Encrypt
Secrets are encrypted with AES-256-GCM before they leave your machine. The registry only ever stores opaque ciphertext; keys stay with you.
How encryption worksEnvo packages secrets, agent skills, and runtime config into a portable encrypted pack. One command on any machine gets a working agent: secrets decrypted, skills on disk, doctor-verified.
Works with
Coding agents are only useful after secrets are present, skills are installed, and the runtime is configured. Envo makes that one command, not the first hour.
With Envo
Push secrets, skills, and runtime config once. On any machine, envo up pulls the pack, decrypts it locally, runs doctor, and launches the agent.
Without Envo
Copy keys, patch config files, remember which tool needs which token, and hope the next machine matches the last one.
The product starts where agents actually fail: the machine they wake up on.
Set secrets, add skills, and push once from your machine. Then on any laptop, container, or CI box, one envo up pulls the pack, decrypts it locally, runs doctor, and launches your agent with the environment injected.
See the quickstart1
command from fresh box to running agent
0
plaintext secrets ever seen by the server
256
bit AES-GCM encryption, client-side
The parts that usually make agents stall before they start.
Secrets are encrypted with AES-256-GCM before they leave your machine. The registry only ever stores opaque ciphertext; keys stay with you.
How encryption worksPush the pack once, pull it anywhere. Secrets, skills, and runtime config move together, with version history.
See the golden pathOne envo up on any machine, container, or CI box pulls, decrypts, verifies, and launches your agent with the env injected.
Run an agentAgent tokens are pull-only, per-environment, expiring, and revocable. Made for headless agents; no browser auth dance.
Review tokensEnvo turns setup into a command your team can run, review, and repeat.
Secrets, agent skills, and runtime config travel together in one encrypted pack. Push from your machine, pull anywhere, with version history.
$ envo secrets set OPENAI_API_KEY $ envo skills add ./my-skill $ envo push ✓ pack v3 pushed (encrypted)
Machines give agents somewhere to run. Envo gives that place the secrets, skills, and checks required to do useful work.
Laptop
local shell
CI runner
ENVO_TOKEN
Sandbox
edge endpoint
$ ENVO_TOKEN=... envo up myproject/prod --run "codex"
✓ pulled pack v12, decrypted locally
✓ 12 secrets · 2 skills · doctor passed
✓ codex started with env injected
Free on your own machines. Pay when you want the pack everywhere.
$0
Local-only CLI. Everything you need on your own machines.
$10/mo
Hosted encrypted sync. Push from one machine, pull from anywhere.
$5+ prepaid
Deploy environments as hosted sandbox endpoints, pay as you go.
“The boring part of running agents is wiring up the machine first. Envo turns that into one command instead of a setup scavenger hunt.”
Why we built Envo
Get started
Install the CLI, set a secret, add a skill, push. Any machine with a token can run your agent from there.
curl -fsSL https://envo.sh/install | shStart freeSet a secret, add a skill, push. Your environment is now portable and encrypted.
Read moreenvo skills add packages skills for Claude Code, Codex, Hermes, or OpenCode next to your secrets.
Read moreGive any machine, container, or CI box a scoped token and one envo up gets a working agent.
Read moreSet a secret, add a skill, push. Then run envo up anywhere and see exactly what your agent has before it starts.
curl -fsSL https://envo.sh/install | sh