Comparison

tene vs HashiCorp Vault

HashiCorp Vault is the gold standard for enterprise server-side secrets. tene is the local-first CLI for developer machines and AI-editor safety.


HashiCorp Vault is the incumbent enterprise secret manager. It handles dynamic secrets, PKI, transit encryption, and policy-driven access at production scale. It is also expensive to run, complex to operate, and wildly overkill for the individual developer workflow.

tene doesn't compete with Vault on Vault's turf. If you already run Vault for production server-side secrets, keep it. tene solves a different problem: encrypted secrets on the developer's workstation that stay out of AI-editor context windows. Run both — they don't conflict.

They solve different problems

Vault is a production secrets service: policies, audit logs, dynamic leases, and integrations with every major infrastructure layer. If you need AWS IAM credentials that expire in 15 minutes, Vault is the answer.

tene is a developer-workstation and CI tool: encrypted .env replacement, runtime env-var injection, AI-editor safety. If you want your API keys to stay out of Claude Code's context window, tene is the answer. Neither replaces the other.

Side-by-side

Feature-by-feature comparison. Every row is sourced from the official docs of each product — if you find something stale, open an issue.

| Dimension | tene | HashiCorp Vault |
| --- | --- | --- |
| Target audience | Individual developers + small teams + AI workflows | Platform / SRE / security teams in mid-to-large enterprises |
| Infrastructure | None (CLI only) | HA cluster, storage backend, unseal workflow, PKI, audit backends |
| Price | Free (MIT) | Free (Vault OSS) to $1,000+ / month for Vault Enterprise HA |
| Dynamic secrets | No (long-lived secrets only) | Yes — best-in-class (DB, cloud, PKI, SSH) |
| AI-editor integration | Auto-generates CLAUDE.md, .cursor/rules/tene.mdc, .windsurfrules, GEMINI.md, AGENTS.md | None |
| Encryption | XChaCha20-Poly1305 + Argon2id | AES-GCM + Shamir unseal / KMS auto-unseal |
| Scale | Single developer / small team | Thousands of clients, millions of leases |
| Operational complexity | Install binary + `tene init` | Cluster ops, seal/unseal, backup, upgrade procedures |
| Open source | MIT | Vault OSS is BUSL 1.1 (source-available, not OSI-approved) |

The common pattern: use both

Production services read from Vault (dynamic DB creds, rotating API keys, short-lived cloud credentials). Developer machines use tene for the local developer loop: storing the handful of long-lived secrets (Stripe, OpenAI, webhook keys) that make local dev work, keeping them encrypted, and keeping AI editors from reading them.

A common pattern: `vault kv get -format=json` to bootstrap local secrets from Vault, pipe into `tene import`. Developers then `tene run --` their local stack.

When NOT to use tene

If your secret rotation policy is measured in minutes, you need dynamic secrets, or you have a compliance team that requires audit-log-everything: use Vault. tene is intentionally not a replacement for that.

FAQ

Why no comparison table for dynamic secrets?
Because tene doesn't have them, and it would be misleading to compare. Vault's dynamic secret engines (AWS, database, SSH, PKI) are in a different category — tene focuses on long-lived developer secrets + runtime injection.
Can tene bootstrap secrets from Vault?
Yes, via a shell pipeline: `vault kv get -format=json secret/myapp | jq -r '.data.data | to_entries[] | "\(.key)=\(.value)"' | tee .env && tene import .env && rm .env`. This gives your local dev environment the current production secrets without running Vault locally.
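The same Vault-to-tene bootstrap as a small Python helper, added here as an example and not taken from tene or Vault: the plaintext lives only in a 0600 temp file that is removed even if the import fails, and any key or value that would break the one-line `KEY=value` format is rejected. It assumes a KV v2 secret with string values and that `tene import` accepts any dotenv file path, as in `tene import .env`; the function names are hypothetical.

```python
import json
import os
import re
import subprocess
import sys
import tempfile

ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def kv2_to_dotenv(vault_json: str) -> str:
    """Convert `vault kv get -format=json` output (KV v2) to KEY=value lines."""
    secrets = json.loads(vault_json)["data"]["data"]
    lines = []
    for key, value in secrets.items():
        if not ENV_NAME.fullmatch(key):
            raise ValueError(f"not a valid variable name: {key!r}")
        if not isinstance(value, str):
            raise ValueError(f"{key}: value is not a string")
        # A line break inside a value would start a second KEY=value line.
        if any(ch in value for ch in "\r\n\0"):
            raise ValueError(f"{key}: value contains a line break or NUL")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def write_private(text: str) -> str:
    """Write text to a new temp file; mkstemp creates it with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="tene-import-", suffix=".env")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def bootstrap(vault_path: str) -> None:
    """Read one KV v2 secret from Vault and hand it to `tene import`."""
    result = subprocess.run(
        ["vault", "kv", "get", "-format=json", vault_path],
        check=True, capture_output=True, text=True,  # keep values off the terminal
    )
    path = write_private(kv2_to_dotenv(result.stdout))
    try:
        # Assumption: `tene import` takes a dotenv path, as shown on this page.
        subprocess.run(["tene", "import", path], check=True)
    finally:
        os.remove(path)  # runs whether or not the import succeeded


if __name__ == "__main__":
    bootstrap(sys.argv[1])  # e.g. secret/myapp
```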
Is tene a replacement for Vault?
No. Vault is the right tool for production server-side secret management. tene is the right tool for developer-workstation + AI-editor workflows. They're complements.
What about audit logs?
tene's CLI emits local history. Optional cloud audit logs are on the roadmap for Pro (at app.tene.sh). If you need certified audit logs today, stay on Vault.