Getting Started
Welcome to EnvCat! This guide will help you get up and running with local-first secrets management in under 15 minutes.
What You'll Learn
- Installation: Set up EnvCat using Docker Compose
- First Run: Create your first bundle and request secrets
- Core Concepts: Understand bundles, device-approval flow, and encryption
- Basic Usage: Use EnvCat in your daily workflow
Prerequisites
Before you begin, make sure you have:
- Docker & Docker Compose (v2.0+)
- Install Docker Desktop (includes Compose)
- Or install Docker Engine + Compose plugin separately
- Operating System: Linux or macOS (Windows support coming soon)
- Terminal: Basic command-line familiarity
- Optional: Go 1.21+ (to build CLI from source)
System Requirements:
- 2GB RAM minimum (4GB recommended)
- 1GB free disk space
- Ports 8888 and 8889 available (configurable)
Quick Navigation
- Installation - Docker Compose setup and verification
- First Run - Create your first bundle and request secrets
Architecture at a Glance
EnvCat consists of four services running via Docker Compose:
┌──────────────────────────────────────────────────┐
│ Your Machine (Docker Network: constants) │
│ │
│ ┌─────────┐ ┌────────┐ ┌──────┐ ┌────────┐ │
│ │ Redis │ │ API │ │ Web │ │ Docs │ │
│ │ :6379 │ │ :8080 │ │:8888 │ │ :8889 │ │
│ └────┬────┘ └───┬────┘ └───┬──┘ └────────┘ │
│ │ │ │ │
│ Ephemeral Bundles Approval │
│ Requests (SQLite) UI │
└──────────────────────────────────────────────────┘
▲ ▲
│ │
CLI requests Browser approves
(Go binary) (http://localhost:8888)
Ports:
- 8888: Web UI (bundle management and approvals) - Public
- 8889: Documentation site (this site!) - Public
- 8080: API (Flask backend) - Internal only (not exposed to host)
- 6379: Redis (ephemeral storage) - Internal only
Data Storage:
- Redis: Ephemeral approval state (5-minute TTL)
- SQLite: Bundle storage (
api/data/app.db) - No cloud: Everything runs locally
Installation Paths
Choose your installation method:
Option A: Quick Start (Recommended)
Best for: First-time users who want to try EnvCat quickly.
git clone https://github.com/check-the-vibe/envcat
cd EnvCat
docker compose up -d --build
Option B: Development Setup
Best for: Developers who want to modify or contribute to EnvCat.
git clone https://github.com/check-the-vibe/envcat
cd EnvCat
# Start services in dev mode
docker compose up --build
# In another terminal, build CLI
cd cli
go build -o envcat ./cmd/constants
→ See internal docs/DEVELOPMENT.md for development setup
What's Next?
After installation, you'll:
- Verify installation - Check that all services are healthy
- Seed example bundle - Create sample data to test with
- Build CLI - Compile the Go binary
- Request your first secret - Experience the device-approval flow
- Use secrets in your shell - Inject variables or write .env files
→ Start here: Installation Guide
Core Concepts
Before diving in, understand these key concepts:
Bundles
Named sets of environment variables, like:
dev/myproject- Development environment for "myproject"prod/api- Production API credentialsclient-acme- Client-specific secrets for ACME Corp
Example:
Bundle: dev/myproject
├── API_KEY=sk_test_123...
├── DB_URL=postgres://localhost:5432/dev
└── STRIPE_KEY=sk_test_456...
Device-Approval Flow
OAuth-style approval flow for requesting secrets:
- CLI initiates request → Generates ephemeral keypair, shows QR/URL
- User approves in browser → Selects bundle + keys to send
- Server encrypts to CLI → End-to-end encryption (sealed box)
- CLI decrypts locally → Outputs shell-safe exports
Why? No copy-paste, no long-lived tokens, ephemeral security.
Encryption Layers
Two layers of encryption:
-
At-rest encryption: Bundle values encrypted in SQLite (libsodium secretbox)
- Encrypted with server-side key (
BUNDLE_KMS_KEY) - Server can decrypt to re-encrypt for CLI
- Encrypted with server-side key (
-
End-to-end encryption: Secrets encrypted to CLI public key (sealed boxes)
- Only the CLI can decrypt
- Server never sees plaintext in this flow
→ Learn more: Security Model
Need Help?
- Troubleshooting Guide - Common issues and solutions
- GitHub Issues - Report bugs
- GitHub Discussions - Ask questions
Community
EnvCat is free and open-source (MIT license).
- ⭐ Star us on GitHub: Support the project
- 🐛 Report issues: Help us improve
- 💡 Request features: Share your ideas
- 🔧 Contribute: Pull requests welcome
Ready to start? → Installation Guide