env-manager
Manage encrypted .env file vaults across projects and environments using env-file-manager
Best use case
env-manager is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Manage encrypted .env file vaults across projects and environments using env-file-manager
Teams using env-manager should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/env-manager/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How env-manager Compares
| Feature / Agent | env-manager | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Manage encrypted .env file vaults across projects and environments using env-file-manager
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# env-manager skill ## When to use Use this skill when the user needs to: - Encrypt and store environment variables with AES-256-GCM encryption - Share encrypted vaults between team members via S3 or local paths - Pull decrypted variables to a local `.env` file - Diff two environments to see which variables differ - Manage multiple projects each with development, staging, and production environments ## Prerequisites - Node.js 20+ - pnpm - Optional: AWS credentials for S3 sync ## Installation ``` npm install -g env-file-manager ``` ## Quick Start ``` # Start the dashboard server env-mgr start # Create a project (will prompt for a passphrase) env-mgr project add my-app # Set a variable (will prompt for passphrase and value) env-mgr set my-app development DATABASE_URL # Pull all variables to a .env file env-mgr pull my-app development # Push vault to S3 env-mgr push my-app production ``` ## Usage Patterns ### Setting multiple variables Run `env-mgr set` for each variable. The vault session is cached in memory for 15 minutes so you only need to enter the passphrase once per session: ``` env-mgr set my-app development DATABASE_URL env-mgr set my-app development REDIS_URL env-mgr set my-app development SECRET_KEY ``` ### Pulling to a custom path By default, `env-mgr pull` writes to the project path configured at creation. Override with `--output`: ``` env-mgr pull my-app production --output ./config/.env.production ``` ### Dry run before pulling Preview which variables would be written without touching the `.env` file: ``` env-mgr pull my-app production --dry-run ``` ### Diffing environments The diff command compares variable key sets and ciphertexts. It does not decrypt values: ``` env-mgr diff my-app development production ``` ### Setting up S3 sync Configure S3 once and all projects will use it for push/pull: ``` env-mgr config set s3-bucket my-team-vaults env-mgr config set s3-region us-east-1 ``` ### Syncing locally instead of S3 ``` env-mgr push my-app production --destination local --path /mnt/shared/vaults env-mgr pull my-app production --source local --path /mnt/shared/vaults ``` ## CLI Reference | Command | Description | |---|---| | `env-mgr start` | Start the dashboard server | | `env-mgr project add <name>` | Create a new project | | `env-mgr project list` | List all projects | | `env-mgr project remove <name>` | Remove a project | | `env-mgr env add <project> <env>` | Add an environment to a project | | `env-mgr set <project> <env> <KEY>` | Set (encrypt and store) a variable | | `env-mgr get <project> <env> <KEY>` | Decrypt and print one variable value | | `env-mgr pull <project> <env>` | Write all variables to .env file | | `env-mgr pull <project> <env> --dry-run` | Preview pull without writing | | `env-mgr pull <project> <env> --output <path>` | Write to a specific path | | `env-mgr push <project> <env>` | Push vault to sync destination | | `env-mgr push <project> <env> --destination local --path <path>` | Push to local path | | `env-mgr diff <project> <env1> <env2>` | Diff two environments | | `env-mgr config set <key> <value>` | Set a config value | | `env-mgr config show` | Show configuration | | `env-mgr --help` | Show help | | `env-mgr --version` | Show version | ## Environment Variables | Variable | Description | Default | |---|---|---| | `ENVMGR_PORT` | Dashboard port | `7433` | | `ENVMGR_HOST` | Bind address | `127.0.0.1` | | `ENVMGR_DATA_DIR` | Vault, config, and database directory | `~/.env-file-manager` | | `ENVMGR_S3_BUCKET` | S3 bucket name | (from config) | | `ENVMGR_S3_PREFIX` | S3 key prefix | `vaults/` | | `ENVMGR_S3_ENDPOINT` | S3-compatible endpoint URL | (AWS default) | | `ENVMGR_S3_REGION` | AWS region | `us-east-1` | | `ENVMGR_AWS_ACCESS_KEY_ID` | AWS access key | (from env or ~/.aws) | | `ENVMGR_AWS_SECRET_ACCESS_KEY` | AWS secret key | (from env or ~/.aws) | | `ENVMGR_LOG_LEVEL` | Log level: debug, info, warn, error | `info` | ## Troubleshooting **"wrong passphrase" / auth tag error** - The passphrase entered does not match the one used to create the vault. There is no recovery path. Ensure the passphrase is correct. **Diff shows all variables as "changed"** - This can happen after re-encrypting a vault (the ciphertexts differ even if values are the same). This is expected behavior - AES-256-GCM uses random IVs, so re-encryption always produces new ciphertexts. **S3 push fails with AccessDenied** - Check that `ENVMGR_AWS_ACCESS_KEY_ID` and `ENVMGR_AWS_SECRET_ACCESS_KEY` are set, or that `~/.aws/credentials` is configured. The IAM policy must allow `s3:PutObject` and `s3:GetObject` on the bucket. **`.env` file written with wrong path** - Set the project path: `env-mgr config set project.my-app.path /Users/you/projects/my-app`. **Session expired during bulk set** - Re-enter the passphrase. Sessions last 15 minutes. Use `env-mgr set` sequentially - each set call checks the in-memory session token.
Related Skills
bookmark-manager
Save and organize URLs with tags, full-text search, and auto-generated screenshots. Use when you need to save a URL for later, organize links into collections, search saved bookmarks, or import browser bookmarks. Triggers include "save this link", "bookmark", "organize URLs", "find that article I saved", or any task involving managing a personal URL library.
Skill: clinic-queue-manager API
## When to use this skill
appointment-manager
Schedule and track healthcare appointments, manage provider contacts, build pre-appointment checklists, attach documents, receive reminders, and export appointment history. Use when a user needs to add, view, update, or export healthcare appointments.
dns-record-manager
Operate dns-record-manager -- manage DNS records across Cloudflare and Route 53, review change history, and configure providers.
ssh-config-manager
Manage SSH host configurations in ~/.ssh/config from the terminal. Use when adding, editing, or searching SSH hosts, cloning host configs, testing connections, or importing configs. Triggers include "ssh config", "ssh host", "sshm", "add ssh host", "edit ssh config", "test ssh connection".
Skill: farm-task-manager
## Purpose
Skill: Uptime Monitoring
## Overview
Skill: Status Page
## Overview
Skill: unit-conversion
## Overview
Skill: recipe-scaler
## Overview
reading-list
Operate the reading-list API to save, manage, tag, search, and export articles.
email-digest
Configure, test, and troubleshoot the reading-list daily email digest delivered via nodemailer.