Plaintext credentials in .env files leak onto hard drives, into backups, and through careless commits. DesktopSecrets replaces them with references your team can safely commit — and resolves them at runtime from your own vault, with no cloud service involved.
No secrets on disk. No cloud middleman. No friction.
Your .env.tpl contains only references, never real values. Secrets are resolved in memory at runtime and injected directly into your process — nothing written to disk.
A .env.tpl without real credentials is safe to commit. Your whole team works from the same template — each person's local vault provides their own credentials.
KeePass has been audited for decades. It's offline, open-source, and your data stays exactly where you put it. No subscription, no vendor lock-in, no data sovereignty concerns.
A background daemon caches unlocked vaults for a configurable TTL. Enter your master password once — it stays available for the rest of your session without repeated prompts.
On Windows, use the built-in credential store you already have. wincred(target) retrieves passwords and usernames stored via cmdkey or the Credential Manager GUI — no extra tools, no master password.
The provider interface is open. Add your own — HashiCorp Vault, AWS Secrets Manager, 1Password — with a small Go interface. Multiple providers can be mixed freely in a single template.
AI coding agents and automation pipelines need API keys. tplenv run injects secrets into the agent process without writing them to disk or leaking them into the agent's file context.
Write a template, run your tool through tplenv run — that's the whole workflow.
Replace every credential with a secret reference. The file contains no real values — it's safe to commit and share.
tplenv run
DesktopSecrets connects to the background daemon, which unlocks your KeePass vault (prompting only when the cache is cold) and resolves every reference from the template.
Resolved values are injected as environment variables into the child process. Nothing is written to disk. The .env file your tool "sees" never exists as a file.
DATABASE_URL=keepass(&personal|/Dev/postgres|Notes)
AWS_ACCESS_KEY_ID=keepass(&cloud|/AWS/Prod/access-key)
AWS_SECRET_ACCESS_KEY=keepass(&cloud|/AWS/Prod/secret-key)
DEPLOY_TOKEN=user(Enter deploy token)
APP_ENV=production

# Start your app with secrets injected
$ tplenv run -- npm start

# Run a database migration
$ tplenv run -- flyway migrate

# Launch an AI agent with its API keys
$ tplenv run -- claude --dangerously-skip-permissions
✔ vault unlocked (cached 3h)
✔ 4 secrets resolved
✔ process started
Mix and match providers freely in a single template. Each reference resolves independently.
keepass(...) — KeePass
Retrieve secrets from .kdbx vaults. Supports absolute paths, wildcards, attribute selection, aliases, and chained vault unlocking.
keepass(vault.kdbx|/AWS/Prod/key)
wincred(...) — Windows Credential Manager
Retrieve passwords and usernames from the built-in Windows Credential Manager. No master password, no TTL — transparent once logged in. Windows only.
wincred(MyApp/DBPassword|username)
awssm(...) — AWS Secrets Manager
Retrieve secrets from AWS Secrets Manager. Supports raw string secrets and JSON field extraction. Uses the standard AWS credential chain — env vars, ~/.aws, instance roles.
awssm(MyApp/DB|password)
awsps(...) — AWS Parameter Store
Retrieve parameters from AWS Systems Manager Parameter Store. SecureString parameters are always decrypted. Supports JSON field extraction.
awsps(/myapp/prod/api-key)
user(...) — Interactive Prompt
Show a GUI prompt and ask the user to type a secret. Useful for one-off tokens, OTPs, or anything that shouldn't be stored at all.
user(Enter deploy token)
A compact expression language for retrieving secrets from any provider.
# KeePass vault entry
API_KEY=keepass(vault.kdbx|/AWS/Prod/api-key)

# Wildcard matching
DB_PASS=keepass(vault.kdbx|/DB/**/password)

# Windows Credential Manager
DB_PASS=wincred(MyApp/DBPassword)
DB_USER=wincred(MyApp/DBPassword|username)

# AWS Secrets Manager
API_KEY=awssm(MyApp/ApiKey)
DB_PASS=awssm(MyApp/DB|password)

# AWS Parameter Store
DB_HOST=awsps(/myapp/prod/db|host)

# Interactive prompt
TOKEN=user(Enter deploy token)

# Simple file alias
personal: C:\Vaults\personal.kdbx

# Alias with chained master password
cloud:
  file: C:\Vaults\cloud.kdbx
  master: keepass(&personal|Cloud Master)

# Usage in .env.tpl
SECRET=keepass(&cloud|/Prod/api-key)
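The reference syntax, the alias file and the chained master-password unlock described above, as an added example that is not the project's own code: a small Go resolver with a hypothetical Provider interface, a toy in-memory KeePass provider over constructed vaults, and a pre-seeded session cache standing in for the daemon's TTL cache. The interface shape, the type and function names, and every vault path, alias and value are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Provider is a hypothetical form of the open provider interface; it receives the Resolver so a provider can chain back into other references.
type Provider interface {
	Resolve(r *Resolver, args []string) (string, error)
}
// VaultAlias mirrors the alias file: a vault path plus an optional master-password reference.
type VaultAlias struct{ File, Master string }
// Resolver holds providers, aliases and the session cache of entered master passwords.
type Resolver struct {
	Providers map[string]Provider
	Aliases   map[string]VaultAlias
	Cache     map[string]string // vault file -> master password, like the daemon's TTL cache
}

var refRe = regexp.MustCompile(`^(\w+)\((.*)\)$`)
// ResolveExpr evaluates "provider(a|b|c)"; a plain value is returned unchanged.
func (r *Resolver) ResolveExpr(expr string) (string, error) {
	m := refRe.FindStringSubmatch(strings.TrimSpace(expr))
	if m == nil {
		return expr, nil
	}
	if p, ok := r.Providers[m[1]]; ok {
		return p.Resolve(r, strings.Split(m[2], "|"))
	}
	return "", fmt.Errorf("unknown provider %q", m[1])
}

// ResolveTemplate turns KEY=expr lines into KEY=value pairs for exec.Cmd.Env; blank lines and # comments are skipped.
func (r *Resolver) ResolveTemplate(tpl string) ([]string, error) {
	var env []string
	for _, line := range strings.Split(tpl, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		key, expr, _ := strings.Cut(line, "=")
		val, err := r.ResolveExpr(expr)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		env = append(env, key+"="+val) // resolved values exist only in memory
	}
	return env, nil
}

// fakeVault is a constructed in-memory stand-in for a .kdbx file (entry path -> password).
type fakeVault struct{ Master string; Entries map[string]string }
// KeePass is a toy provider: args are vault|/entry/path, where a leading & selects an alias.
type KeePass struct{ Vaults map[string]fakeVault }

func (k KeePass) Resolve(r *Resolver, args []string) (string, error) {
	file, masterRef := args[0], ""
	if a, ok := r.Aliases[strings.TrimPrefix(file, "&")]; ok && file[0] == '&' {
		file, masterRef = a.File, a.Master
	}
	master, cached := r.Cache[file]
	if !cached && masterRef != "" { // chained unlock: another vault holds this password
		var err error
		if master, err = r.ResolveExpr(masterRef); err != nil {
			return "", err
		}
		r.Cache[file] = master // remember it for the rest of the session
	}
	v, ok := k.Vaults[file]
	if !ok || master != v.Master {
		return "", fmt.Errorf("vault %q is unknown or still locked", file)
	}
	if val, ok := v.Entries[args[1]]; ok {
		return val, nil
	}
	return "", fmt.Errorf("%s: no entry at %s", file, args[1])
}

// NewDemoResolver wires constructed vaults and aliases, with the cache pre-seeded as if the user had typed the personal vault's password once; nothing here is a real credential.
func NewDemoResolver() *Resolver {
	kp := KeePass{Vaults: map[string]fakeVault{
		"personal.kdbx": {Master: "pw-personal", Entries: map[string]string{"Cloud Master": "pw-cloud"}},
		"cloud.kdbx":    {Master: "pw-cloud", Entries: map[string]string{"/AWS/Prod/access-key": "AKIA-EXAMPLE"}},
	}}
	return &Resolver{
		Providers: map[string]Provider{"keepass": kp},
		Aliases: map[string]VaultAlias{
			"personal": {File: "personal.kdbx"},
			"cloud":    {File: "cloud.kdbx", Master: "keepass(&personal|Cloud Master)"},
		},
		Cache: map[string]string{"personal.kdbx": "pw-personal"},
	}
}

// DemoTemplate holds references only, so a file like it is safe to commit (constructed).
const DemoTemplate = `# constructed .env.tpl
AWS_ACCESS_KEY_ID=keepass(&cloud|/AWS/Prod/access-key)
APP_ENV=production`

func main() { fmt.Println(NewDemoResolver().ResolveTemplate(DemoTemplate)) }
```

The slice ResolveTemplate returns is what a runner would append to `exec.Cmd.Env` for the child process; nothing is written to a file. Resolving `&cloud` walks the alias chain: the cloud vault's master password is itself a reference into the personal vault, which succeeds only because that vault's password is already in the session cache. Clearing the cache makes the same reference fail with a locked-vault error, which is the cold-cache case where the real tool prompts the user once.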
Downloads the latest release, verifies SHA256 checksums, and adds the tools to your PATH.
irm https://it-atelier-gn.github.io/desktop-secrets/install.ps1 | iex
curl -fsSL https://it-atelier-gn.github.io/desktop-secrets/install.sh | bash
Binaries are built by GitHub Actions from source and are SHA256-verified.
Built by Georg Nelles — freelance software engineer specializing in automation, modernization, and pragmatic tooling. DesktopSecrets is open-source. Your secrets stay on your machine.