Vsync

Appearance

VsyncSecrets your team actually shares.

One encrypted vault for your environment secrets — shared across your team, mirrored to GH / GCP / AWS / Azure / Vault, audited every time someone touches it.

Get started
How it works
GitHub
🔐

Encrypted at rest, sealed in transit

AES-256-GCM bundles on any S3-compatible bucket (AWS, Hetzner, MinIO, R2, B2). Per-machine AES key in the OS keychain. The bucket alone is useless; the key alone is useless. Both halves required.

📁

Your whole vault, not just `.env`

Drop anything secret into `infra/vault//` — env files, JSON service-account keys, TLS certs, regression fixtures, signing keys. The folder ships whole.

🔁

One-passphrase onboarding

`vsync export ` mints a `.share` file. Send it on one channel, the passphrase on another. Teammate imports + pulls — they're live in 30 seconds.

↗️

Fanout to where prod runs

`vsync sync ` pushes the same `.env.` keys to any of five backends — GitHub Actions, GCP Secret Manager, AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault KV v2. One edit in the vault; every target stays in step.

📦

Read it from your app — Python, TS, Go, Java

`vsync-s3-client` ships in four languages, all at 0.11.0, all behaviorally identical. Two env vars (`VSYNC_CONFIG` + `VSYNC_PASSPHRASE`), one S3 round trip at boot, in-memory `get/source/asset_path` accessor with a deterministic vault → env → default fallback chain. Browse the libs →

📜

Append-only audit log

Every push / pull / import / export records `who, where, when, version, free-form note` to a CSV on the bucket. `vsync audit ` prints it. CI tags rows with `--note="run

🔗

Just `dotenv.config()` — no path arg

`vsync use ` symlinks `./.env` at the vault's env file. Apps just work. Switch envs with one command; restart the dev server.

<div class="vsync-flow-wrap">

How vsync flows — owner vault → push → S3/MinIO with audit.csv → pull → teammate vault, with linking ./.env and fanning out to gh / gcp / aws / azure / vault.

</div>

Install

bash
bun install -g @muthuishere/vsync     # or:  npm install -g @muthuishere/vsync
vsync --help

Requires Bun ≥ 1.2.21 on PATH (for Bun.secrets). Don't want to install? bunx @muthuishere/vsync <subcommand> works too.

The two-minute version

bash
# One-time per machine — name your S3 bucket once, reuse across projects
vsync profile add hetzner-personal          # endpoint, bucket, IAM key

# Per repo + env
vsync init dev --profile=hetzner-personal   # generate per-(repo, env) key + config
echo "DB_URL=postgres://…" > infra/vault/dev/.env.dev
vsync push dev                              # encrypt + upload to S3

vsync export dev                            # → ./<repo>-dev.share + passphrase
# Hand the file + passphrase to teammate on different channels.

# Teammate:
vsync import dev ./<repo>-dev.share         # config + key into keychain
vsync pull dev                              # decrypt + unpack vault folder
vsync use dev                               # ./.env → infra/vault/dev/.env.dev

# Daily:
vsync push dev                              # I edited a secret
vsync pull dev                              # what did the team change?
vsync sync dev gh                           # push .env.dev keys to GitHub Actions
vsync audit dev                             # who touched what, when
vsync status                                # what's set up on this machine

# Production app — mint a bootstrap token for the runtime libs
vsync runtime-token --env=prod              # → vsync-cfg-v1:H4sIAAAA...
# Paste into your platform's secret store as VSYNC_CONFIG.

Full quickstart → · Architecture →

Released under the MIT License.

© Muthukumaran Navaneethakrishnan