https://github.com/heycupola/relic

Manage and share secrets. Encrypted on your device, never exposed to anyone else.
https://github.com/heycupola/relic

cli encrypted gdpr-compliant project-management secret-manager secrets security tui typescript zero-knowledge

Last synced: 4 days ago
JSON representation

Manage and share secrets. Encrypted on your device, never exposed to anyone else.

• Host: GitHub
• URL: https://github.com/heycupola/relic
• Owner: heycupola
• License: mit
• Created: 2025-10-04T20:09:06.000Z (6 months ago)
• Default Branch: canary
• Last Pushed: 2026-03-24T15:50:16.000Z (12 days ago)
• Last Synced: 2026-03-25T14:19:27.213Z (11 days ago)
• Topics: cli, encrypted, gdpr-compliant, project-management, secret-manager, secrets, security, tui, typescript, zero-knowledge
• Language: TypeScript
• Homepage: https://relic.so
• Size: 29.8 MB
• Stars: 5
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

README

          


  

    

    

    

  





  End-to-end encrypted secret layer for developers.


  Secrets are encrypted on-device before reaching the server.





  

  

  





  



---

### What is Relic?

Relic is a CLI-first secret layer built for developers and teams.

- Secrets are encrypted on the client before leaving the device. The server stores only ciphertext.

- A Rust-based runner injects secrets at runtime without writing to disk.

- Share projects with teammates. Each person's secrets are encrypted with their own keys.

- Works in CI/CD. Use API keys to pull secrets in GitHub Actions, GitLab CI, or any pipeline.

### Install

```bash

curl -fsSL https://relic.so/install | bash

brew install heycupola/tap/relic

npm install -g relic

bun add -g relic

```

Or download a prebuilt binary from the [releases page](https://github.com/heycupola/relic/releases).

### Quick Start

```bash

relic login                                    # Authenticate via browser

relic init                                     # Initialize your project

relic                                          # Open the TUI and start managing secrets

relic run -e production -- npm run deploy      # Run with secrets injected

```

### How It Works

Relic encrypts and decrypts secrets on the client using AES-256 and Argon2id. The server only stores encrypted data.

When you run `relic run`, the CLI fetches encrypted secrets, decrypts them locally, and injects them into the target process through a Rust runner that clears memory after use. No secrets are written to disk.

Learn more in the [documentation](https://docs.relic.so).

### Contributing

If you're interested in contributing to Relic, please read our [contributing guide](./CONTRIBUTING.md) before submitting a pull request.

For security issues, email [can@relic.so](mailto:can@relic.so) directly. Do not open public issues.

---

[Website](https://relic.so) | [Documentation](https://docs.relic.so) | [Changelog](https://relic.so/changelog) | [X](https://x.com/icanvardar)