Hi HN,
I’m the creator of DotVeil. I’ve just migrated the repo from private to public (v1.0.1), and I wanted to share it here.
The Problem: I was tired of sharing .env files over Slack/Discord or trying to manage GPG keys for every team member just to sync a few API keys. Existing enterprise solutions felt too heavy for small-to-medium projects, and simple solutions often lacked proper encryption.
What it is: DotVeil is a CLI tool (npm install -g dotveil) that syncs your secrets using a push/pull workflow, similar to Git.
The Architecture (Zero-Knowledge): Security was the priority. We use a Hybrid Public-Key Encryption scheme:
Local Encryption: Secrets are encrypted on your device using AES-256-GCM before network transmission.
Key Derivation: Your Master Password protects your private key using Argon2; we never see the password or the raw private key.
Server: The server acts as a "blind" storage for encrypted blobs.
Updates in v1.0.1: We just patched in better support for headless environments (Linux VPS/Docker). It now gracefully falls back to file-based storage if system keyrings (libsecret) aren't available, making it easier to use in CI/CD pipelines.
The repo is MIT licensed. I’d love to hear your feedback on the crypto implementation or the CLI UX!