Encrypted .env management for small teams. Git-friendly, uses age for encryption, and ships as a 2MB static Rust binary. No SaaS server, no API key, no monthly fee — your secrets stay on your machines and in your repo, encrypted the right way.
// init a new pith vault with your ssh key
$ pith init --recipients kasia,paulo,june
› vault created at .pith/
› 3 recipients added

// push an env to the vault
$ pith push prod
› encrypting 14 vars
› ok · .pith/prod.age

// pull on another machine
$ pith pull prod
› ok · wrote .env (14 vars)
age: modern, auditable encryption by Filippo Valsorda. Small ciphertext, no weird crypto choices, easy to reason about.
Your team already has SSH keys. Reuse them. pith add @github/kasia fetches their public key and adds them as a recipient.
Encrypted .age files commit cleanly. Diffs are binary but changes are tracked. No "secrets pipeline" required.
One vault, N environments. pith pull staging vs. pith pull prod. Permissions per env — not everyone gets prod.
pith exec prod -- npm start loads vars into the subshell without writing them to disk. Great for CI.
Rust, musl-linked. One binary. No runtime. Paste into your Dockerfile's FROM scratch without a second thought.
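The pattern behind `pith exec`, as an added example that is not pith's own code: a POSIX shell function that takes decrypted KEY=VALUE lines on stdin and exposes them only to the child process, never to a file or to argv. `run_with_env`, the `DEMO_*` names and the sample input are constructed here, and that a vault decrypts to plain dotenv text is an assumption.

```sh
# Added example, not pith's code. Assumes decrypted vault content is dotenv text.
# run_with_env CMD...: read KEY=VALUE lines on stdin, run CMD with them set.
run_with_env() {
  (
    # Subshell: the exports vanish with it; the calling shell never holds them.
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
      key=${line%%=*}                                # text before the first '='
      value=${line#*=}                               # text after the first '='
      case "$line" in *=*) ;; *) key='' ;; esac      # no '=' at all: reject
      case "$key" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
          echo "run_with_env: skipped malformed line" >&2   # never echo values
          continue ;;
      esac
      # Strip one pair of surrounding quotes, as .env files commonly carry.
      case "$value" in
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
      esac
      export "$key=$value"
    done
    # export, not `env K=V cmd`: argv shows up in ps for other local users,
    # while /proc/<pid>/environ on Linux is readable by the owner only.
    exec "$@" </dev/null
  )
}

# Constructed sample standing in for decrypted vault output.
SAMPLE_ENV='# constructed sample
DEMO_DATABASE_URL="postgres://app:s3cr3t@db.internal/app"
DEMO_API_TOKEN=abc=123
not a valid line'

# The child sees the variable; the demo prints only whether it is set.
printf '%s\n' "$SAMPLE_ENV" | run_with_env sh -c 'echo "token: ${DEMO_API_TOKEN:+set}"'
```

With the age CLI, `age -d -i <identity> <file> | run_with_env <cmd>` would feed it, provided the vault file is plain age-encrypted dotenv text, which the page does not document.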
Because your secrets are already in your repo — encrypted, reviewable, versioned. Adding a SaaS layer to that story adds a failure mode, a monthly bill, and an API key that itself needs to be managed somewhere. Pith is the boring alternative: a small tool that does one thing, doesn't phone home, and costs $19 once.
If you outgrow it — if you need SSO, audit logs, compliance reports, key-rotation workflows — move to Doppler or 1Password. Pith won't try to stop you. That's not what it's for.
Honor system. One $19 purchase per developer. We can't enforce it, we don't track it, we trust that people who read the word "per-seat" do the right thing.
sops is great — harder to onboard. Pith is for small teams who want git-committable encrypted envs without learning the AWS KMS story.
Yes, the single-seat license covers unlimited personal projects.
Exactly what was on the tin. No upsells, no tier gates, no "contact us for pricing" once I was in. Shipped in an afternoon and the docs were readable by a human.
I've bought half the catalogue at this point. The voice is consistent, the prices are honest, and the updates actually land. It's what indie shipping should look like.
Did what the page said it would do. Knocked off half a star because I wish there was a Windows native build — I'm on WSL and it works but feels like a workaround. Support replied to me in four hours.
I bought it at 11pm, downloaded it at 11:01pm, had it running at midnight. That's the whole review. Email went to a person who answered the next morning.
The amount of thought in the copy alone makes this worth the price. And that's before you get to the actual product. Rare to see this level of care at indie prices.
Swapped out my previous tool for this one last sprint. Fewer features, honestly — but the ones that are here are the ones I actually use. Don't miss the rest.