Tene is a local-first, encrypted secret management CLI. It stores your API keys, tokens, and credentials in an encrypted SQLite vault on your device. No server, no signup, no cloud dependency.

How does Claude Code auto-detection work?

When you run tene init, it generates a CLAUDE.md file in your project root. Claude Code reads this file automatically and learns how to use tene to retrieve secrets.

Yes, Tene is 100% free and open source under the MIT license. There are no paid tiers, no usage limits, and no hidden costs.

How are my secrets encrypted?

Tene uses XChaCha20-Poly1305 encryption with 256-bit keys derived from your master password via Argon2id. Each secret gets a unique 192-bit nonce.

Does Tene work offline?

Tene is 100% offline. It makes zero network calls. Your secrets are encrypted and stored locally in a SQLite database.

Open source · Local-first · Free

Your .env is not a secret.
AI can read it.

Tene encrypts your secrets so AI agents can use them — without ever seeing them.

View on GitHub

terminal

From .env exposure to encrypted runtime injection — under 1 minute.

.env is the problem. Tene is the fix.

AI agents read your project files. That includes .env. Tene encrypts secrets and injects them at runtime.

Problem

.env is visible to AI

AI agents read all your project files — including .env. Your API keys are sent to AI models as plaintext.

Solution

Runtime injection

tene run injects secrets as environment variables. Your app works normally. AI never sees the values.

Encrypted vault

XChaCha20-Poly1305 + Argon2id. Secrets stored locally in an encrypted SQLite vault.

One command setup

Install, init, set — done. No signup, no config files, no dashboard.

.env migration

tene import .env converts all your existing secrets into the encrypted vault. Zero friction.

Coming Soon

Cloud sync

Manage secrets across all your projects and machines. No more repeated init and set. $1/user/month.

Up and running in 1 minute

Install

One command. Auto-detects your OS and installs the latest binary. No Go required, no account, no server.

Project Initialize

Navigate to your project folder first. Creates an encrypted vault, generates CLAUDE.md for Claude Code, and issues a 12-word recovery key.

Store secrets

Secrets are encrypted with XChaCha20-Poly1305 and stored in a local SQLite vault. Never leaves your machine.

Develop with secrets

Injects all secrets as environment variables into any command. Claude Code reads CLAUDE.md and knows the rest.

No server. Nothing to hack.

While .env files expose secrets to every AI agent in your project, Tene keeps them encrypted on your device. No server to breach, no database to leak, no API to exploit.

Encryption architecture

// Your device — secrets exist only here

Master Password

└─ Argon2id (64MB memory, 3 iterations)

└─ Master Key (256-bit) → OS Keychain

└─ XChaCha20-Poly1305 (192-bit nonce)

└─ SQLite vault (.tene/vault.db)

// Network calls: none
// Server: none
// Attack surface: none

Network calls in free tier

256-bit

XChaCha20-Poly1305 encryption

12 words

BIP-39 recovery key

Open source — verify it yourself

Every line of encryption code is open source. Don't trust us — read the code. github.com/tomo-kay/tene

How Tene compares

The only tool that hides secrets from AI agents while keeping everything local and free.

	Tene	.env	Doppler	Vault	Infisical
Secrets hidden from AI
Local-first
No server required
Encrypted at rest
AI agent auto-detect
Runtime injection
No signup required
Open source
Price	$0	$0	$21/mo	$1,152+	$6/mo

Free locally. $1/mo for cloud.

Local CLI is free forever. Cloud sync eliminates repeated setup across projects and machines.

Free

$0/ forever

Local encrypted secrets for individual projects.

Unlimited secrets
XChaCha20-Poly1305 encryption
AI runtime injection
OS keychain integration
12-word recovery key

Cloud