Install
15 secOpen-source CLI on npm. 35KB, zero dependencies beyond the Node standard library.
npm install -g @nodatachat/protect@latest
nodata --version
✓ YOU SHOULD SEE
changed 1 package in 2s
nodata v1.9.0Free · Open Source · Your keys, never ours
Your most important file
is sitting in plaintext.
.env, tokens, keys — readable by anything that runs on your machine. NoData Protect encrypts them so a stolen file is useless ciphertext, and the key never touches disk. Three minutes, one command.
the difference
One line of your .env, two outcomes
✗ Without NoData
OPENAI_API_KEY=sk-proj-Ax7Q9n8d4FmK...
Matches a scraper regex. GitHub Secret Scanning — and every bot — pulls it within 30 seconds. An extension reads it instantly.
✓ With NoData v2
OPENAI_API_KEY=aes256gcm:v2:hUPNqLZ:Rgd1Dh...
Matches no known pattern. Bots skip it. The key is wrapped server-side and bound to your device — the file alone is worthless.
3 commands · 3 minutes · free forever
Get protected right now
copy · paste · run — no application code changes
1
npm install -g @nodatachat/protect#install2
nodata init#register (nickname + PIN)3
nodata encrypt#encrypt .env4
nodata run -- next dev#run with decrypted env (RAM only)✓ Free forever✓ 0 dependencies✓ 35KB✓ Source-available
how you use it
Step by step
From an unprotected project to encrypted secrets and signed code — without changing a line of your app.
Register
30 secNickname + 4-digit PIN. No email, no password. Identity is bound to this device.
nodata init
✓ YOU SHOULD SEE
✓ Registered as yourname
✓ Tier: ghost
✓ API key saved to ~/.nodata/config.jsonEncrypt
5 secBacks up your .env, then encrypts every secret value with AES-256-GCM. No more plaintext on disk.
cd your-project
nodata encrypt
✓ YOU SHOULD SEE
🔐 OPENAI_API_KEY... ✓
🔐 DATABASE_URL... ✓
💾 Backup saved: .env.backup
✓ 2 secrets encryptedRun
instantDecrypts values into RAM only. When the process exits, the plaintext vanishes — it is never written to disk.
nodata run -- next dev
# or: nodata run -- node server.js
✓ YOU SHOULD SEE
🔓 Decrypting 2 secrets in memory...
✓ process.env populated (RAM only)
> next devSeal your code
10 secSign the repo as a Merkle tree. If a poisoned extension or a rogue AI edit changes a single byte, verify catches it.
nodata sign --dir src/
nodata verify --dir src/
✓ YOU SHOULD SEE
✓ 142 files signed → .nodata-tree.sig
✓ verify: tree intact — 0 modifiedthe github lesson
What an extension can't steal
Protect doesn't stop an extension from running — that's your IDE's job. It makes what the extension can reach worthless.
Secrets it grabs
- .env is ciphertext, not plaintext
- Key wrapped server-side, off the disk
- Bound to your device — replay fails elsewhere
Code it tampers with
- Merkle-tree signature over the repo
verifyflags any silent edit- The AI skill refuses to touch signed regions
Proof you keep
- Signed receipt on every encrypt/decrypt
- Tamper-evident per-user chain
- Answer "what was touched" with proof
honestly
What it solves — and what it doesn't
Encryption protects data at rest. It does not replace MFA, OAuth governance, or network segmentation.
Solves fully
- Stolen .env = useless ciphertext
- Bots skip the encrypted format
- Tokens decrypted in RAM only
- Provable code integrity
Partially helps
- Secret sprawl detection
- Post-incident proof chain
- Reducing CI/CD log leakage
Needs another layer
- OAuth consent — IAM hygiene
- Lateral movement — zero-trust
- Blocking the extension itself — EDR/IDE
architecture
How your data flows
Three boxes. Zero plaintext persistence. We never see your secret values.
Your machine
.env encrypted on disk. CLI decrypts to RAM. Process exits → gone.
NoData server
Holds the KEK that wraps your key. Never sees your plaintext values.
Your app
process.env populated in memory. Works exactly like before.
How your key is protected
AES-256-GCM — the same standard used by banks, TLS, and government systems.
Server-held KEK — your key is wrapped under a key-encryption-key on our server. The .env file alone is useless ciphertext.
Device-bound identity — your API key works only from the machine where you registered. A stolen config is useless without the device.
RAM-only decryption — plaintext exists only in process memory at runtime, then vanishes. Never written to disk.
Signed receipts — every operation emits a cryptographic receipt on a per-user chain. A tamper-evident audit trail.
Encrypt now. It takes 3 minutes.
If you encrypt, you don't pay. Ever. Free forever on a single device.
$npm install -g @nodatachat/protect
NoData Protect v1.9.0is provided "as is" without warranty of any kind. The free tier carries no SLA. AES-256-GCM reduces exposure to data-at-rest theft and automated scraping, but no software guarantees absolute security. The tool never stores, accesses, or transmits your plaintext secrets — only encrypted tokens and metadata. Licensed under FSL-1.1-Apache-2.0 (converts to Apache 2.0 on 2028-04-25). © 2026 Capsule Ltd.