terminal
npx hush encrypt
Encrypting .env files...
✓ Wrote .env.encrypted
✓ Wrote .env.development.encrypted
✓ Wrote .env.production.encrypted

npx hush decrypt
Decrypting for development...
✓ app/.env.development (3 vars)
✓ api/.dev.vars (5 vars)

The AI-native secrets manager

Encrypt secrets, commit to git, let AI help—without exposing values. Works with every framework.

Install in Seconds

Install the Claude Code / OpenCode skill, then let AI handle the rest:

Terminal window
npx @chriscode/hush skill

Once installed, just ask your AI: “Set up Hush for this project”

Why Hush?

AI-Native by Design

Built for the AI coding era. Let Claude, Copilot, and Cursor help with secrets—without ever seeing the values. Includes a Claude Code Skill.

Every Framework

Next.js, Vite, Expo, Remix, Cloudflare Workers, Kubernetes—route NEXT_PUBLIC_* to frontend, server secrets to API.

Encrypted in Git

Commit .env.encrypted files safely. SOPS + age encryption your security team will approve. Single source of truth.

Multiple Formats

Output to dotenv, Wrangler .dev.vars, JSON, YAML, or shell exports. Each package gets secrets in the format it needs.

Quick Example

Terminal window
# Initialize configuration
npx hush init
# Encrypt your .env files
npx hush encrypt
# Decrypt for development
npx hush decrypt
# Decrypt for production
npx hush decrypt -e production
# Push to Cloudflare Workers
npx hush push

The Problem

In a monorepo, you have multiple packages that each need different subsets of environment variables:

  • Your Expo app needs EXPO_PUBLIC_* variables
  • Your Next.js web app needs NEXT_PUBLIC_* variables
  • Your Cloudflare Worker needs API keys but not public variables
  • Your root needs everything for local development

Copying .env files manually is error-prone. Committing unencrypted secrets is a security risk.

The Solution

Hush gives you a single encrypted source of truth that automatically distributes the right secrets to the right places:

hush.yaml
sources:
  shared: .env
  development: .env.development
  production: .env.production
targets:
  - name: app
    path: ./app
    format: dotenv
    include:
      - EXPO_PUBLIC_*
  - name: api
    path: ./api
    format: wrangler
    exclude:
      - EXPO_PUBLIC_*

One command. All packages. Correct secrets.
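
To check a routing config like the hush.yaml above before secrets are written out, the following added example (not Hush's own code) computes which variable names each target would receive and flags any non-public name that lands in a client-bundled target. It assumes a variable reaches a target when it matches any include pattern (or the target has no include list) and no exclude pattern; the function names and sample variable names are hypothetical.

```javascript
// Added illustration; not Hush's implementation. Assumed semantics: a variable
// reaches a target when it matches any include pattern (or the target has no
// include list) and matches no exclude pattern. '*' matches any run of characters.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

function matchesAny(name, patterns) {
  return patterns.some((p) => globToRegExp(p).test(name));
}

// Returns { targetName: [variable names that target would receive] }.
function routeVariables(names, targets) {
  const routed = {};
  for (const t of targets) {
    routed[t.name] = names.filter((n) =>
      (!t.include || matchesAny(n, t.include)) &&
      !(t.exclude && matchesAny(n, t.exclude)));
  }
  return routed;
}

// Flags variables that land in a client-bundled target without a public prefix.
function findClientLeaks(routed, clientTargets, publicPatterns) {
  const leaks = [];
  for (const target of clientTargets) {
    for (const name of routed[target] || []) {
      if (!matchesAny(name, publicPatterns)) leaks.push({ target, name });
    }
  }
  return leaks;
}

// Targets mirror the hush.yaml above; variable names are constructed samples.
const targets = [
  { name: 'app', include: ['EXPO_PUBLIC_*'] },
  { name: 'api', exclude: ['EXPO_PUBLIC_*'] },
];
const names = ['EXPO_PUBLIC_API_URL', 'DATABASE_URL', 'STRIPE_SECRET_KEY'];

const routed = routeVariables(names, targets);
const leaks = findClientLeaks(routed, ['app'], ['EXPO_PUBLIC_*']);
// A misconfigured client target with no include list receives every variable.
const loose = routeVariables(names, [{ name: 'app' }]);
const looseLeaks = findClientLeaks(loose, ['app'], ['EXPO_PUBLIC_*']);
console.log(routed, leaks, looseLeaks);
```

Run as a CI step, a non-empty leak list is the signal to fail the build before a client bundle is produced.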