GitHub - GreatScott/enveil: ENVeil: Hide .env secrets from prAIng eyes: secrets live in local encrypted stores (per project) and are injected directly into apps at runtime, never touching disk as plaintext.

Hacker News
February 24, 2026
AI-Generated Deep Dive Summary
ENVeil is a tool for keeping the secrets in .env files away from AI coding tools such as Claude Code and Copilot, which can read project directories. Traditional .env files store secrets in plaintext, which risks accidental exposure. ENVeil replaces the actual secret values with symbolic references (e.g., ev://database_url), while the real values are kept in an encrypted local file.

When an application is run, ENVeil prompts for a master password, decrypts the store, and injects the correct environment variables into the subprocess. The store is encrypted with AES-256-GCM, and decrypted keys do not remain in memory afterward. Without the master password, the encrypted store is indistinguishable from random data.

The tool can be installed in several ways, including via Rust's cargo package manager or by building from source. Each project maintains its own encrypted store, which should be added to .gitignore to prevent accidental commits. ENVeil is self-contained: it does not rely on third-party services, and developers keep control over their own secrets.

As AI tools become more integrated into development workflows, the risk of unintended data exposure rises. ENVeil gives developers a simple way to protect sensitive information without complicating their workflow: secrets never touch disk as plaintext, and the store is protected with strong encryption.
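The reference-and-inject flow described above, sketched as an added Python example (not ENVeil's own code). It assumes `KEY=VALUE` lines in the .env file and uses a plain dict as a stand-in for the store after decryption; the function names and sample values are constructed for illustration, and the AES-256-GCM step is left out.

```python
import os
import subprocess

REF_PREFIX = "ev://"  # reference scheme shown in the summary

# Constructed sample .env template: references only, no secret values.
SAMPLE_ENV = """\
# constructed sample
DATABASE_URL=ev://database_url
API_KEY=ev://api_key
LOG_LEVEL=debug
"""

# Assumption: stand-in for the store once decrypted with the master password.
SAMPLE_STORE = {"database_url": "postgres://app:constructed@localhost/db",
                "api_key": "constructed-key-123"}


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    pairs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected KEY=VALUE")
        pairs[key.strip()] = value.strip()
    return pairs


def resolve(pairs, store):
    """Swap each ev:// reference for its stored value; fail closed on unknown names."""
    resolved = {}
    for key, value in pairs.items():
        if value.startswith(REF_PREFIX):
            name = value[len(REF_PREFIX):]
            if name not in store:
                raise KeyError(f"{key}: no secret named {name!r} in store")
            value = store[name]
        resolved[key] = value
    return resolved


def run_with_secrets(argv, env_text, store):
    """Run argv with resolved values in the child's environment only."""
    child_env = {**os.environ, **resolve(parse_env(env_text), store)}
    return subprocess.run(argv, env=child_env, capture_output=True, text=True)
```

The resolved values exist only in the dict handed to the child process; the parent's `os.environ` and the .env file on disk still hold nothing but references.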
Originally published on Hacker News on 2/24/2026