A secure local secrets manager with TUI interface and SDK support.
Lazy-Locker replaces plain-text .env files with encrypted local storage, providing seamless integration with Python and JavaScript/TypeScript projects.
- π AES-256-GCM encryption for all secrets at rest
- π Argon2id key derivation for secure passphrase-based encryption
- π₯οΈ Terminal UI (TUI) for easy secret management
- π Python SDK - drop-in replacement for
python-dotenv - π¦ JavaScript/TypeScript SDK - drop-in replacement for
dotenv - β° Expiration dates for time-limited secrets
- π Usage tracking - see which files use your secrets
- π Clipboard support - copy secrets with one keypress
- π€ Agent-based architecture - no passphrase needed after initial unlock
# Clone and build
git clone https://github.com/WillIsback/lazy-locker.git
cd lazy-locker
cargo build --release
# Install globally
sudo cp target/release/lazy-locker /usr/local/bin/# Start Lazy-Locker and create your passphrase
lazy-lockerPress a to add your first secret, then use it in your code:
Python:
from lazy_locker import inject_secrets
inject_secrets()
import os
api_key = os.environ["MY_API_KEY"]JavaScript/TypeScript:
import { injectSecrets } from 'lazy-locker';
await injectSecrets();
const apiKey = process.env.MY_API_KEY;Run your scripts normally - no wrapper needed!
python my_script.py
uv run my_script.py
bun run my_script.ts| Key | Action |
|---|---|
β/β |
Navigate secrets |
a |
Add new secret |
e |
Reveal/hide value |
y |
Copy to clipboard |
d |
Delete secret |
: |
Open command modal |
h |
Show help |
q |
Quit |
| Command | Description |
|---|---|
:env |
Generate .env file (plain text) |
:bash |
Export secrets to ~/.bashrc |
:zsh |
Export secrets to ~/.zshrc |
:fish |
Export secrets to fish config |
:json |
Export secrets as JSON |
:clear |
Remove exports from shell profiles |
lazy-locker # Open TUI
lazy-locker status # Check agent status
lazy-locker stop # Stop agent
lazy-locker run <cmd> # Run command with secrets injected
lazy-locker help # Show helpLazy-Locker includes a security analysis feature to scan your codebase for exposed secrets. This functionality is available as a standalone tool: token-analyzer.
# Install the analyzer
cargo install token-analyzer
# Analyze your project for exposed API keys
token-analyzer API_KEY ./my-project --thorough
# The analyzer detects:
# π΄ Hardcoded secrets in .env files
# π Secrets in docker-compose and config files
# π’ Logged/printed secrets in source codeSee the token-analyzer repository for more details.
Python:
pip install lazy-locker
# or: uv add lazy-lockerJavaScript/TypeScript:
npm install lazy-locker
# or: pnpm add lazy-locker
# or: bun add lazy-locker- Encryption: AES-256-GCM
- Key Derivation: Argon2id
- Memory Safety: Sensitive data zeroized after use
- No Plain Text: Secrets never written to disk unencrypted
See Security Documentation for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Built with Ratatui for the TUI
- Cryptography by RustCrypto
- Developed with assistance from Claude Opus 4.5 (Anthropic) - AI pair programming was used ethically to accelerate development while maintaining code quality and security best practices
William Derue (@WillIsback)
Made with β€οΈ and π¦