Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.envless.cloud/llms.txt

Use this file to discover all available pages before exploring further.

Envless variables are encrypted end-to-end with a key derived from your workspace passphrase. The dashboard caches that derived key in your browser’s IndexedDB; the CLI caches it in ~/.envless/config.json. These commands manage that cache.

Set the passphrase

envless passphrase set

Prompts for your workspace passphrase and saves the derived key under workspaceKeys[<workspaceId>] in ~/.envless/config.json (mode 0600). You run this once per workspace, per machine — every subsequent envless sync reuses the cached key silently.

How it works

1

Resolve the workspace

Reads the workspace slug from .envless and resolves it against the API. Errors if the directory hasn’t been linked yet — run envless link first.

2

Derive the key

The salt is deterministic: SHA-256("envless:workspace:" + workspaceId).slice(0, 16). The CLI derives the same key the dashboard does, so any passphrase set in the browser also works here.

3

Verify

The CLI tries to decrypt one existing variable in the workspace. If decrypt fails the passphrase is wrong and nothing is cached. If the workspace has no variables yet, the key is cached unverified.

4

Cache

The derived key is exported to JWK and stored under workspaceKeys[<workspaceId>].

Changing the passphrase

If you rotate your workspace passphrase from the dashboard, just run envless passphrase set again. The CLI derives the new key and overwrites the cached entry.

Clear the cached key

envless passphrase clear

Removes the cached key for the workspace in the current directory. The next envless sync will refuse with “workspace is locked” until you run envless passphrase set again.

Use this on a shared machine before stepping away, or after rotating the passphrase to force everyone else on this machine to enter the new one.

Clear every workspace

envless passphrase clear --all

Wipes every cached workspace key on this machine — useful when you’re handing off a laptop or rotating credentials across the board.

What passphrase clear does not do

Behaviorpassphrase clear
Removes the cached encryption key
Logs you out of the CLI❌ — use envless logout
Revokes the key server-side❌ — encryption is e2e; the server never had the key
Deletes .envless❌ — the binding stays, only the key is wiped

Flags

FlagUsed withDescription
--allpassphrase clearWipe the cached key for every workspace, not just this directory’s.