuth and org/project/env modeling, and offers a one-command CLI flow (e.g. `envo pull`) to sync secrets locally. It ships with Docker for single-server deployment.
Key Features
AES-256-GCM encryption with AWS KMS envelope encryption (fallback in dev)
Google OAuth authentication flow
Organizations, projects, environments, and secret CRUD with RBAC
CLI login + pull to write secrets to local .env files
Docker Compose deployment with reverse proxy
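The envelope pattern named in the first feature, as an added Go example (not Envo's own code): a locally held 32-byte key stands in for AWS KMS, as in the dev fallback. The function names and the binding of an `org/project/env` scope string as GCM associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmDo seals in as nonce||ciphertext, or opens such a value, with AES-256-GCM.
func gcmDo(key, in, aad []byte, seal bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	a, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block GCM requires
	nonce := make([]byte, a.NonceSize())
	if seal {
		if _, err = rand.Read(nonce); err != nil { // fresh random nonce per seal
			return nil, err
		}
		return a.Seal(nonce, nonce, in, aad), nil
	}
	if len(in) < len(nonce) {
		return nil, errors.New("ciphertext too short")
	}
	return a.Open(nil, in[:len(nonce)], in[len(nonce):], aad)
}

// Encrypt seals secret under a fresh data key (DEK) and wraps the DEK under kek.
// scope (assumed "org/project/env") is authenticated as AAD on both layers.
func Encrypt(kek []byte, scope, secret string) (wrapped, ct []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if wrapped, err = gcmDo(kek, dek, []byte(scope), true); err == nil {
		ct, err = gcmDo(dek, []byte(secret), []byte(scope), true)
	}
	return wrapped, ct, err
}

// Decrypt unwraps the DEK with kek, then opens the secret; scope must match.
func Decrypt(kek, wrapped, ct []byte, scope string) ([]byte, error) {
	dek, err := gcmDo(kek, wrapped, []byte(scope), false)
	if err != nil {
		return nil, err
	}
	return gcmDo(dek, ct, []byte(scope), false)
}
```

Only `wrapped` and `ct` are stored; a row copied from one environment to another fails authentication because the scope no longer matches.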
Challenges
Designing secure encryption boundaries across API, DB, and CLI
Building a reliable OAuth + token flow across web + CLI
Balancing DX (one-command pull) with least-privilege access
Key Learnings
Envelope encryption and practical secret-management patterns
RBAC modeling for teams and environments
Deploying full-stack systems with Docker + reverse proxying
Duration
—
Role
Full-stack Engineer
Status
in-progress