Automic VaultAutomic Vault

brew

Install envchain with Homebrew, Nix

Secure your credentials in environment variables. Version 1.1.0 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install envchain

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#envchain

nixpkgs package indexes · pkgs/by-name/en/envchain/package.nix · source: api.github.com

overview

Package summary

Secure your credentials in environment variables

Commands and aliases

  • envchain

history

Project history and usage

envchain is a security-focused CLI for storing secret environment variables in the macOS Keychain or a D-Bus Secret Service provider, then exposing them only for explicitly launched commands.

Project history

The README positions envchain as a response to the common practice of putting credentials such as AWS access keys in shell initialization files. Instead of writing those secrets to `.bashrc` or `.zshrc`, envchain stores them in a secure vault under namespaced entries.

The project supports macOS Keychain and Linux Secret Service backends such as GNOME Keyring and KeePassXC. Its documented platform requirements include macOS versions from the OS X era and Linux systems with readline, libsecret, and D-Bus Secret Service support.

Adoption history

envchain is a niche but established package-manager tool. Its README documents Homebrew installation, and Homebrew formula analytics showed hundreds of annual installs during this enrichment run. The input package facts also list Nix packaging.

How it is used

Users create a namespace with `envchain --set NAMESPACE ENV ...`, enter secret values interactively, and then run commands as `envchain namespace command`. The tool injects only the variables from the requested namespace into that child process.

Multiple namespaces can be combined, which supports workflows such as separating AWS credentials from chatbot or service credentials while still composing them for a particular command.

Why package nerds care

envchain is part of a family of small Unix secret-handling wrappers that try to make environment variables less dangerous without changing the tools that consume them. Its package value is in bridging native desktop secret stores with ordinary CLI workflows.

Timeline

  • 2010s: envchain documents OS X Keychain support and later Linux Secret Service support.
  • 2010s: Homebrew installation is documented in the upstream README.
  • 2020s: The tool remains packaged as a small credential wrapper for macOS and Linux.

Related projects

  • envchain relates to macOS Keychain, GNOME Keyring, KeePassXC, libsecret, and the D-Bus Secret Service specification.
  • It overlaps with dotenv-style workflows, but stores values in platform secret stores rather than in project files.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 10 platform targets.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
envchaincliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.1.0
manager updated
local dataok
upstreamcurrent
latest detectedv1.1.0

https://github.com/sorah/envchain

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:envchain
Version1.1.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/envchain
Homepagehttps://github.com/sorah/envchain
Repositoryhttps://github.com/sorah/envchain
Upstream docshttps://github.com/sorah/envchain#readme
LicenseMIT
Source archivehttps://github.com/sorah/envchain/archive/refs/tags/v1.1.0.tar.gz
Bottleavailable (on arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, monterey, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameenvchain
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

envchain

nix profile install nixpkgs#envchain
  • normalized package name match
  • Matched by: Envchain
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/en/envchain/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment