SecureFlow is a lightweight, cross-platform CLI tool for securely encrypting and decrypting sensitive files using AES-256 encryption. Built with Go, it provides a simple, reliable way to manage secrets in your projects and CI/CD pipelines.
Perfect for: Environment variables, keystores, SSL certificates, service credentials, API keys, database passwords, and any sensitive configuration files.
- π Strong Security: AES-256-CBC encryption with PBKDF2 key derivation (OpenSSL-compatible)
- π Fast & Lightweight: Single binary, no dependencies, instant startup
- π Cross-Platform: Works on Linux, macOS, and Windows
- π€ CI/CD Ready: Non-interactive mode designed for automation
- π Configuration-Based: Simple YAML config for managing multiple files
- π§ͺ Safe Testing: Test decryption without overwriting existing files
- π Detailed Reports: Track what's encrypted, when, and metadata
- πͺ Production-Ready: Battle-tested, reliable error handling
- Quick Start
- Installation
- Usage
- Configuration
- CI/CD Integration
- Documentation
- Security
- Common Use Cases
- Contributing
# 1. Install SecureFlow (Linux/macOS)
curl -sSL https://raw.githubusercontent.com/MayR-Labs/secureflow-go/main/install.sh | bash
# 2. Initialize configuration
cd your-project
secureflow init
# 3. Edit secureflow.yaml to list your sensitive files
vim secureflow.yaml
# 4. Encrypt your files
secureflow encrypt
# 5. Commit encrypted files to git
git add enc_keys/ secureflow.yaml
git commit -m "Add encrypted secrets"
# 6. Add originals to .gitignore
echo ".env.prod" >> .gitignoreThat's it! Your secrets are now encrypted and safe to commit. Your team can decrypt them with:
secureflow decryptThe easiest way to install SecureFlow:
curl -sSL https://raw.githubusercontent.com/MayR-Labs/secureflow-go/main/install.sh | bashOr with wget:
wget -qO- https://raw.githubusercontent.com/MayR-Labs/secureflow-go/main/install.sh | bashDownload the appropriate binary for your OS from the Releases page.
Linux (AMD64):
wget https://github.com/MayR-Labs/secureflow-go/releases/latest/download/secureflow-linux-amd64
chmod +x secureflow-linux-amd64
sudo mv secureflow-linux-amd64 /usr/local/bin/secureflowmacOS (Intel):
wget https://github.com/MayR-Labs/secureflow-go/releases/latest/download/secureflow-darwin-amd64
chmod +x secureflow-darwin-amd64
sudo mv secureflow-darwin-amd64 /usr/local/bin/secureflowmacOS (Apple Silicon):
wget https://github.com/MayR-Labs/secureflow-go/releases/latest/download/secureflow-darwin-arm64
chmod +x secureflow-darwin-arm64
sudo mv secureflow-darwin-arm64 /usr/local/bin/secureflowWindows:
Download secureflow-windows-amd64.exe from the Releases page and add it to your PATH.
git clone https://github.com/MayR-Labs/secureflow-go.git
cd secureflow-go
go build -o secureflow
sudo mv secureflow /usr/local/bin/SecureFlow provides a convenient install-local command that sets up a portable installation without requiring system-wide installation. This is perfect for CI/CD pipelines where you can't or don't want to install binaries globally.
# Run this once to set up local installation
secureflow install-localThis command will:
- Download platform-specific executables (Linux, macOS, Windows) to
.secureflow/directory - Create a
secureflow.shlauncher script in the current directory - The launcher automatically detects your platform and runs the correct executable
Usage in CI/CD:
# In your CI/CD pipeline
./secureflow.sh decrypt --password "$SECUREFLOW_PASSWORD" --non-interactive
./secureflow.sh encrypt --password "$SECUREFLOW_PASSWORD" --non-interactiveBenefits:
- β No system installation required
- β Works across different platforms automatically
- β
Portable - commit
.secureflow/andsecureflow.shto your repo - β Perfect for CI/CD environments with restricted permissions
Example: Using in GitHub Actions
Option A: Install during CI/CD run
steps:
- uses: actions/checkout@v3
- name: Setup SecureFlow locally
run: |
wget https://github.com/MayR-Labs/secureflow-go/releases/latest/download/secureflow-linux-amd64
chmod +x secureflow-linux-amd64
./secureflow-linux-amd64 install-local
- name: Decrypt secrets
run: ./secureflow.sh decrypt --password "${{ secrets.SECUREFLOW_PASSWORD }}" --non-interactiveOption B: Commit installation to repo (no CI/CD setup needed)
# Run locally once
secureflow install-local
git add .secureflow/ secureflow.sh
git commit -m "Add portable SecureFlow"Then your CI/CD workflow is simply:
steps:
- uses: actions/checkout@v3
- name: Decrypt secrets
run: ./secureflow.sh decrypt --password "${{ secrets.SECUREFLOW_PASSWORD }}" --non-interactivesecureflow --versionCreate a default secureflow.yaml configuration file:
secureflow initUse a project template for quick setup:
# Interactive template selection
secureflow init
# Or specify a template directly
secureflow init --template flutter
secureflow init --template reactnative
secureflow init --template web
secureflow init --template docker
secureflow init --template k8s
secureflow init --template microservicesAvailable templates:
default- React Native/Mobile app with Android/iOS filesreactnative- React Native specific configurationflutter- Flutter mobile app configurationweb- Web application with multiple environmentsdocker- Docker deployment configurationk8s- Kubernetes secrets configurationmicroservices- Microservices architecture with multiple services
All templates include copy_to: .env for .env.prod files to automatically create .env after decryption.
This generates a configuration file like:
# secureflow.yaml (Flutter template example)
output_dir: enc_keys
test_output_dir: test_dec_keys
files:
- input: .env.prod
output: .env.prod.encrypted
copy_to: .env
- input: android/app/keystore.jks
output: keystore.jks.encryptedEdit this file to match your project's sensitive files.
Interactive mode (prompts for password and optional hint):
secureflow encryptNon-interactive mode (for scripts and CI/CD):
secureflow encrypt --password "your_password" --non-interactiveCustom config file:
secureflow encrypt --config ./path/to/custom-config.yamlAll encrypted files are saved to enc_keys/ (or your configured output_dir).
Interactive mode:
secureflow decryptNon-interactive mode (for CI/CD):
secureflow decrypt --password "$ENCRYPTION_PASSWORD" --non-interactiveCustom config file:
secureflow decrypt --config ./custom-config.yamlTest decryption without overwriting existing files (decrypts to test_dec_keys/):
secureflow testOr non-interactively:
secureflow test --password "your_password" --non-interactivesecureflow --help
secureflow init --help
secureflow encrypt --help
secureflow decrypt --help
secureflow test --help
secureflow install-local --helpSecureFlow uses a YAML configuration file (secureflow.yaml) to define which files to encrypt/decrypt.
output_dir: enc_keys # Where encrypted files are stored
test_output_dir: test_dec_keys # Where test decryption outputs go
files:
- input: .env.production # Source file (relative to project root)
output: .env.production.encrypted # Encrypted filename
copy_to: .env # (Optional) Copy decrypted file to this path
- input: config/database.yml
output: database.yml.encrypted
- input: ssl/private.key
output: ssl-private.key.encryptedoutput_dir: Directory for encrypted files (committed to git)test_output_dir: Directory for test decryption (added to .gitignore)files: Array of file entriesinput: Path to source file (relative to project root)output: Encrypted filename (just filename, not path)copy_to: (Optional) Copy decrypted file to this path - useful when apps expect.envbut you store.env.prod
When decrypting files, SecureFlow can automatically copy the decrypted file to another location. This is particularly useful for environment files where your application expects .env but you store .env.prod or .env.production:
files:
- input: .env.prod
output: .env.prod.encrypted
copy_to: .env # Automatically creates .env from .env.prod after decryptionAfter decryption, both .env.prod and .env will exist with identical content.
See the Configuration Guide for detailed examples including:
- Mobile apps (Flutter, React Native)
- Web applications
- Microservices
- Docker deployments
- Kubernetes secrets
- Multi-environment setups
Quick example configs:
SecureFlow is designed to work seamlessly in CI/CD pipelines with its non-interactive mode.
The easiest approach for CI/CD is to use install-local which creates a portable installation.
Approach A: Download and install during each CI/CD run
name: Deploy
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# Download and setup SecureFlow (no sudo required)
- name: Setup SecureFlow
run: |
wget https://github.com/MayR-Labs/secureflow-go/releases/latest/download/secureflow-linux-amd64
chmod +x secureflow-linux-amd64
./secureflow-linux-amd64 install-local
# Use the launcher script
- name: Decrypt secrets
run: |
./secureflow.sh decrypt --password "${{ secrets.SECUREFLOW_PASSWORD }}" --non-interactive
# Build and deploy
- name: Build & Deploy
run: |
npm run build
./deploy.shApproach B: Commit the local installation to your repo (Recommended for simplicity)
Run secureflow install-local once locally, then commit the files:
# Run locally (one-time setup)
secureflow install-local
git add .secureflow/ secureflow.sh
git commit -m "Add portable SecureFlow installation"
git pushYour CI/CD workflow becomes very simple (no installation step needed):
name: Deploy
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# No installation needed - files are already in the repo!
- name: Decrypt secrets
run: |
./secureflow.sh decrypt --password "${{ secrets.SECUREFLOW_PASSWORD }}" --non-interactive
# Build and deploy
- name: Build & Deploy
run: |
npm run build
./deploy.shname: Deploy
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# Install SecureFlow globally
- name: Install SecureFlow
run: |
wget https://github.com/MayR-Labs/secureflow-go/releases/latest/download/secureflow-linux-amd64
chmod +x secureflow-linux-amd64
sudo mv secureflow-linux-amd64 /usr/local/bin/secureflow
# Decrypt secrets
- name: Decrypt secrets
run: |
secureflow decrypt --password "${{ secrets.SECUREFLOW_PASSWORD }}" --non-interactive
# Build and deploy
- name: Build & Deploy
run: |
npm run build
./deploy.shSecureFlow works with all major CI/CD platforms:
- GitHub Actions β
- GitLab CI β
- Bitbucket Pipelines β
- Jenkins β
- CircleCI β
- Azure Pipelines β
- Travis CI β
- Any CI/CD platform that can run shell commands β
See our comprehensive CI/CD Usage Guide for:
- Platform-specific setup instructions
- Best practices for secrets management
- Multi-environment configurations
- Caching strategies
- Security considerations
- Troubleshooting CI/CD issues
Comprehensive documentation is available in the docs/ directory:
- Configuration Guide - Detailed configuration options, examples, and best practices
- CI/CD Usage Guide - Complete guide for integrating SecureFlow into your CI/CD pipelines
- Security Guide - Security best practices, encryption details, and compliance considerations
- Troubleshooting - Common issues, solutions, and debugging tips
- Examples Directory - Practical usage examples and sample configurations
- Usage Examples - Real-world usage scenarios
- Sample Configs - Configuration templates for different project types
- Algorithm: AES-256-CBC (Advanced Encryption Standard, 256-bit)
- Key Derivation: PBKDF2 with SHA-256
- Format: OpenSSL-compatible (Salted__ header + 8-byte salt + encrypted data)
- Compatibility: Files can be encrypted/decrypted with OpenSSL
- Passwords are never stored or logged
- Strong encryption (AES-256-CBC) with proper key derivation (PBKDF2)
- OpenSSL compatible - industry-standard format
- Non-interactive mode for secure CI/CD integration
- Clean password handling - passwords cleared from memory after use
β DO:
- Use strong passwords (16+ characters, mixed case, numbers, symbols)
- Store passwords in password managers
- Rotate passwords periodically (every 3-6 months)
- Use different passwords for different environments
- Keep plaintext secrets in
.gitignore - Commit only encrypted files to version control
β DON'T:
- Commit plaintext secrets to git
- Share passwords via email or Slack
- Reuse passwords across projects
- Log or print passwords
- Store passwords in code or config files
For comprehensive security guidance, see our Security Guide.
Each encryption run generates a report.txt in your output directory with detailed metadata:
Encryption Report
=================
Note: Encrypted secrets for CI/CD
Password Hint: For the wise only
Created at: 2025-10-24
=================
File: .env.prod
Encrypted As: .env.prod.encrypted
Size (bytes): 348
Lines: 17
Last Modified: 2025-10-22 11:24:09
----------------------------------------
This helps you track:
- What files are encrypted
- When they were encrypted
- Password hints for team reference
- File sizes and metadata
Decrypt secrets when setting up a new project:
# Clone project
git clone https://github.com/yourorg/your-project.git
cd your-project
# Install SecureFlow
curl -sSL https://raw.githubusercontent.com/MayR-Labs/secureflow-go/main/install.sh | bash
# Decrypt secrets (get password from team)
secureflow decryptOption 1: Using install-local (recommended)
# One-time setup
secureflow install-local
# In your CI/CD pipeline
./secureflow.sh decrypt --password ${{ secrets.SECUREFLOW_PASSWORD }} --non-interactiveOption 2: Global installation
- name: Decrypt secrets
run: secureflow decrypt --password ${{ secrets.SECUREFLOW_PASSWORD }} --non-interactiveFor teams that want a fully portable solution, commit the local installation to your repo:
# One-time setup in your repository
secureflow install-local
git add .secureflow/ secureflow.sh
git commit -m "Add portable SecureFlow installation"
# Your CI/CD config becomes very simple:
# - name: Decrypt secrets
# run: ./secureflow.sh decrypt --password "$PASSWORD" --non-interactiveThis approach:
- β No installation step needed in CI/CD
- β Works across all platforms automatically
- β Consistent versions across all environments
- β Faster CI/CD runs (no download/install time)
New team member joining:
- Install SecureFlow
- Clone repository
- Get decryption password from team lead (via secure channel)
- Run
secureflow decrypt - Start working!
Manage secrets across multiple environments:
# Production
secureflow encrypt --config secureflow.prod.yaml --password "$PROD_PASS"
# Staging
secureflow encrypt --config secureflow.staging.yaml --password "$STAGING_PASS"
# Development
secureflow encrypt --config secureflow.dev.yaml --password "$DEV_PASS"secureflow-go/
β
βββ cmd/ # CLI commands (Cobra)
β βββ root.go # Root command and global flags
β βββ encrypt.go # Encryption command
β βββ decrypt.go # Decryption command
β βββ test.go # Test decryption command
β βββ init.go # Initialize config command
β βββ install_local.go # Local installation command
β βββ secureflow.sh # Launcher script template
β
βββ internal/ # Internal packages
β βββ crypto/ # Encryption/decryption logic
β βββ config/ # Configuration handling
β βββ utils/ # Utilities (file ops, logging)
β
βββ docs/ # Comprehensive documentation
β βββ configuration.md # Configuration guide
β βββ cicd-usage.md # CI/CD integration guide
β βββ security.md # Security best practices
β βββ troubleshooting.md # Troubleshooting guide
β
βββ examples/ # Usage examples
β βββ README.md # Practical examples
β βββ configs.md # Sample configurations
β
βββ main.go # Application entry point
βββ install.sh # Installation script
βββ go.mod # Go module definition
βββ LICENSE # MIT License
βββ README.md # This file
SecureFlow provides clear, actionable error messages:
- Missing files β Warns and skips, continues with other files
- Wrong password β Clear error message with exit code 1
- Invalid YAML β Shows line number and syntax error
- Missing directories β Automatically creates them
- Interrupts (Ctrl+C) β Graceful exit with cleanup notice
go run main.go encrypt
go run main.go decrypt
go run main.go test
go run main.go initgo test ./...With verbose output:
go test ./... -vgo build -o secureflowCross-compile for different platforms:
# Linux AMD64
GOOS=linux GOARCH=amd64 go build -o secureflow-linux-amd64
# macOS Intel
GOOS=darwin GOARCH=amd64 go build -o secureflow-darwin-amd64
# macOS Apple Silicon
GOOS=darwin GOARCH=arm64 go build -o secureflow-darwin-arm64
# Windows
GOOS=windows GOARCH=amd64 go build -o secureflow-windows-amd64.exeFuture enhancements we're considering:
- Support for
.envkey filtering (only encrypt certain variables) - Optional GPG-based encryption backend
- Progress bars for large files
- Batch re-encryption command
- Integration with Flutter build runners
- Support for multiple encryption backends
- Vault/secret manager integration
- Shell completion scripts
Contributions are welcome! Here's how you can help:
- Fork the repository
- Create a feature branch:
git checkout -b feature/AmazingFeature - Make your changes
- Run tests:
go test ./... - Commit your changes:
git commit -m 'Add some AmazingFeature' - Push to the branch:
git push origin feature/AmazingFeature - Open a Pull Request
- Follow Go best practices and conventions
- Add tests for new features
- Update documentation as needed
- Keep commits focused and descriptive
- Ensure all tests pass before submitting PR
SecureFlow is licensed under the MIT License.
Copyright (c) 2025 MayR Labs
- GitHub Repository - Source code and issues
- Latest Releases - Download binaries
- Documentation - Comprehensive guides
- Examples - Practical usage examples
- MayR Labs - Our website
- Report Issues - Bug reports and feature requests
SecureFlow is built with these excellent libraries:
Special thanks to all contributors and users who help make SecureFlow better!
If you find SecureFlow useful, please consider giving us a star on GitHub! It helps others discover the project.
Made with β€οΈ by MayR Labs