Environments & Secrets
lpm env manages encrypted environment variables for your project. Free accounts get an unconditional local vault backed by the OS keychain. Pro and Org accounts unlock cloud sync to lpm.dev, dashboard access from any device, push to deployment platforms (Vercel, Netlify, Railway, Fly, AWS, GitHub Actions, Coolify), and OIDC-based decrypt in CI — all end-to-end encrypted, never in plaintext on the server.
```bash
lpm env set DATABASE_URL=postgres://...   # write to the local vault
lpm env list                              # read (values masked)
lpm env push                              # encrypt + sync to lpm.dev (Pro/Org)
lpm env pull --oidc --env=production      # decrypt in CI without secrets
```
What you get per plan
| Capability | Free | Pro | Org |
|---|---|---|---|
| Local OS-keychain vault | ✓ | ✓ | ✓ |
| Per-environment scoping (`--env=staging`) | ✓ | ✓ | ✓ |
| Import / export `.env` files | ✓ | ✓ | ✓ |
| Schema validation (`envSchema` in `lpm.json`) | ✓ | ✓ | ✓ |
| Cloud sync to lpm.dev (`push` / `pull`) | — | ✓ | ✓ |
| Dashboard access (`lpm env pair`) | — | ✓ | ✓ |
| Platform push (Vercel, Netlify, Railway, …) | — | ✓ | ✓ |
| OIDC decrypt in CI (`pull --oidc`) | — | ✓ | ✓ |
| Org sharing (team members decrypt) | — | — | ✓ |
| Per-vault audit log | — | ✓ | ✓ |
The local vault works without an account. Cloud-backed features check your plan server-side — a free account that calls `lpm env push` gets a `403 Vault sync requires a Pro or Org plan` response, with no surprise charges.
Two parts: CLI + dashboard
- CLI (`lpm env`). Day-to-day reads/writes, sync, CI integration. Lives in your terminal next to the project.
- Dashboard. Browser UI for the same vaults — runs an end-to-end encrypted pairing flow so the server still never sees plaintext. Useful for teammates who want a UI, or for cross-checking what synced.
Both surfaces read the same encrypted blob. The CLI is the source of truth; the dashboard is a paired client.
How it stays end-to-end encrypted
The lpm.dev server never sees a plaintext secret. Every secret value is encrypted on your machine with a per-vault AES-256 key, and that AES key is itself wrapped with a per-machine wrapping key that lives only in your OS keychain. The server stores encrypted blob + wrapped key and can't read either:
```text
DATABASE_URL=...
       │
       ▼ AES-256-GCM
[encrypted blob] ─────┐
                      ├──→ POST /api/vaults/{id}/sync
[per-vault AES key] ──┤
       │              │
       ▼ wrapped with │
[your wrapping key]   │   server stores both, decrypts neither
 (OS keychain,        │
  never leaves)       │
```
Org sharing extends the same model with X25519 ECIES: every member has a personal keypair, the vault's AES key is wrapped once per member, and a remove-then-rotate flow is what actually revokes access.
For the full crypto and storage walkthrough — wrapping-key migration, response signing (HMAC-SHA256), conflict detection, CI escrow — see Cloud Sync and Org Sharing.
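An added illustration of that envelope, written for this page rather than taken from lpm's code: a 32-byte key stands in for the OS-keychain wrapping key, the secret is sealed under the per-vault key with AES-256-GCM, the vault key is wrapped under the wrapping key, and only the two ciphertexts make up the payload the server stores. Binding the blob to the variable name via GCM associated data is this example's choice, not something the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key [32]byte // AES-256 key; the fixed size means neither GCM constructor below can fail
func aead(k Key) cipher.AEAD {
	block, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(block)
	return g
}
// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(k Key, pt, aad []byte) ([]byte, error) {
	g := aead(k)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}
// open reverses seal; a wrong key, an edited blob or a different aad fails the tag check.
func open(k Key, sealed, aad []byte) ([]byte, error) {
	g := aead(k)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}
// EncryptForSync is the push side: the value is sealed under the per-vault key (AAD = variable
// name, this example's choice) and that key is wrapped under the machine's wrapping key.
func EncryptForSync(wrappingKey, vaultKey Key, name, value string) (blob, wrapped []byte, err error) {
	if blob, err = seal(vaultKey, []byte(value), []byte(name)); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(wrappingKey, vaultKey[:], []byte("vault-key"))
	return blob, wrapped, err
}
// DecryptFromSync is the pull side on a machine holding the wrapping key: unwrap, then open.
func DecryptFromSync(wrappingKey Key, blob, wrapped []byte, name string) (string, error) {
	raw, err := open(wrappingKey, wrapped, []byte("vault-key"))
	if err != nil || len(raw) != len(Key{}) {
		return "", errors.New("unwrap failed: wrong wrapping key or damaged payload")
	}
	pt, err := open(Key(raw), blob, []byte(name))
	return string(pt), err
}
```

Holding `blob` and `wrapped` without the wrapping key yields nothing, which is exactly the server's position; a second machine with a different wrapping key fails at the unwrap step rather than producing garbage.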
Where to go next
- Local Secrets — set/get/list/import/export against the local vault
- Per-Environment Scoping — separate `staging`, `production`, etc.
- Cloud Sync — `push`/`pull` architecture, conflict handling, key rotation
- Dashboard Pairing — unlock the browser UI from a paired machine
- Org Sharing — share a vault across team members end-to-end
- Platform Integrations — push the vault to Vercel, Netlify, Railway, Fly, AWS SSM, AWS Secrets Manager, GitHub Actions secrets, Coolify, or a generic webhook
- OIDC for CI — let CI pull secrets without a long-lived token
For the full lpm env flag reference, see CLI Commands. The architectural deep-dive (keys, wire format, threat model) lives at cli.lpm.dev/docs/infra/secrets-vault.