Envrify is a secure, self-hostable backend for managing environment variables and secrets across registered organizations and projects. It is designed to centralize secret management with strong encryption and SDK-ready integration.
- Organization & File Management: Hierarchical structure where Organizations contain multiple secure Files (e.g., `.env.production`, `.env.staging`).
- Double-Layer Encryption:
  - Master Key: A system-wide `MASTER_ENCRYPTION_KEY` encrypts unique encryption keys for each file.
  - File Key: Each file has its own unique key used to encrypt the actual key-value contents.
- Secure SDK Integration: Dedicated API endpoints for SDKs to fetch decrypted secrets using file-specific API Keys.
- Key Rotation: Built-in support for rotating both File API Keys and File Encryption Keys.
- Role-Based Access Control (RBAC): Data model designed to support Moderators and Members with granular `Read`, `Write`, and `Delete` permissions per file.
- Audit Ready: Tracks `AddedBy` and `UpdatedBy` for all secret changes.
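
The double-layer scheme from the feature list, as an added example that is not Envrify's own code. It assumes AES-256-GCM (the page only says AES), and the names `Seal`, `Open` and `LoadSecret` are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key = AES-256; GCM is this example's assumption
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts pt under key and prepends the fresh random nonce to the output.
func Seal(key, pt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}
// Open reverses Seal; it fails on a wrong key or a modified ciphertext.
func Open(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("open: bad key length or short ciphertext")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}
// LoadSecret unwraps the file key with the master key, then decrypts the value.
func LoadSecret(master, wrappedKey, encValue []byte) ([]byte, error) {
	fileKey, err := Open(master, wrappedKey)
	if err != nil {
		return nil, err
	}
	return Open(fileKey, encValue)
}
func main() {
	master, fileKey := make([]byte, 32), make([]byte, 32) // constructed all-zero demo keys
	wrapped, _ := Seal(master, fileKey)                   // stored once per file
	enc, _ := Seal(fileKey, []byte("constructed-secret")) // stored once per secret
	pt, err := LoadSecret(master, wrapped, enc)
	fmt.Printf("%s %v\n", pt, err)
}
```

Because only the wrapped file key depends on the master key, the database never has to hold a usable file key, and a stored value that has been modified fails authentication instead of decrypting to garbage.
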
- Language: Go (Golang)
- Framework: Gin Gonic
- Database: SQLite (via GORM)
- Encryption: AES (implied)
- Configuration: Dotenv
```
.
├── internals/
│   ├── config/         # Configuration loaders
│   ├── controllers/    # API Handlers (Organization, File, FileContent)
│   ├── database/       # GORM Models (Org, File, Content, RBAC)
│   ├── initializers/   # DB Connect & Sync
│   ├── middleware/     # SDK Access Validation
│   ├── routes/         # API Route Definitions
│   └── utils/          # Encryption & Helper logic
├── main.go             # Entry point
└── .env                # System configuration
```

- Clone the repository.
- Create `.env`: Copy `.env.example` (if available) or create a new `.env` file.

```bash
# Install dependencies
go mod download

# Run with hot reload (if Air is installed)
air

# Standard run
go run main.go
```

The server will start (default port is usually 8080 or defined by Gin).

| Method | Endpoint | Description |
|---|---|---|
| `GET` | `/` | Returns system status and app name. |

| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/org/create` | Create a new organization. |
| `POST` | `/org/update-name` | Update an organization's name. |
| `DELETE` | `/org/delete/:id` | Delete an organization and all its data. |

| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/file/create` | Create a new secure file within an Org. |
| `POST` | `/file/update-name` | Rename a file. |
| `POST` | `/file/rotate-api-key` | Generate a new API Key for a file. |
| `POST` | `/file/rotate-encryption-key` | Rotates the internal encryption key for the file. |
| `DELETE` | `/file/delete/:id` | Delete a file. |

| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/file-content/create` | Add a new encrypted secret (Key-Value) to a file. |
| `POST` | `/file-content/update` | Update an existing secret. |
| `DELETE` | `/file-content/delete` | Remove a secret. |
| `POST` | `/file-content/fetch-all` | Fetch all decrypted secrets for a file (Admin/User context). |

| Method | Endpoint | Description |
|---|---|---|
| `POST` | `/api/v1/fetch-decrypted-values` | SDK Only: Fetch decrypted secrets using the File's API Key. |

- At Rest: All secret values are encrypted in the database.
- Access Control:
  - Management API: Intended for the Dashboard/CLI to manage files.
  - SDK API: Specifically designed for applications to pull their configuration at runtime using a static API Key.