Three months ago a friend of mine onboarded a contractor.
He DM'd him the .env. Standard practice. Two days later the contractor pushed a debug log to a public repo with one of the keys still in it.
They rotated. Customers didn't notice. But that file is still in his Slack archive. It's still in the contractor's Slack archive. It's still cached on two computers. It will still be there in five years.
That's the .env problem. Most teams "solve" it the same way:
- Slack DM (plaintext forever, in two chat archives)
- Notion page (whoever can read the page can read prod)
- 1Password vault item (works, but now you have a second ACL to maintain)
-
.env.examplewith fake values (drifts in 48 hours) - "I'll send it to you on Signal" (still plaintext on two phones)
I tried the existing tools. Doppler is great if you're 50 people with a budget — $21/user/mo and a sales call. Infisical is open-source but feels Kubernetes-shaped, built for DevOps teams. dotenvx is sharp and the encryption-in-git story is clever, but you still have to share the encryption key out of band, and there's no team-revocation story.
What I actually wanted: zero new accounts, zero new ACLs. If GitHub already says you can push to the repo, you should be able to pull the env.
So I built boltenv.
The pitch in one sentence
Revoke a teammate's GitHub access. They lose env access. Done.
That's the whole thing. GitHub repo permissions are the access list. There's no parallel user system to keep in sync.
What the workflow looks like
# You: push your .env (encrypted on YOUR machine, only ciphertext leaves)
$ npm i -g @boltenv.dev/cli
$ boltenv push
⚡ .env → org/app:development v1 (12 vars, permanent)
# Teammate: pull it
$ boltenv pull
⚡ .env ← org/app:development (12 vars)
That's it. No invites. No ACL panel. No "create a project."
The first push generates an AES-256 key locally. The server only ever sees ciphertext. You share the key with your teammate once via secure channel:
# You
$ boltenv key export
dGhpcyBpcyBhIDMyIGJ5dGUga2V5...
# Teammate
$ boltenv key import dGhpcyBpcyBhIDMyIGJ5dGUga2V5...
After that, your teammate just runs boltenv pull from any machine. They authenticate to GitHub once via Device Flow — same UX as gh auth login.
How it actually works
Three layers, each independently breakable so the system fails closed:
1. Authorization gate
Server calls GET https://api.github.com/repos/{owner}/{repo} with the user's GitHub token. Reads permissions.push. Read-only or no access → request rejected before any data moves. The server has no idea who's "on the team." It asks GitHub.
2. Encryption gate
- AES-256-GCM (NIST standard)
- Key derivation: HKDF-SHA256, separate subkeys for encryption and HMAC
- IV: 12 bytes, random per push
- Auth tag: 16 bytes (tamper detection)
- Master key never leaves your laptop. Stored at
~/.boltenv/keys/{owner}/{repo}.keywith mode0600. - Server stores ciphertext + a 16-char key fingerprint so mismatched keys are caught early instead of producing garbled output.
3. Branch-aware environments
main, master → production
staging → staging
develop → development
anything else → development
The branch you're on determines what you push or pull. Override with -e production if you need to. No "which environment is this dropdown set to" footgun.
Why "GitHub permissions = ACL" matters
Think about what happens today when someone leaves your team:
- ✅ You remove them from GitHub.
- ❌ You remove them from your Doppler / Infisical / Vault. (manual, often forgotten)
- ❌ You rotate every secret they had access to. (rarely happens)
- ❌ Their
.envfiles in~/projects/*are now museum pieces of your prod stack.
With boltenv, step 1 is the whole list. You revoke GitHub access — they can't pull anymore. Their cached .env on disk is still there, sure (no tool can fix that), but they can't get a fresh one and they can't push poison.
This isn't a perfect security model. It's a pragmatic one for small teams. If you're handling HIPAA data, go use Vault. If you're five people shipping a SaaS, this is the right level of control.
How it stacks up
| Tool | Per-user cost | New accounts? | Encryption | ACL source |
|---|---|---|---|---|
| Slack DMs | Free | None | None | "I trust you" |
| dotenvx | Free | None | AES-256 in git | Manual key sharing |
| Doppler | $21/mo | Yes | Server-managed | Doppler users |
| Infisical | $8/mo | Yes | Server-managed | Infisical users |
| 1Password Dev | $7.99/mo bundled | Yes | 1P-managed | 1Password users |
| boltenv | Free for ≤3, then $4/mo | None | Client-side AES-256-GCM | GitHub repo permissions |
The lane I'm aiming for is narrow but real: small teams who don't want a heavyweight platform, don't want to share keys out of band forever, and do want one ACL.
CI/CD works without a service account
Two env vars on the box, no SDK to install:
export BOLTENV_TOKEN=$GITHUB_TOKEN # any PAT with repo scope
export BOLTENV_KEY=<base64-from-export>
boltenv pull -y
BOLTENV_TOKEN works with secrets.GITHUB_TOKEN in GitHub Actions. BOLTENV_KEY is the master key, stored as a single repo secret. The binary is the SDK.
A typical Actions step:
- name: Pull env
env:
BOLTENV_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BOLTENV_KEY: ${{ secrets.BOLTENV_KEY }}
run: |
npm i -g @boltenv.dev/cli
boltenv pull -e production -y
Multi-file projects
Most real projects have more than one env file: .env.backend, .env.frontend, .env.workers. boltenv discovers them automatically:
$ boltenv push
⚡ Found 3 env files:
.env.backend 18 vars
.env.frontend 9 vars
.env.workers 6 vars
3 files → org/app:development (permanent)
Pull preserves the layout. Save the file list to .boltenv.yaml and commit it — your teammates pull the same set without configuration drift.
What it doesn't do
I'd rather be honest about scope.
- No org-level RBAC. Your repo permissions are the rules.
- No automated key rotation. Rotating means everyone re-imports.
- No HSM, no compliance certifications. This is a pre-SOC2 product.
-
No native Coolify / Railway / Vercel sync yet. On the roadmap. Today:
boltenv pull --stdout --format dotenvand paste, or run boltenv on the VPS itself with the env-var auth above.
If any of those are deal-breakers — you're not the user, and that's fine.
Try it
npm i -g @boltenv.dev/cli
cd your-project
boltenv push
- Repo: github.com/boltenv/boltenv
- Site: boltenv.dev
- License: FSL-1.1-MIT (free for everyone, including commercial use, with non-compete)
I'd love to hear what breaks for you. Comment, file an issue, or DM me. I read every one.
If this saved you from one Slack-DM'd .env, that's the entire goal.
Top comments (1)
regardless of which backend for secret storage you use, varlock.dev is a huge DX improvement.