GitHub Repository

Store ENV in the macOS keychain, get them on demand

10 stars · Swift

Touchenv – store ENV master keys in macOS keychain

by tillcarlos · Mar 17, 2026 · 4 points · 2 comments

AI Analysis

Mid · Cozy · Niche Gem

Touch ID for ENV secrets is clever, but dotenvx and 1Password CLI already solve this.

Strengths

  • Single Swift file is auditable - no blind installs for keychain-accessing tools
  • One fingerprint prompt unlocks all secrets for a deployment command batch
  • Replaces plaintext .env files with keychain references that LLMs cannot read

Weaknesses

  • macOS only - excludes Linux CI pipelines and Windows development environments
  • Very narrow scope - really just solves Rails encrypted credentials master key storage

Target Audience

Rails developers deploying from local macOS machines

Similar To

dotenvx · 1Password CLI · git-crypt

Post Description

Hey HN

I am used to storing my secrets in Rails 8 fashion, in so-called encrypted credentials, committed to git.

The problem became: where to store the RAILS_MASTER_KEY securely?

Many people use 1Password CLI, which can pull the keys out, but I didn't want to start using 1Password.

Touchenv is a quick repo I spun up, which works surprisingly well.

e.g. deploying from localhost:

- pnpm stagedeploy.
- starts touchenv exec .env -- kamal deploy.
- Touch ID prompt comes up. I have to confirm it with my fingerprint.
- Deploy runs.

My next step is to make a similar thing for my CI, or just use the KWS from AWS. I'll look into that soon.

Any feedback is appreciated.
