Documentation

GET STARTED WITH SYNCENV

Secure, end-to-end encrypted environment variable synchronization. Your secrets are encrypted on your device — we never see them.

Quick Start

01. Install CLI

One-line installer for macOS, Linux, and Windows (via WSL)

curl -sL https://syncenv-files.uagents.app/cli/install.sh | bash

02. Run Setup

One-command wizard: login + encryption keys setup

syncenv setup

03. Initialize Project

Create .syncenvrc and optionally create project on server. Environments are created on first push.

syncenv init

04. Push Your .env

Encrypt and upload your environment variables

syncenv env push

CLI Reference

syncenv --help
syncenv setup                        First-time setup wizard (recommended)
syncenv auth login                   Authenticate with your account
syncenv auth logout                  Clear local session and keys
syncenv auth status                  Check authentication status
syncenv init                         Initialize project (creates .syncenvrc and optionally creates remote project)
syncenv project list                 List all your projects
syncenv project create [name]        Create a new project
syncenv project get <identifier>     Get project by ID or name
syncenv project delete <identifier>  Delete project by ID or name
syncenv project use <identifier>     Set default project by ID or name
syncenv env push                     Encrypt and upload .env file
syncenv env pull                     Download and decrypt .env file
syncenv env sync                     Smart two-way sync with merge
syncenv env history                  View version history
syncenv env diff <v1> <v2>           Compare two versions
syncenv env rollback <version>       Rollback to specific version
syncenv user-keys unlock             Unlock encryption keys for session
syncenv user-keys lock               Lock and clear keys from memory
syncenv user-keys status             Check encryption key status
syncenv user-keys rotate             Re-encrypt keys with new password
syncenv config list                  List all configuration values
syncenv config get <key>             Get configuration value
syncenv config set <key> [value]     Set configuration value
syncenv config delete <key>          Reset config to default
syncenv doctor                       Diagnose configuration issues

Common Workflows

First-Time Setup

$ curl -sL https://syncenv-files.uagents.app/cli/install.sh | bash
$ syncenv setup # One-command wizard
$ cd ~/my-project && syncenv init
$ syncenv env push -m "Initial environment setup"

Daily Development Workflow

$ syncenv user-keys unlock # Keys are remembered by default
$ syncenv env sync # Pull + merge + push in one command
$ # Edit .env file...
$ syncenv env push -m "Updated API endpoints"
$ syncenv user-keys lock # When done

Working with Multiple Environments

$ syncenv env push -e production -m "Database migration config"
$ syncenv env pull -e staging
$ syncenv project get "My Project" # Get by name or ID

Version Management

$ syncenv env history # View all versions
$ syncenv env diff 5 8 # Compare versions 5 and 8
$ syncenv env rollback 6 # Rollback to version 6
$ syncenv env pull --version 3 # Pull specific version

Best Practices

Use Setup for First-Time Onboarding

syncenv setup

Run `syncenv setup` for one-command onboarding. It handles login and encryption key setup automatically.

Initialize Project

syncenv init

Use `syncenv init` to create .syncenvrc configuration. It can optionally create the project on the server. Environments are created on first push.

Use Smart Sync

syncenv env sync --strategy=interactive

Use `syncenv env sync` instead of separate push/pull. It performs three-way merge and handles conflicts intelligently.

Write Meaningful Commit Messages

syncenv env push -m "Added Redis config for caching"

Always use the -m flag to describe your changes. This makes version history useful for auditing.

Keys Are Remembered by Default

syncenv user-keys unlock

Keys are automatically cached in system keychain. Use `syncenv user-keys lock` when done on shared machines.

Lock Keys When Done

syncenv user-keys lock

Always lock your keys when leaving your workstation, especially on shared or public computers.

Manage CLI Configuration

syncenv config set apiUrl https://custom-api.example.com

Use `syncenv config` to manage settings like API URL and auto-lock timeout. Config is stored in system keychain.

Security Architecture

Client-Side Encryption

Your .env files are encrypted with AES-256-GCM on your device before upload. The encryption keys never leave your machine.

Master Key Protection

Your login password is processed with PBKDF2 to derive encryption keys. We never store your password.

Zero-Knowledge Storage

Our servers only store ciphertext. Even if our database is compromised, attackers cannot decrypt your data without your master key.

Secure Key Management

Hierarchical key system: Login Password → KEK → DEK. Keys are cached in system keychain for convenience.

Encryption Flow

1. Your Device

.env file → AES-256-GCM encryption → Ciphertext

2. Transport

TLS 1.3 + already encrypted data → Double protection

3. Cloud Storage

Store ciphertext only → No keys to decrypt

Key Management

Hierarchical Key System

L0: Login Password (your memory only)
L1: KEK - Key Encryption Key (PBKDF2 derivation)
L2: DEK - Data Encryption Key (per project)

Password Change Safety

Changing your login password does not require re-encrypting all your .env files. Only the KEK (Key Encryption Key) is re-encrypted with your new password. Your DEKs and encrypted data remain unchanged.
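
The key hierarchy and the password-change behaviour described above can be sketched with Node's built-in crypto module. This is an added example, not SyncEnv's code: it assumes the KEK is a random key stored wrapped under a PBKDF2-derived key, and the PBKDF2 parameters, salt and IV sizes, and all function names are assumptions.

```javascript
// Added example (not SyncEnv's code). Assumed layout: a PBKDF2-derived key wraps a
// random KEK, the KEK wraps a per-project DEK, and the DEK encrypts the .env text.
const crypto = require('crypto');

const ITERATIONS = 600000; // assumption: the page does not state PBKDF2 parameters

function passwordKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
}

// AES-256-GCM with a fresh random 12-byte IV for every encryption operation.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext or tag was modified.
function unseal(key, box) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

function createVault(password, envText) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.randomBytes(32);
  const dek = crypto.randomBytes(32);
  return {
    salt,
    wrappedKek: seal(passwordKey(password, salt), kek),
    wrappedDek: seal(kek, dek),
    envBox: seal(dek, Buffer.from(envText, 'utf8')),
  };
}

function readEnv(password, vault) {
  const kek = unseal(passwordKey(password, vault.salt), vault.wrappedKek);
  const dek = unseal(kek, vault.wrappedDek);
  return unseal(dek, vault.envBox).toString('utf8');
}

// Password change: only the salt and the wrapped KEK are replaced.
function changePassword(oldPassword, newPassword, vault) {
  const kek = unseal(passwordKey(oldPassword, vault.salt), vault.wrappedKek);
  const salt = crypto.randomBytes(16);
  return { ...vault, salt, wrappedKek: seal(passwordKey(newPassword, salt), kek) };
}
```

After `changePassword`, the returned vault carries the same `wrappedDek` and `envBox` objects as before, and the old password fails GCM authentication when it is used to unwrap the KEK.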

Session Management

Keys are automatically stored in the system keychain for convenience. Use `syncenv user-keys lock` when done, especially on shared machines.

Merge Strategies

| Strategy | Behavior | Best For |
|---|---|---|
| interactive | Prompt for each conflict [l]ocal/[r]emote/[b]oth/[s]kip | Manual review of changes |
| local-wins | Always use local changes | CI/CD pipelines |
| remote-wins | Always use remote changes | Fresh environment setup |
| fail-on-conflict | Exit with error if conflicts exist | Automated scripts requiring clean state |
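
How the three non-interactive strategies differ on the same input, as a generic three-way merge over parsed .env text. This is an added example, not SyncEnv's merge code; the function names and the simple `KEY=value` parsing are assumptions, and the error lists key names only so that secret values stay out of CI logs.

```javascript
// Added example: generic three-way merge of .env text (not SyncEnv's implementation).
function parseEnv(text) {
  const vars = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$/.exec(line);
    if (m) vars.set(m[1], m[2].trim()); // comments and blank lines do not match
  }
  return vars;
}

const STRATEGIES = ['local-wins', 'remote-wins', 'fail-on-conflict'];

function mergeEnv(baseText, localText, remoteText, strategy) {
  if (!STRATEGIES.includes(strategy)) throw new Error('unsupported strategy: ' + strategy);
  const base = parseEnv(baseText), local = parseEnv(localText), remote = parseEnv(remoteText);
  const merged = new Map();
  const conflicts = [];
  for (const key of new Set([...base.keys(), ...local.keys(), ...remote.keys()])) {
    const b = base.get(key), l = local.get(key), r = remote.get(key);
    let value;
    if (l === r) value = l;        // identical on both sides (or deleted on both)
    else if (l === b) value = r;   // only the remote side changed
    else if (r === b) value = l;   // only the local side changed
    else {
      conflicts.push(key);         // both sides changed, differently
      if (strategy === 'fail-on-conflict') continue;
      value = strategy === 'local-wins' ? l : r;
    }
    if (value !== undefined) merged.set(key, value); // undefined means deleted
  }
  if (conflicts.length > 0 && strategy === 'fail-on-conflict') {
    // Report key names only; values may be secrets.
    throw new Error('conflicting keys: ' + conflicts.join(', '));
  }
  return { merged, conflicts };
}
```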

FAQ

What is the difference between syncenv setup and syncenv init?

`syncenv setup` is for first-time users to authenticate and set up encryption keys. `syncenv init` is for each project to create .syncenvrc configuration. Run setup once per machine, init once per project.

What happens if I forget my master password?

We cannot recover your password. Use your 12-word recovery phrase generated during signup to restore access. Store this phrase in a secure password manager.

Can the SyncEnv team access my .env files?

No. All encryption happens on your device. We only store ciphertext and have no way to decrypt it without your master key.

Is there a web interface?

Yes, you can view and manage projects at the web dashboard, but the CLI provides the full feature set and is recommended for daily use.

What encryption algorithms are used?

AES-256-GCM for data encryption, PBKDF2 for key derivation, and secure random IV generation for each encryption operation.

How do I handle merge conflicts?

Use `syncenv env sync --strategy=interactive` to review conflicts one by one. Options include keeping local, remote, both, or editing manually.

Can I use SyncEnv in CI/CD pipelines?

Yes. Use `syncenv env pull --env production --yes` with CI authentication tokens. Set strategy to local-wins or remote-wins for non-interactive mode.