Keynest – a simple offline secrets manager

Name: Keynest – a simple offline secrets manager
Availability: InStock
Author: capydev42

by capydev42·Mar 20, 2026·1 point·0 comments

Visit Project View on HN

AI Analysis

●MidShip ItCozy

Encrypted .env replacement, but pass and sops already cover this.

Strengths

•Single encrypted file approach eliminates complex setup and background services
•Runtime injection via keynest exec keeps secrets out of source code entirely
•No account or cloud dependency makes it genuinely offline and portable

Weaknesses

•No team sharing or collaboration features, solo developer workflow only
•Local secrets manager space already crowded with pass, 1Password CLI, dotenv-vault

Post Description

I tend to build a lot of small tools, side projects and experimenting with many different technologies and always run into the same issues:

- secrets are in .env files which i need to copy around between the projects - hardcoded secrets in code which i forget to delete when commiting - keep track of set environment variables in different environments

and i tried different solutions out there (1Password, Vault, ..) but it felt like too heavy for my local projects.

This is why i built Keynest for my personal local workflow. I use it currently for small local experimenting stuff only.

It is basically one encrypted file on my disk and i decide what secrets i want to inject while running commands: E.g. keynest exec -- docker compose up

Curious if others have the same pain with local secrets or if I'm overengineering this.

Would love some feedback.